base/init-bare.bro

Namespaces: GLOBAL, JSON, NFS3, RADIUS, Reporter, SNMP, SOCKS, Threading, Tunnel, Unified2, X509
Imports: base/bif, base/bif/bro.bif.bro, base/bif/const.bif.bro, base/bif/event.bif.bro, base/bif/plugins, base/bif/plugins/Bro_SNMP.types.bif.bro, base/bif/reporter.bif.bro, base/bif/strings.bif.bro, base/bif/types.bif.bro, base/frameworks/analyzer, base/frameworks/files, base/frameworks/input, base/frameworks/logging
Source File: /scripts/base/init-bare.bro

Summary

Options

NFS3::return_data: bool &redef If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.
NFS3::return_data_first_only: bool &redef If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.
NFS3::return_data_max: count &redef If NFS3::return_data is true, how much data should be returned at most.
Reporter::errors_to_stderr: bool &redef Tunable for sending reporter error messages to STDERR.
Reporter::info_to_stderr: bool &redef Tunable for sending reporter info messages to STDERR.
Reporter::warnings_to_stderr: bool &redef Tunable for sending reporter warning messages to STDERR.
Threading::heartbeat_interval: interval &redef The heartbeat interval used by the threading framework.
Tunnel::delay_gtp_confirmation: bool &redef With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing protocol_confirmation.
Tunnel::delay_teredo_confirmation: bool &redef With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing a protocol_confirmation.
Tunnel::enable_ayiya: bool &redef Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
Tunnel::enable_gre: bool &redef Toggle whether to do GRE decapsulation.
Tunnel::enable_gtpv1: bool &redef Toggle whether to do GTPv1 decapsulation.
Tunnel::enable_ip: bool &redef Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
Tunnel::enable_teredo: bool &redef Toggle whether to do IPv6-in-Teredo decapsulation.
Tunnel::ip_tunnel_timeout: interval &redef How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).
Tunnel::max_depth: count &redef The maximum depth of a tunnel to decapsulate until giving up.
Tunnel::yielding_teredo_decapsulation: bool &redef With this option set, the Teredo analysis will first check to see if other protocol analyzers have confirmed that they think they’re parsing the right protocol and only continue with Teredo tunnel decapsulation if nothing else has yet confirmed.
backdoor_stat_backoff: double &redef Deprecated.
backdoor_stat_period: interval &redef Deprecated.
bits_per_uid: count &redef Number of bits in UIDs that are generated to identify connections and files.
check_for_unused_event_handlers: bool &redef If true, warns about unused event handlers at startup.
cmd_line_bpf_filter: string &redef BPF filter the user has set via the -f command line options.
default_file_bof_buffer_size: count &redef Default amount of bytes that file analysis will buffer before raising file_new.
default_file_timeout_interval: interval &redef Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
detect_filtered_trace: bool &redef Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections.
dns_session_timeout: interval &redef Time to wait before timing out a DNS request.
dpd_buffer_size: count &redef Size of per-connection buffer used for dynamic protocol detection.
dpd_ignore_ports: bool &redef If true, don’t consider any ports for deciding which protocol analyzer to use.
dpd_match_only_beginning: bool &redef If true, stops signature matching if dpd_buffer_size has been reached.
dpd_reassemble_first_packets: bool &redef Reassemble the beginning of all TCP connections before doing signature matching.
enable_syslog: bool &redef Deprecated.
encap_hdr_size: count &redef If positive, indicates the encapsulation header size that should be skipped.
exit_only_after_terminate: bool &redef Flag to prevent Bro from exiting automatically when input is exhausted.
expensive_profiling_multiple: count &redef Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).
forward_remote_events: bool &redef If true, broadcast events received from one peer to all other peers.
forward_remote_state_changes: bool &redef If true, broadcast state updates received from one peer to all other peers.
frag_timeout: interval &redef How long to hold onto fragments for possible reassembly.
gap_report_freq: interval &redef Rate at which to generate gap_report events assessing to what degree the measurement process appears to exhibit loss.
global_hash_seed: string &redef Seed for hashes computed internally for probabilistic data structures.
icmp_inactivity_timeout: interval &redef If an ICMP flow is inactive, time it out after this interval.
ignore_checksums: bool &redef If true, don’t verify checksums.
ignore_keep_alive_rexmit: bool &redef Ignore certain TCP retransmissions for conn_stats.
interconn_default_pkt_size: count &redef Deprecated.
interconn_max_interarrival: interval &redef Deprecated.
interconn_max_keystroke_pkt_size: count &redef Deprecated.
interconn_min_interarrival: interval &redef Deprecated.
interconn_stat_backoff: double &redef Deprecated.
interconn_stat_period: interval &redef Deprecated.
likely_server_ports: set &redef Ports which the core considers being likely used by servers.
log_encryption_key: string &redef Deprecated.
log_max_size: double &redef Deprecated.
log_rotate_base_time: string &redef Deprecated.
log_rotate_interval: interval &redef Deprecated.
max_files_in_cache: count &redef The maximum number of open files to keep cached at a given time.
max_remote_events_processed: count &redef With a similar trade-off, this gives the number of remote events to process in a batch before interleaving other activity.
max_timer_expires: count &redef The maximum number of timers to expire after processing each new packet.
non_analyzed_lifetime: interval &redef If a connection belongs to an application that we don’t analyze, time it out after this interval.
ntp_session_timeout: interval &redef Time to wait before timing out an NTP request.
packet_filter_default: bool &redef Default mode for Bro’s user-space dynamic packet filter.
partial_connection_ok: bool &redef If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.
passive_fingerprint_file: string &redef p0f fingerprint file to use.
peer_description: string &redef Description transmitted to remote communication peers for identification.
pkt_profile_freq: double &redef Frequency associated with packet profiling.
pkt_profile_mode: pkt_profile_modes &redef Output mode for packet profiling information.
profiling_interval: interval &redef Update interval for profiling (0 disables).
record_all_packets: bool &redef If a trace file is given with -w, dump all packets seen by Bro into it.
remote_check_sync_consistency: bool &redef Whether, for &synchronized state, to send the old value as a consistency check.
remote_trace_sync_interval: interval &redef Synchronize trace processing at a regular basis in pseudo-realtime mode.
remote_trace_sync_peers: count &redef Number of peers across which to synchronize trace processing in pseudo-realtime mode.
report_gaps_for_partial: bool &redef Whether we want content_gap and gap_report for partial connections.
rpc_timeout: interval &redef Time to wait before timing out an RPC request.
segment_profiling: bool &redef If true, then write segment profiling information (very high volume!) in addition to profiling statistics.
sig_max_group_size: count &redef Maximum size of regular expression groups for signature matching.
skip_http_data: bool &redef Skip HTTP data for performance considerations.
snaplen: count &redef Number of bytes per packet to capture from live interfaces.
ssl_ca_certificate: string &redef The CA certificate file to authorize remote Bros/Broccolis.
ssl_passphrase: string &redef The passphrase for our private key.
ssl_private_key: string &redef File containing our private key and our certificate.
state_dir: string &redef Specifies a directory for Bro to store its persistent state.
state_write_delay: interval &redef Length of the delays inserted when storing state incrementally.
stp_delta: interval &redef Internal to the stepping stone detector.
stp_idle_min: interval &redef Internal to the stepping stone detector.
suppress_local_output: bool &redef Deprecated.
table_expire_delay: interval &redef When expiring table entries, wait this amount of time before checking the next chunk of entries.
table_expire_interval: interval &redef Check for expired table entries after this amount of time.
table_incremental_step: count &redef When expiring/serializing table entries, don’t work on more than this many table entries at a time.
tcp_SYN_ack_ok: bool &redef If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).
tcp_SYN_timeout: interval &redef Check up on the result of an initial SYN after this much time.
tcp_attempt_delay: interval &redef Wait this long upon seeing an initial SYN before timing out the connection attempt.
tcp_close_delay: interval &redef Upon seeing a normal connection close, flush state after this much time.
tcp_connection_linger: interval &redef When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long.
tcp_content_deliver_all_orig: bool &redef If true, all TCP originator-side traffic is reported via tcp_contents.
tcp_content_deliver_all_resp: bool &redef If true, all TCP responder-side traffic is reported via tcp_contents.
tcp_content_delivery_ports_orig: table &redef Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.
tcp_content_delivery_ports_resp: table &redef Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.
tcp_excessive_data_without_further_acks: count &redef If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff.
tcp_inactivity_timeout: interval &redef If a TCP connection is inactive, time it out after this interval.
tcp_match_undelivered: bool &redef If true, pass any undelivered data to the signature engine before flushing the state.
tcp_max_above_hole_without_any_acks: count &redef If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection.
tcp_max_initial_window: count &redef Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks).
tcp_partial_close_delay: interval &redef Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.
tcp_reassembler_ports_orig: set &redef For services without a handler, these sets define originator-side ports that still trigger reassembly.
tcp_reassembler_ports_resp: set &redef For services without a handler, these sets define responder-side ports that still trigger reassembly.
tcp_reset_delay: interval &redef Upon seeing a RST, flush state after this much time.
tcp_session_timer: interval &redef After a connection has closed, wait this long for further activity before checking whether to time out its state.
tcp_storm_interarrival_thresh: interval &redef FINs/RSTs must come with this much time or less between them to be considered a “storm”.
tcp_storm_thresh: count &redef Number of FINs/RSTs in a row that constitute a “storm”.
time_machine_profiling: bool &redef If true, output profiling for Time-Machine queries.
timer_mgr_inactivity_timeout: interval &redef Per-incident timer managers are drained after this amount of inactivity.
truncate_http_URI: int &redef Maximum length of HTTP URIs passed to events.
udp_content_deliver_all_orig: bool &redef If true, all UDP originator-side traffic is reported via udp_contents.
udp_content_deliver_all_resp: bool &redef If true, all UDP responder-side traffic is reported via udp_contents.
udp_content_delivery_ports_orig: table &redef Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.
udp_content_delivery_ports_resp: table &redef Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.
udp_inactivity_timeout: interval &redef If a UDP flow is inactive, time it out after this interval.
use_conn_size_analyzer: bool &redef Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint.
watchdog_interval: interval &redef Bro’s watchdog interval.

Constants

CONTENTS_BOTH: count Record both originator and responder contents.
CONTENTS_NONE: count Turn off recording of contents.
CONTENTS_ORIG: count Record originator contents.
CONTENTS_RESP: count Record responder contents.
DNS_ADDL: count An additional record.
DNS_ANS: count An answer record.
DNS_AUTH: count An authoritative record.
DNS_QUERY: count A query.
ENDIAN_BIG: count Big endian.
ENDIAN_CONFUSED: count Tried to determine endian, but failed.
ENDIAN_LITTLE: count Little endian.
ENDIAN_UNKNOWN: count Endian not yet determined.
ICMP_UNREACH_ADMIN_PROHIB: count Administratively prohibited.
ICMP_UNREACH_HOST: count Host unreachable.
ICMP_UNREACH_NEEDFRAG: count Fragment needed.
ICMP_UNREACH_NET: count Network unreachable.
ICMP_UNREACH_PORT: count Port unreachable.
ICMP_UNREACH_PROTOCOL: count Protocol unreachable.
IPPROTO_AH: count IPv6 authentication header.
IPPROTO_DSTOPTS: count IPv6 destination options header.
IPPROTO_ESP: count IPv6 encapsulating security payload header.
IPPROTO_FRAGMENT: count IPv6 fragment header.
IPPROTO_HOPOPTS: count IPv6 hop-by-hop-options header.
IPPROTO_ICMP: count Control message protocol.
IPPROTO_ICMPV6: count ICMP for IPv6.
IPPROTO_IGMP: count Group management protocol.
IPPROTO_IP: count Dummy for IP.
IPPROTO_IPIP: count IP encapsulation in IP.
IPPROTO_IPV6: count IPv6 header.
IPPROTO_MOBILITY: count IPv6 mobility header.
IPPROTO_NONE: count IPv6 no next header.
IPPROTO_RAW: count Raw IP packet.
IPPROTO_ROUTING: count IPv6 routing header.
IPPROTO_TCP: count TCP.
IPPROTO_UDP: count User datagram protocol.
LOGIN_STATE_AUTHENTICATE: count  
LOGIN_STATE_CONFUSED: count  
LOGIN_STATE_LOGGED_IN: count  
LOGIN_STATE_SKIP: count  
PEER_ID_NONE: count Place-holder constant indicating “no peer”.
REMOTE_LOG_ERROR: count Deprecated.
REMOTE_LOG_INFO: count Deprecated.
REMOTE_SRC_CHILD: count Message from the child process.
REMOTE_SRC_PARENT: count Message from the parent process.
REMOTE_SRC_SCRIPT: count Message from a policy script.
RPC_status: table Mapping of numerical RPC status codes to readable messages.
SNMP::OBJ_COUNTER32_TAG: count Unsigned 32-bit integer.
SNMP::OBJ_COUNTER64_TAG: count Unsigned 64-bit integer.
SNMP::OBJ_ENDOFMIBVIEW_TAG: count A NULL value.
SNMP::OBJ_INTEGER_TAG: count Signed 64-bit integer.
SNMP::OBJ_IPADDRESS_TAG: count An IP address.
SNMP::OBJ_NOSUCHINSTANCE_TAG: count A NULL value.
SNMP::OBJ_NOSUCHOBJECT_TAG: count A NULL value.
SNMP::OBJ_OCTETSTRING_TAG: count An octet string.
SNMP::OBJ_OID_TAG: count An Object Identifier.
SNMP::OBJ_OPAQUE_TAG: count An octet string.
SNMP::OBJ_TIMETICKS_TAG: count Unsigned 32-bit integer.
SNMP::OBJ_UNSIGNED32_TAG: count Unsigned 32-bit integer.
SNMP::OBJ_UNSPECIFIED_TAG: count A NULL value.
TCP_CLOSED: count Endpoint has closed connection.
TCP_ESTABLISHED: count Endpoint has finished initial handshake regularly.
TCP_INACTIVE: count Endpoint is still inactive.
TCP_PARTIAL: count Endpoint has sent data but no initial SYN.
TCP_RESET: count Endpoint has sent RST.
TCP_SYN_ACK_SENT: count Endpoint has sent SYN/ACK.
TCP_SYN_SENT: count Endpoint has sent SYN.
TH_ACK: count ACK.
TH_FIN: count FIN.
TH_FLAGS: count Mask combining all flags.
TH_PUSH: count PUSH.
TH_RST: count RST.
TH_SYN: count SYN.
TH_URG: count URG.
UDP_ACTIVE: count Endpoint has sent something.
UDP_INACTIVE: count Endpoint is still inactive.
trace_output_file: string Holds the filename of the trace file given with -w (empty if none).

State Variables

capture_filters: table &redef Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique).
direct_login_prompts: set &redef TODO.
discarder_maxlen: count &redef Maximum length of payload passed to discarder functions.
dns_max_queries: count If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it.
dns_skip_addl: set &redef For DNS servers in these sets, omit processing the ADDL records they include in their replies.
dns_skip_all_addl: bool &redef If true, all DNS ADDL records are skipped.
dns_skip_all_auth: bool &redef If true, all DNS AUTH records are skipped.
dns_skip_auth: set &redef For DNS servers in these sets, omit processing the AUTH records they include in their replies.
done_with_network: bool  
generate_OS_version_event: set &redef Defines for which subnets we should do passive fingerprinting.
http_entity_data_delivery_size: count &redef Maximum amount of HTTP entity data delivered to events.
interfaces: string &add_func = add_interface &redef Network interfaces to listen on.
irc_servers: set &redef Deprecated.
load_sample_freq: count &redef Rate at which to generate load_sample events.
login_failure_msgs: set &redef TODO.
login_non_failure_msgs: set &redef TODO.
login_prompts: set &redef TODO.
login_success_msgs: set &redef TODO.
login_timeouts: set &redef TODO.
mime_segment_length: count &redef The length of MIME data segments delivered to handlers of mime_segment_data.
mime_segment_overlap_length: count &redef The number of bytes of overlap between successive segments passed to mime_segment_data.
pkt_profile_file: file &redef File where packet profiles are logged.
profiling_file: file &redef Write profiling info into this file in regular intervals.
restrict_filters: table &redef Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).
samba_cmds: table &redef &default = function &optional Maps SMB command numbers to descriptive names.
secondary_filters: table &redef Definition of “secondary filters”.
signature_files: string &add_func = add_signature_file &redef Signature files to read.
skip_authentication: set &redef TODO.
stp_skip_src: set &redef Internal to the stepping stone detector.

Types

EncapsulatingConnVector: vector A type alias for a vector of encapsulating “connections”, i.e.
IPAddrAnonymization: enum Deprecated.
IPAddrAnonymizationClass: enum Deprecated.
JSON::TimestampFormat: enum  
ModbusCoils: vector  
ModbusHeaders: record  
ModbusRegisters: vector  
NFS3::delobj_reply_t: record NFS reply for remove, rmdir.
NFS3::direntry_t: record NFS direntry.
NFS3::direntry_vec_t: vector Vector of NFS direntry.
NFS3::diropargs_t: record NFS readdir arguments.
NFS3::fattr_t: record NFS file attributes.
NFS3::fsstat_t: record NFS fsstat.
NFS3::info_t: record Record summarizing the general results and status of NFSv3 request/reply pairs.
NFS3::lookup_reply_t: record NFS lookup reply.
NFS3::newobj_reply_t: record NFS reply for create, mkdir, and symlink.
NFS3::read_reply_t: record NFS read reply.
NFS3::readargs_t: record NFS read arguments.
NFS3::readdir_reply_t: record NFS readdir reply.
NFS3::readdirargs_t: record NFS readdir arguments.
NFS3::readlink_reply_t: record NFS readlink reply.
NFS3::wcc_attr_t: record NFS wcc attributes.
NFS3::write_reply_t: record NFS write reply.
NFS3::writeargs_t: record NFS write arguments.
NetStats: record Packet capture statistics.
OS_version: record Passive fingerprinting match.
OS_version_inference: enum Quality of passive fingerprinting matches.
PcapFilterID: enum Enum type identifying dynamic BPF filters.
RADIUS::AttributeList: vector  
RADIUS::Attributes: table  
RADIUS::Message: record  
SNMP::Binding: record The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.
SNMP::Bindings: vector A VarBindList data structure from either RFC 1157 or RFC 3416.
SNMP::BulkPDU: record A BulkPDU data structure from RFC 3416.
SNMP::Header: record A generic SNMP header data structure that may include data from any version of SNMP.
SNMP::HeaderV1: record The top-level message data structure of an SNMPv1 datagram, not including the PDU data.
SNMP::HeaderV2: record The top-level message data structure of an SNMPv2 datagram, not including the PDU data.
SNMP::HeaderV3: record The top-level message data structure of an SNMPv3 datagram, not including the PDU data.
SNMP::ObjectValue: record A generic SNMP object value, that may include any of the valid ObjectSyntax values from RFC 1155 or RFC 3416.
SNMP::PDU: record A PDU data structure from either RFC 1157 or RFC 3416.
SNMP::ScopedPDU_Context: record The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e.
SNMP::TrapPDU: record A Trap-PDU data structure from RFC 1157.
SOCKS::Address: record &log This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.
SYN_packet: record Fields of a SYN packet.
Tunnel::EncapsulatingConn: record &log Records the identity of an encapsulating parent of a tunneled connection.
Unified2::IDSEvent: record  
Unified2::Packet: record  
X509::BasicConstraints: record &log  
X509::Certificate: record &log  
X509::Extension: record  
X509::Result: record Result of an X509 certificate chain verification.
X509::SubjectAlternativeName: record  
addr_set: set A set of addresses.
addr_vec: vector A vector of addresses.
any_vec: vector A vector of any, used by some builtin functions to store a list of varying types.
backdoor_endp_stats: record Deprecated.
bittorrent_benc_dir: table A table of BitTorrent “benc” values.
bittorrent_benc_value: record BitTorrent “benc” value.
bittorrent_peer: record A BitTorrent peer.
bittorrent_peer_set: set A set of BitTorrent peers.
bro_resources: record Statistics about Bro’s resource consumption.
bt_tracker_headers: table Header table type used by BitTorrent analyzer.
call_argument: record Meta-information about a parameter to a function/event.
call_argument_vector: vector Vector type used to capture parameters of a function/event call.
conn_id: record &log A connection’s identifying 4-tuple of endpoints and ports.
connection: record A connection.
count_set: set A set of counts.
dhcp_msg: record A DHCP message.
dhcp_router_list: table A list of router addresses offered by a DHCP server.
dns_answer: record The general part of a DNS reply.
dns_edns_additional: record An additional DNS EDNS record.
dns_mapping: record  
dns_msg: record A DNS message.
dns_soa: record A DNS SOA record.
dns_tsig_additional: record An additional DNS TSIG record.
endpoint: record Statistics about a connection endpoint.
endpoint_stats: record Statistics about what a TCP endpoint sent.
entropy_test_result: record Computed entropy values.
event_peer: record A communication peer.
fa_file: record &redef A file that Bro is analyzing.
ftp_port: record A parsed host/port combination describing server endpoint for an upcoming data transfer.
gap_info: record Statistics about number of gaps in TCP connections.
geo_location: record &log GeoIP location information.
gtp_access_point_name: string  
gtp_cause: count  
gtp_charging_characteristics: count  
gtp_charging_gateway_addr: addr  
gtp_charging_id: count  
gtp_create_pdp_ctx_request_elements: record  
gtp_create_pdp_ctx_response_elements: record  
gtp_delete_pdp_ctx_request_elements: record  
gtp_delete_pdp_ctx_response_elements: record  
gtp_end_user_addr: record  
gtp_gsn_addr: record  
gtp_imsi: count  
gtp_msisdn: string  
gtp_nsapi: count  
gtp_omc_id: string  
gtp_private_extension: record  
gtp_proto_config_options: string  
gtp_qos_profile: record  
gtp_rai: record  
gtp_recovery: count  
gtp_reordering_required: bool  
gtp_selection_mode: count  
gtp_teardown_ind: bool  
gtp_teid1: count  
gtp_teid_control_plane: count  
gtp_tft: string  
gtp_trace_reference: count  
gtp_trace_type: count  
gtp_trigger_id: string  
gtp_update_pdp_ctx_request_elements: record  
gtp_update_pdp_ctx_response_elements: record  
gtpv1_hdr: record A GTPv1 (GPRS Tunneling Protocol) header.
http_message_stat: record HTTP message statistics.
http_stats_rec: record HTTP session statistics.
icmp6_nd_option: record Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.
icmp6_nd_options: vector A type alias for a vector of ICMPv6 neighbor discovery message options.
icmp6_nd_prefix_info: record Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.
icmp_conn: record Specifics about an ICMP conversation.
icmp_context: record Packet context part of an ICMP message.
icmp_hdr: record Values extracted from an ICMP header.
id_table: table Table type used to map script-level identifiers to meta-information describing them.
index_vec: vector A vector of counts, used by some builtin functions to store a list of indices.
interconn_endp_stats: record Deprecated.
ip4_hdr: record Values extracted from an IPv4 header.
ip6_ah: record Values extracted from an IPv6 Authentication extension header.
ip6_dstopts: record Values extracted from an IPv6 Destination options extension header.
ip6_esp: record Values extracted from an IPv6 ESP extension header.
ip6_ext_hdr: record A general container for a more specific IPv6 extension header.
ip6_ext_hdr_chain: vector A type alias for a vector of IPv6 extension headers.
ip6_fragment: record Values extracted from an IPv6 Fragment extension header.
ip6_hdr: record Values extracted from an IPv6 header.
ip6_hopopts: record Values extracted from an IPv6 Hop-by-Hop options extension header.
ip6_mobility_back: record Values extracted from an IPv6 Mobility Binding Acknowledgement message.
ip6_mobility_be: record Values extracted from an IPv6 Mobility Binding Error message.
ip6_mobility_brr: record Values extracted from an IPv6 Mobility Binding Refresh Request message.
ip6_mobility_bu: record Values extracted from an IPv6 Mobility Binding Update message.
ip6_mobility_cot: record Values extracted from an IPv6 Mobility Care-of Test message.
ip6_mobility_coti: record Values extracted from an IPv6 Mobility Care-of Test Init message.
ip6_mobility_hdr: record Values extracted from an IPv6 Mobility header.
ip6_mobility_hot: record Values extracted from an IPv6 Mobility Home Test message.
ip6_mobility_hoti: record Values extracted from an IPv6 Mobility Home Test Init message.
ip6_mobility_msg: record Values extracted from an IPv6 Mobility header’s message data.
ip6_option: record Values extracted from an IPv6 extension header’s (e.g.
ip6_options: vector A type alias for a vector of IPv6 options.
ip6_routing: record Values extracted from an IPv6 Routing extension header.
irc_join_info: record IRC join information.
irc_join_list: set Set of IRC join information.
load_sample_info: set  
matcher_stats: record Summary statistics of all regular expression matchers.
mime_header_list: table A list of MIME headers.
mime_header_rec: record A MIME header key/value pair.
mime_match: record A structure indicating a MIME type and strength of a match against file magic signatures.
mime_matches: vector A vector of file magic signature matches, ordered by strength of the signature, strongest first.
nf_v5_header: record A NetFlow v5 header.
nf_v5_record: record A NetFlow v5 record.
nfheader_id: record ID for NetFlow header.
ntp_msg: record An NTP message.
packet: record Deprecated.
pcap_packet: record Policy-level representation of a packet passed on by libpcap.
peer_id: count A locally unique ID identifying a communication peer.
pkt_hdr: record A packet header, consisting of an IP header and transport-layer header.
pkt_profile_modes: enum Output modes for packet profiling information.
pm_callit_request: record An RPC portmapper callit request.
pm_mapping: record An RPC portmapper mapping.
pm_mappings: table Table of RPC portmapper mappings.
pm_port_request: record An RPC portmapper request.
record_field: record Meta-information about a record field.
record_field_table: table Table type used to map record field declarations to meta-information describing them.
rotate_info: record Deprecated.
script_id: record Meta-information about a script-level identifier.
signature_state: record Description of a signature match.
smb_hdr: record An SMB command header.
smb_negotiate: table Deprecated.
smb_trans: record An SMB transaction.
smb_trans_data: record SMB transaction data.
smb_tree_connect: record Deprecated.
software: record  
software_version: record  
string_array: table An ordered array of strings.
string_set: set A set of strings.
string_vec: vector A vector of strings.
sw_align: record Helper type for return value of Smith-Waterman algorithm.
sw_align_vec: vector Helper type for return value of Smith-Waterman algorithm.
sw_params: record Parameters for the Smith-Waterman algorithm.
sw_substring: record Helper type for return value of Smith-Waterman algorithm.
sw_substring_vec: vector Return type for Smith-Waterman algorithm.
table_string_of_string: table A table of strings indexed by strings.
tcp_hdr: record Values extracted from a TCP header.
teredo_auth: record A Teredo origin indication header.
teredo_hdr: record A Teredo packet header.
teredo_origin: record A Teredo authentication header.
transport_proto: enum A connection’s transport-layer protocol.
udp_hdr: record Values extracted from a UDP header.
var_sizes: table Table type used to map variable names to their memory allocation.
x509_opaque_vector: vector A vector of x509 opaques.

Functions

add_interface: function Internal function.
add_signature_file: function Internal function.
append_addl: function Deprecated.
append_addl_marker: function Deprecated.
discarder_check_icmp: function Function for skipping packets based on their ICMP header.
discarder_check_ip: function Function for skipping packets based on their IP header.
discarder_check_tcp: function Function for skipping packets based on their TCP header.
discarder_check_udp: function Function for skipping packets based on their UDP header.
log_file_name: function &redef Deprecated.
max_count: function Returns maximum of two count values.
max_double: function Returns maximum of two double values.
max_interval: function Returns maximum of two interval values.
min_count: function Returns minimum of two count values.
min_double: function Returns minimum of two double values.
min_interval: function Returns minimum of two interval values.
open_log_file: function &redef Deprecated.

Detailed Interface

Options

NFS3::return_data
Type: bool
Attributes: &redef
Default: F

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

See also: NFS3::return_data_max, NFS3::return_data_first_only

NFS3::return_data_first_only
Type: bool
Attributes: &redef
Default: T

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max
Type: count
Attributes: &redef
Default: 512

If NFS3::return_data is true, how much data should be returned at most.

Reporter::errors_to_stderr
Type: bool
Attributes: &redef
Default: T

Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

Reporter::info_to_stderr
Type:bool
Attributes:&redef
Default:T

Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

Reporter::warnings_to_stderr
Type:bool
Attributes:&redef
Default:T

Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

Threading::heartbeat_interval
Type:interval
Attributes:&redef
Default:1.0 sec

The heartbeat interval used by the threading framework. Changing this should usually not be necessary and will break several tests.

Tunnel::delay_gtp_confirmation
Type:bool
Attributes:&redef
Default:F

With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing protocol_confirmation. If it’s false, the first occurrence of a packet with valid GTPv1 encapsulation causes confirmation. Since the same inner connection can be carried by differing outer upflow/downflow connections, setting this to false may work better.

Tunnel::delay_teredo_confirmation
Type:bool
Attributes:&redef
Default:T

With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing a protocol_confirmation. If it’s false, the first occurrence of a packet with valid Teredo encapsulation causes a confirmation. Both cases are still subject to effects of Tunnel::yielding_teredo_decapsulation.

Tunnel::enable_ayiya
Type:bool
Attributes:&redef
Default:T

Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.

Tunnel::enable_gre
Type:bool
Attributes:&redef
Default:T

Toggle whether to do GRE decapsulation.

Tunnel::enable_gtpv1
Type:bool
Attributes:&redef
Default:T

Toggle whether to do GTPv1 decapsulation.

Tunnel::enable_ip
Type:bool
Attributes:&redef
Default:T

Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.

Tunnel::enable_teredo
Type:bool
Attributes:&redef
Default:T

Toggle whether to do IPv6-in-Teredo decapsulation.

Tunnel::ip_tunnel_timeout
Type:interval
Attributes:&redef
Default:1.0 day

How often to clean up internal state for inactive IP tunnels (includes GRE tunnels).

Tunnel::max_depth
Type:count
Attributes:&redef
Default:2

The maximum depth of a tunnel to decapsulate until giving up. Setting this to zero will disable all types of tunnel decapsulation.

Tunnel::yielding_teredo_decapsulation
Type:bool
Attributes:&redef
Default:T

With this option set, the Teredo analysis will first check to see if other protocol analyzers have confirmed that they think they’re parsing the right protocol and only continue with Teredo tunnel decapsulation if nothing else has yet confirmed. This can help reduce false positives of UDP traffic (e.g. DNS) that also happens to have a valid Teredo encapsulation.

backdoor_stat_backoff
Type:double
Attributes:&redef

Deprecated.

backdoor_stat_period
Type:interval
Attributes:&redef

Deprecated.

bits_per_uid
Type:count
Attributes:&redef
Default:96

Number of bits in UIDs that are generated to identify connections and files. The larger the value, the more confidence in UID uniqueness. The maximum is currently 128 bits.

check_for_unused_event_handlers
Type:bool
Attributes:&redef
Default:F

If true, warns about unused event handlers at startup.

cmd_line_bpf_filter
Type:string
Attributes:&redef
Default:""

BPF filter the user has set via the -f command line options. Empty if none.

default_file_bof_buffer_size
Type:count
Attributes:&redef
Default:1024

Default number of bytes that file analysis will buffer before raising file_new.

default_file_timeout_interval
Type:interval
Attributes:&redef
Default:2.0 mins

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

detect_filtered_trace
Type:bool
Attributes:&redef
Default:F

Whether to attempt to automatically detect a SYN/FIN/RST-filtered trace and not report missing segments for such connections. If this is enabled, then missing data at the end of connections may not be reported via content_gap.

dns_session_timeout
Type:interval
Attributes:&redef
Default:10.0 secs

Time to wait before timing out a DNS request.

dpd_buffer_size
Type:count
Attributes:&redef
Default:1024

Size of per-connection buffer used for dynamic protocol detection. For each connection, Bro buffers this initial amount of payload in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.

See also: dpd_reassemble_first_packets, dpd_match_only_beginning, dpd_ignore_ports

dpd_ignore_ports
Type:bool
Attributes:&redef
Default:F

If true, don’t consider any ports for deciding which protocol analyzer to use.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_match_only_beginning

dpd_match_only_beginning
Type:bool
Attributes:&redef
Default:T

If true, stops signature matching if dpd_buffer_size has been reached.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_ignore_ports

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

dpd_reassemble_first_packets
Type:bool
Attributes:&redef
Default:T

Reassemble the beginning of all TCP connections before doing signature matching. Enabling this provides more accurate matching at the expense of CPU cycles.

See also: dpd_buffer_size, dpd_match_only_beginning, dpd_ignore_ports

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

enable_syslog
Type:bool
Attributes:&redef
Default:F

Deprecated. No longer functional.

encap_hdr_size
Type:count
Attributes:&redef
Default:0

If positive, indicates the encapsulation header size that should be skipped. This applies to all packets.

exit_only_after_terminate
Type:bool
Attributes:&redef
Default:F

Flag to prevent Bro from exiting automatically when input is exhausted. Normally Bro terminates when all packet sources have gone dry and communication isn’t enabled. If this flag is set, Bro’s main loop will instead keep idling until terminate is explicitly called.

This is mainly for testing purposes when termination behaviour needs to be controlled for reproducing results.

expensive_profiling_multiple
Type:count
Attributes:&redef
Default:20

Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).

See also: profiling_interval, profiling_file, segment_profiling

forward_remote_events
Type:bool
Attributes:&redef
Default:F

If true, broadcast events received from one peer to all other peers.

See also: forward_remote_state_changes

Note

This option is only temporary and will disappear once we get a more sophisticated script-level communication framework.

forward_remote_state_changes
Type:bool
Attributes:&redef
Default:F

If true, broadcast state updates received from one peer to all other peers.

See also: forward_remote_events

Note

This option is only temporary and will disappear once we get a more sophisticated script-level communication framework.

frag_timeout
Type:interval
Attributes:&redef
Default:5.0 mins

How long to hold onto fragments for possible reassembly. A value of 0.0 means “forever”, which resists evasion, but can lead to state accrual.

gap_report_freq
Type:interval
Attributes:&redef
Default:1.0 sec

Rate at which to generate gap_report events assessing to what degree the measurement process appears to exhibit loss.

See also: gap_report

global_hash_seed
Type:string
Attributes:&redef
Default:""

Seed for hashes computed internally for probabilistic data structures. Using the same value here will make the hashes compatible between independent Bro instances. If left unset, Bro will use a temporary local seed.

icmp_inactivity_timeout
Type:interval
Attributes:&redef
Default:1.0 min

If an ICMP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: tcp_inactivity_timeout, udp_inactivity_timeout, set_inactivity_timeout

ignore_checksums
Type:bool
Attributes:&redef
Default:F

If true, don’t verify checksums. Useful for running on altered trace files, and for saving a few cycles, but at the risk of analyzing invalid data. Note that the -C command-line option overrides the setting of this variable.

ignore_keep_alive_rexmit
Type:bool
Attributes:&redef
Default:F

Ignore certain TCP retransmissions for conn_stats. Some connections (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive. If ignore_keep_alive_rexmit is set to true, such retransmissions will be excluded in the rexmit counter in conn_stats.

See also: conn_stats

interconn_default_pkt_size
Type:count
Attributes:&redef

Deprecated.

interconn_max_interarrival
Type:interval
Attributes:&redef

Deprecated.

interconn_max_keystroke_pkt_size
Type:count
Attributes:&redef

Deprecated.

interconn_min_interarrival
Type:interval
Attributes:&redef

Deprecated.

interconn_stat_backoff
Type:double
Attributes:&redef

Deprecated.

interconn_stat_period
Type:interval
Attributes:&redef

Deprecated.

likely_server_ports
Type:set [port]
Attributes:&redef
Default:
{
   5223/tcp,
   8080/tcp,
   162/udp,
   502/tcp,
   587/tcp,
   21/tcp,
   3128/tcp,
   993/tcp,
   22/tcp,
   2152/udp,
   636/tcp,
   992/tcp,
   631/tcp,
   161/udp,
   3544/udp,
   5355/udp,
   8000/tcp,
   6667/tcp,
   25/tcp,
   5072/udp,
   53/tcp,
   585/tcp,
   80/tcp,
   81/tcp,
   563/tcp,
   995/tcp,
   1080/tcp,
   53/udp,
   989/tcp,
   514/udp,
   6666/tcp,
   2123/udp,
   20000/tcp,
   2811/tcp,
   5353/udp,
   443/tcp,
   6668/tcp,
   6669/tcp,
   137/udp,
   990/tcp,
   67/udp,
   614/tcp,
   8888/tcp
}

Ports which the core considers likely to be used by servers. For ports in this set, it may heuristically decide to flip the direction of the connection if it misses the initial handshake.

log_encryption_key
Type:string
Attributes:&redef
Default:"<undefined>"

Deprecated.

log_max_size
Type:double
Attributes:&redef
Default:0.0

Deprecated.

log_rotate_base_time
Type:string
Attributes:&redef
Default:"0:00"

Deprecated.

log_rotate_interval
Type:interval
Attributes:&redef
Default:0 secs

Deprecated.

max_files_in_cache
Type:count
Attributes:&redef
Default:0

The maximum number of open files to keep cached at a given time. If set to zero, this is automatically determined by inspecting the current/maximum limit on open files for the process.

max_remote_events_processed
Type:count
Attributes:&redef
Default:10

With a similar trade-off, this gives the number of remote events to process in a batch before interleaving other activity.

max_timer_expires
Type:count
Attributes:&redef
Default:300

The maximum number of timers to expire after processing each new packet. The value trades off spreading out the timer expiration load with possibly having to hold state longer. A value of 0 means “process all expired timers with each new packet”.

non_analyzed_lifetime
Type:interval
Attributes:&redef
Default:0 secs

If a connection belongs to an application that we don’t analyze, time it out after this interval. If 0 secs, then don’t time it out (but tcp_inactivity_timeout, udp_inactivity_timeout, and icmp_inactivity_timeout still apply).

ntp_session_timeout
Type:interval
Attributes:&redef
Default:5.0 mins

Time to wait before timing out an NTP request.

packet_filter_default
Type:bool
Attributes:&redef
Default:F

Default mode for Bro’s user-space dynamic packet filter. If true, packets that aren’t explicitly allowed through are dropped from any further processing.

Note

This is not the BPF packet filter but an additional dynamic filter that Bro optionally applies just before normal processing starts.

See also: install_dst_addr_filter, install_dst_net_filter, install_src_addr_filter, install_src_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter

partial_connection_ok
Type:bool
Attributes:&redef
Default:T

If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.

passive_fingerprint_file
Type:string
Attributes:&redef
Default:"base/misc/p0f.fp"

p0f fingerprint file to use. Will be searched relative to BROPATH.

peer_description
Type:string
Attributes:&redef
Default:"bro"

Description transmitted to remote communication peers for identification.

pkt_profile_freq
Type:double
Attributes:&redef
Default:0.0

Frequency associated with packet profiling.

See also: pkt_profile_modes, pkt_profile_mode, pkt_profile_file

pkt_profile_mode
Type:pkt_profile_modes
Attributes:&redef
Default:PKT_PROFILE_MODE_NONE

Output mode for packet profiling information.

See also: pkt_profile_modes, pkt_profile_freq, pkt_profile_file

profiling_interval
Type:interval
Attributes:&redef
Default:15.0 secs

Update interval for profiling (0 disables). The easiest way to activate profiling is loading policy/misc/profiling.bro.

See also: profiling_file, expensive_profiling_multiple, segment_profiling

record_all_packets
Type:bool
Attributes:&redef
Default:F

If a trace file is given with -w, dump all packets seen by Bro into it. By default, Bro applies (very few) heuristics to reduce the volume. A side effect of setting this to true is that we can write the packets out before we actually process them, which can be helpful for debugging in case the analysis triggers a crash.

See also: trace_output_file

remote_check_sync_consistency
Type:bool
Attributes:&redef
Default:F

Whether, for &synchronized state, to send the old value along as a consistency check.

remote_trace_sync_interval
Type:interval
Attributes:&redef
Default:0 secs

Synchronize trace processing on a regular basis in pseudo-realtime mode.

See also: remote_trace_sync_peers

remote_trace_sync_peers
Type:count
Attributes:&redef
Default:0

Number of peers across which to synchronize trace processing in pseudo-realtime mode.

See also: remote_trace_sync_interval

report_gaps_for_partial
Type:bool
Attributes:&redef
Default:F

Whether we want content_gap and gap_report for partial connections. A connection is partial if it is missing a full handshake. Note that gap reports for partial connections might not be reliable.

See also: content_gap, gap_report, partial_connection

rpc_timeout
Type:interval
Attributes:&redef
Default:24.0 secs

Time to wait before timing out an RPC request.

segment_profiling
Type:bool
Attributes:&redef
Default:F

If true, then write segment profiling information (very high volume!) in addition to profiling statistics.

See also: profiling_interval, expensive_profiling_multiple, profiling_file

sig_max_group_size
Type:count
Attributes:&redef
Default:50

Maximum size of regular expression groups for signature matching.

skip_http_data
Type:bool
Attributes:&redef
Default:F

Skip HTTP data for performance considerations. The skipped portion will not go through TCP reassembly.

See also: http_entity_data, skip_http_entity_data, http_entity_data_delivery_size

snaplen
Type:count
Attributes:&redef
Default:8192

Number of bytes per packet to capture from live interfaces.

ssl_ca_certificate
Type:string
Attributes:&redef
Default:"<undefined>"

The CA certificate file to authorize remote Bros/Broccolis.

See also: ssl_private_key, ssl_passphrase

ssl_passphrase
Type:string
Attributes:&redef
Default:"<undefined>"

The passphrase for our private key. Keeping this undefined causes Bro to prompt for the passphrase.

See also: ssl_private_key, ssl_ca_certificate

ssl_private_key
Type:string
Attributes:&redef
Default:"<undefined>"

File containing our private key and our certificate.

See also: ssl_ca_certificate, ssl_passphrase

state_dir
Type:string
Attributes:&redef
Default:".state"

Specifies a directory for Bro to store its persistent state. All globals can be declared persistent via the &persistent attribute.

state_write_delay
Type:interval
Attributes:&redef
Default:10.0 msecs

Length of the delays inserted when storing state incrementally. To avoid dropping packets when serializing larger volumes of persistent state to disk, Bro interleaves the operation with continued packet processing.

stp_delta
Type:interval
Attributes:&redef

Internal to the stepping stone detector.

stp_idle_min
Type:interval
Attributes:&redef

Internal to the stepping stone detector.

suppress_local_output
Type:bool
Attributes:&redef
Default:F

Deprecated.

table_expire_delay
Type:interval
Attributes:&redef
Default:10.0 msecs

When expiring table entries, wait this amount of time before checking the next chunk of entries.

See also: table_expire_interval, table_incremental_step

table_expire_interval
Type:interval
Attributes:&redef
Default:10.0 secs

Check for expired table entries after this amount of time.

See also: table_incremental_step, table_expire_delay

table_incremental_step
Type:count
Attributes:&redef
Default:5000

When expiring/serializing table entries, don’t work on more than this many table entries at a time.

See also: table_expire_interval, table_expire_delay

tcp_SYN_ack_ok
Type:bool
Attributes:&redef
Default:T

If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).

tcp_SYN_timeout
Type:interval
Attributes:&redef
Default:5.0 secs

Check up on the result of an initial SYN after this much time.

tcp_attempt_delay
Type:interval
Attributes:&redef
Default:5.0 secs

Wait this long upon seeing an initial SYN before timing out the connection attempt.

tcp_close_delay
Type:interval
Attributes:&redef
Default:5.0 secs

Upon seeing a normal connection close, flush state after this much time.

tcp_connection_linger
Type:interval
Attributes:&redef
Default:5.0 secs

When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. Complain if the connection is reused before this much time has elapsed.

tcp_content_deliver_all_orig
Type:bool
Attributes:&redef
Default:F

If true, all TCP originator-side traffic is reported via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_deliver_all_resp
Type:bool
Attributes:&redef
Default:F

If true, all TCP responder-side traffic is reported via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_delivery_ports_orig
Type:table [port] of bool
Attributes:&redef
Default:{}

Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.

See also: tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_delivery_ports_resp
Type:table [port] of bool
Attributes:&redef
Default:{}

Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents
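
The following script shows how the four tcp_content_* options and the tcp_contents event fit together (an added example, not part of init-bare.bro; the port 8080/tcp, the per-direction byte cap and the handler body are illustrative choices):

```bro
# Added example, not from init-bare.bro.
# Deliver the originator-side stream for connections to 8080/tcp (a port
# chosen for illustration) and every responder-side stream via tcp_contents.
redef tcp_content_delivery_ports_orig += { [8080/tcp] = T };
redef tcp_content_deliver_all_resp = T;

# Bytes already handled per connection and direction. Delivering whole
# streams to script-land is expensive, so cap what each handler looks at.
global delivered: table[conn_id, bool] of count &default = 0;
const max_bytes_per_direction = 64 * 1024; # illustrative cap

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	if ( delivered[c$id, is_orig] >= max_bytes_per_direction )
		return;

	delivered[c$id, is_orig] = delivered[c$id, is_orig] + |contents|;

	print fmt("%s %s:%s -> %s:%s seq=%d %d bytes",
	          is_orig ? "orig" : "resp",
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          seq, |contents|);
	}

# Drop the bookkeeping once the connection state goes away.
event connection_state_remove(c: connection)
	{
	delete delivered[c$id, T];
	delete delivered[c$id, F];
	}
```

Ports given in tcp_content_delivery_ports_orig are matched against the destination port of the connection, while tcp_content_deliver_all_resp overrides the responder-side table entirely, so the responder direction is delivered for every connection here.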

tcp_excessive_data_without_further_acks
Type:count
Attributes:&redef
Default:10485760

If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. If set to zero, then we don’t ever give up. Ideally, Bro would track the current window on a connection and use it to infer that data has in fact gone too far, but for now we just make this quite beefy.

See also: tcp_max_initial_window, tcp_max_above_hole_without_any_acks

tcp_inactivity_timeout
Type:interval
Attributes:&redef
Default:5.0 mins

If a TCP connection is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: udp_inactivity_timeout, icmp_inactivity_timeout, set_inactivity_timeout

tcp_match_undelivered
Type:bool
Attributes:&redef
Default:T

If true, pass any undelivered data to the signature engine before flushing the state. If a connection state is removed, there may still be some data waiting in the reassembler.

tcp_max_above_hole_without_any_acks
Type:count
Attributes:&redef
Default:4096

If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. If set to zero, then we don’t ever give up.

See also: tcp_max_initial_window, tcp_excessive_data_without_further_acks

tcp_max_initial_window
Type:count
Attributes:&redef
Default:4096

Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). Used to determine whether we must not be seeing our peer’s ACKs. Set to zero to turn off this determination.

See also: tcp_max_above_hole_without_any_acks, tcp_excessive_data_without_further_acks

tcp_partial_close_delay
Type:interval
Attributes:&redef
Default:3.0 secs

Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.

tcp_reassembler_ports_orig
Type:set [port]
Attributes:&redef
Default:{}

For services without a handler, these sets define originator-side ports that still trigger reassembly.

See also: tcp_reassembler_ports_resp

tcp_reassembler_ports_resp
Type:set [port]
Attributes:&redef
Default:{}

For services without a handler, these sets define responder-side ports that still trigger reassembly.

See also: tcp_reassembler_ports_orig

tcp_reset_delay
Type:interval
Attributes:&redef
Default:5.0 secs

Upon seeing a RST, flush state after this much time.

tcp_session_timer
Type:interval
Attributes:&redef
Default:6.0 secs

After a connection has closed, wait this long for further activity before checking whether to time out its state.

tcp_storm_interarrival_thresh
Type:interval
Attributes:&redef
Default:1.0 sec

FINs/RSTs must come with this much time or less between them to be considered a “storm”.

See also: tcp_storm_thresh

tcp_storm_thresh
Type:count
Attributes:&redef
Default:1000

Number of FINs/RSTs in a row that constitute a “storm”. Storms are reported as weird via the notice framework, and they must also come within intervals of at most tcp_storm_interarrival_thresh.

See also: tcp_storm_interarrival_thresh

time_machine_profiling
Type:bool
Attributes:&redef
Default:F

If true, output profiling for Time-Machine queries.

timer_mgr_inactivity_timeout
Type:interval
Attributes:&redef
Default:1.0 min

Per-incident timer managers are drained after this amount of inactivity.

truncate_http_URI
Type:int
Attributes:&redef
Default:-1

Maximum length of HTTP URIs passed to events. Longer ones will be truncated to prevent over-long URIs (usually sent by worms) from slowing down event processing. A value of -1 means “do not truncate”.

See also: http_request

udp_content_deliver_all_orig
Type:bool
Attributes:&redef
Default:F

If true, all UDP originator-side traffic is reported via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_resp, udp_contents

udp_content_deliver_all_resp
Type:bool
Attributes:&redef
Default:F

If true, all UDP responder-side traffic is reported via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_contents

udp_content_delivery_ports_orig
Type:table [port] of bool
Attributes:&redef
Default:{}

Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents

udp_content_delivery_ports_resp
Type:table [port] of bool
Attributes:&redef
Default:{}

Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents

udp_inactivity_timeout
Type:interval
Attributes:&redef
Default:1.0 min

If a UDP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: tcp_inactivity_timeout, icmp_inactivity_timeout, set_inactivity_timeout

use_conn_size_analyzer
Type:bool
Attributes:&redef
Default:T

Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint. If true, these values are returned in the connection’s endpoint record value.

watchdog_interval
Type:interval
Attributes:&redef
Default:10.0 secs

Bro’s watchdog interval.

Constants

CONTENTS_BOTH
Type:count
Default:3

Record both originator and responder contents.

CONTENTS_NONE
Type:count
Default:0

Turn off recording of contents.

CONTENTS_ORIG
Type:count
Default:1

Record originator contents.

CONTENTS_RESP
Type:count
Default:2

Record responder contents.

DNS_ADDL
Type:count
Default:3

An additional record.

DNS_ANS
Type:count
Default:1

An answer record.

DNS_AUTH
Type:count
Default:2

An authoritative record.

DNS_QUERY
Type:count
Default:0

A query. This shouldn’t occur, just for completeness.

ENDIAN_BIG
Type:count
Default:2

Big endian.

ENDIAN_CONFUSED
Type:count
Default:3

Tried to determine endian, but failed.

ENDIAN_LITTLE
Type:count
Default:1

Little endian.

ENDIAN_UNKNOWN
Type:count
Default:0

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB
Type:count
Default:13

Administratively prohibited.

ICMP_UNREACH_HOST
Type:count
Default:1

Host unreachable.

ICMP_UNREACH_NEEDFRAG
Type:count
Default:4

Fragment needed.

ICMP_UNREACH_NET
Type:count
Default:0

Network unreachable.

ICMP_UNREACH_PORT
Type:count
Default:3

Port unreachable.

ICMP_UNREACH_PROTOCOL
Type:count
Default:2

Protocol unreachable.

IPPROTO_AH
Type:count
Default:51

IPv6 authentication header.

IPPROTO_DSTOPTS
Type:count
Default:60

IPv6 destination options header.

IPPROTO_ESP
Type:count
Default:50

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT
Type:count
Default:44

IPv6 fragment header.

IPPROTO_HOPOPTS
Type:count
Default:0

IPv6 hop-by-hop-options header.

IPPROTO_ICMP
Type:count
Default:1

Control message protocol.

IPPROTO_ICMPV6
Type:count
Default:58

ICMP for IPv6.

IPPROTO_IGMP
Type:count
Default:2

Group management protocol.

IPPROTO_IP
Type:count
Default:0

Dummy for IP.

IPPROTO_IPIP
Type:count
Default:4

IP encapsulation in IP.

IPPROTO_IPV6
Type:count
Default:41

IPv6 header.

IPPROTO_MOBILITY
Type:count
Default:135

IPv6 mobility header.

IPPROTO_NONE
Type:count
Default:59

IPv6 no next header.

IPPROTO_RAW
Type:count
Default:255

Raw IP packet.

IPPROTO_ROUTING
Type:count
Default:43

IPv6 routing header.

IPPROTO_TCP
Type:count
Default:6

TCP.

IPPROTO_UDP
Type:count
Default:17

User datagram protocol.

LOGIN_STATE_AUTHENTICATE
Type:count
Default:0

LOGIN_STATE_CONFUSED
Type:count
Default:3

LOGIN_STATE_LOGGED_IN
Type:count
Default:1

LOGIN_STATE_SKIP
Type:count
Default:2

PEER_ID_NONE
Type:count
Default:0

Place-holder constant indicating “no peer”.

REMOTE_LOG_ERROR
Type:count
Default:2

Deprecated.

REMOTE_LOG_INFO
Type:count
Default:1

Deprecated.

REMOTE_SRC_CHILD
Type:count
Default:1

Message from the child process.

REMOTE_SRC_PARENT
Type:count
Default:2

Message from the parent process.

REMOTE_SRC_SCRIPT
Type:count
Default:3

Message from a policy script.

RPC_status
Type:table [rpc_status] of string
Default:
{
   [RPC_SUCCESS] = "ok",
   [RPC_PROG_UNAVAIL] = "prog unavail",
   [RPC_TIMEOUT] = "timeout",
   [RPC_GARBAGE_ARGS] = "garbage args",
   [RPC_SYSTEM_ERR] = "system err",
   [RPC_UNKNOWN_ERROR] = "unknown",
   [RPC_PROC_UNAVAIL] = "proc unavail",
   [RPC_PROG_MISMATCH] = "mismatch",
   [RPC_AUTH_ERROR] = "auth error"
}

Mapping of numerical RPC status codes to readable messages.

See also: pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, rpc_dialogue, rpc_reply

SNMP::OBJ_COUNTER32_TAG
Type:count
Default:65

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG
Type:count
Default:70

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG
Type:count
Default:130

A NULL value.

SNMP::OBJ_INTEGER_TAG
Type:count
Default:2

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG
Type:count
Default:64

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG
Type:count
Default:129

A NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG
Type:count
Default:128

A NULL value.

SNMP::OBJ_OCTETSTRING_TAG
Type:count
Default:4

An octet string.

SNMP::OBJ_OID_TAG
Type:count
Default:6

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG
Type:count
Default:68

An octet string.

SNMP::OBJ_TIMETICKS_TAG
Type:count
Default:67

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG
Type:count
Default:66

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG
Type:count
Default:5

A NULL value.

TCP_CLOSED
Type:count
Default:5

Endpoint has closed connection.

TCP_ESTABLISHED
Type:count
Default:4

Endpoint has finished initial handshake regularly.

TCP_INACTIVE
Type:count
Default:0

Endpoint is still inactive.

TCP_PARTIAL
Type:count
Default:3

Endpoint has sent data but no initial SYN.

TCP_RESET
Type:count
Default:6

Endpoint has sent RST.

TCP_SYN_ACK_SENT
Type:count
Default:2

Endpoint has sent SYN/ACK.

TCP_SYN_SENT
Type:count
Default:1

Endpoint has sent SYN.

TH_ACK
Type:count
Default:16

ACK.

TH_FIN
Type:count
Default:1

FIN.

TH_FLAGS
Type:count
Default:63

Mask combining all flags.

TH_PUSH
Type:count
Default:8

PUSH.

TH_RST
Type:count
Default:4

RST.

TH_SYN
Type:count
Default:2

SYN.

TH_URG
Type:count
Default:32

URG.

UDP_ACTIVE
Type:count
Default:1

Endpoint has sent something.

UDP_INACTIVE
Type:count
Default:0

Endpoint is still inactive.

trace_output_file
Type:string
Default:""

Holds the filename of the trace file given with -w (empty if none).

See also: record_all_packets

State Variables

capture_filters
Type:table [string] of string
Attributes:&redef
Default:{}

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). If Bro is not configured with PacketFilter::enable_auto_protocol_capture_filters, all packets matching at least one of the filters in this table (and all in restrict_filters) will be analyzed.

See also: PacketFilter, PacketFilter::enable_auto_protocol_capture_filters, PacketFilter::unrestricted_filter, restrict_filters

direct_login_prompts
Type:set [string]
Attributes:&redef
Default:{}

TODO.

discarder_maxlen
Type:count
Attributes:&redef
Default:128

Maximum length of payload passed to discarder functions.

See also: discarder_check_tcp, discarder_check_udp, discarder_check_icmp, discarder_check_ip

dns_max_queries
Type:count
Default:5

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.

dns_skip_addl
Type:set [addr]
Attributes:&redef
Default:{}

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

See also: dns_skip_all_addl, dns_skip_auth

dns_skip_all_addl
Type:bool
Attributes:&redef
Default:F

If true, all DNS ADDL records are skipped.

See also: dns_skip_all_auth, dns_skip_addl

dns_skip_all_auth
Type:bool
Attributes:&redef
Default:F

If true, all DNS AUTH records are skipped.

See also: dns_skip_all_addl, dns_skip_auth

dns_skip_auth
Type:set [addr]
Attributes:&redef
Default:{}

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

See also: dns_skip_all_auth, dns_skip_addl

done_with_network
Type:bool
Default:F

generate_OS_version_event
Type:set [subnet]
Attributes:&redef
Default:{}

Defines for which subnets we should do passive fingerprinting.

See also: OS_version_found

http_entity_data_delivery_size
Type:count
Attributes:&redef
Default:1500

Maximum number of HTTP entity data delivered to events. The amount of data can be limited for better performance, zero disables truncation.

See also: http_entity_data, skip_http_entity_data, skip_http_data

interfaces
Type:string
Attributes:&add_func = add_interface &redef
Default:""

Network interfaces to listen on. Use redef interfaces += "eth0" to extend.

irc_servers
Type:set [addr]
Attributes:&redef
Default:{}

Deprecated.

Todo

Remove. It’s still declared internally but doesn’t seem used anywhere else.

load_sample_freq
Type:count
Attributes:&redef
Default:20

Rate at which to generate load_sample events. As with all events, the event is only generated if you have also defined a load_sample handler. Units are inverse number of packets; e.g., a value of 20 means “roughly one in every 20 packets”.

See also: load_sample

login_failure_msgs
Type:set [string]
Attributes:&redef
Default:{}

TODO.

login_non_failure_msgs
Type:set [string]
Attributes:&redef
Default:{}

TODO.

login_prompts
Type:set [string]
Attributes:&redef
Default:{}

TODO.

login_success_msgs
Type:set [string]
Attributes:&redef
Default:{}

TODO.

login_timeouts
Type:set [string]
Attributes:&redef
Default:{}

TODO.

mime_segment_length
Type:count
Attributes:&redef
Default:1024

The length of MIME data segments delivered to handlers of mime_segment_data.

See also: mime_segment_data, mime_segment_overlap_length

mime_segment_overlap_length
Type:count
Attributes:&redef
Default:0

The number of bytes of overlap between successive segments passed to mime_segment_data.

pkt_profile_file
Type:file
Attributes:&redef

File where packet profiles are logged.

See also: pkt_profile_modes, pkt_profile_freq, pkt_profile_mode

profiling_file
Type:file
Attributes:&redef
Default:
file "prof.log" of string

Write profiling info into this file in regular intervals. The easiest way to activate profiling is loading policy/misc/profiling.bro.

See also: profiling_interval, expensive_profiling_multiple, segment_profiling

restrict_filters
Type:table [string] of string
Attributes:&redef
Default:{}

Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).

See also: PacketFilter, PacketFilter::enable_auto_protocol_capture_filters, PacketFilter::unrestricted_filter, capture_filters

samba_cmds
Type:table [count] of string
Attributes:&redef &default = function &optional
Default:{}

Maps SMB command numbers to descriptive names.

secondary_filters
Type:table [string] of event (filter: string, pkt: pkt_hdr)
Attributes:&redef
Default:{}

Definition of “secondary filters”. A secondary filter is a BPF filter given as index in this table. For each such filter, the corresponding event is raised for all matching packets.

signature_files
Type:string
Attributes:&add_func = add_signature_file &redef
Default:""

Signature files to read. Use redef signature_files += "foo.sig" to extend. Signature files added this way will be searched relative to BROPATH. Using the @load-sigs directive instead is preferred, since that can search paths relative to the current script.

skip_authentication
Type:set [string]
Attributes:&redef
Default:{}

TODO.

stp_skip_src
Type:set [addr]
Attributes:&redef
Default:{}

Internal to the stepping stone detector.

Types

EncapsulatingConnVector
Type:vector

A type alias for a vector of encapsulating “connections”, i.e. for when there are tunnels within tunnels.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

IPAddrAnonymization
Type:

enum

KEEP_ORIG_ADDR
SEQUENTIALLY_NUMBERED
RANDOM_MD5
PREFIX_PRESERVING_A50
PREFIX_PRESERVING_MD5

Deprecated.

See also: anonymize_addr

IPAddrAnonymizationClass
Type:

enum

ORIG_ADDR
RESP_ADDR
OTHER_ADDR

Deprecated.

See also: anonymize_addr

JSON::TimestampFormat
Type:

enum

JSON::TS_EPOCH

Timestamps will be formatted as UNIX epoch doubles. This is the format in which Bro typically writes out timestamps.

JSON::TS_MILLIS

Timestamps will be formatted as unsigned integers that represent the number of milliseconds since the UNIX epoch.

JSON::TS_ISO8601

Timestamps will be formatted in the ISO8601 DateTime format. Subseconds are also included, which isn’t actually part of the standard, but most consumers that parse ISO8601 seem to be able to cope with that.

ModbusCoils
Type:vector
ModbusHeaders
Type:

record

tid: count

pid: count

uid: count

function_code: count

ModbusRegisters
Type:vector
NFS3::delobj_reply_t
Type:

record

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS reply for remove, rmdir. Corresponds to wcc_data in the spec.

See also: nfs_proc_remove, nfs_proc_rmdir

NFS3::direntry_t
Type:

record

fileid: count

E.g., inode number.

fname: string

Filename.

cookie: count

Cookie value.

attr: NFS3::fattr_t &optional

readdirplus: the fh attributes for the entry.

fh: string &optional

readdirplus: the fh for the entry

NFS direntry. fh and attr are used for readdirplus. However, even for readdirplus they may not be filled out.

See also: NFS3::direntry_vec_t, NFS3::readdir_reply_t

NFS3::direntry_vec_t
Type:vector

Vector of NFS direntry.

See also: NFS3::readdir_reply_t

NFS3::diropargs_t
Type:

record

dirfh: string

The file handle of the directory.

fname: string

The name of the file we are interested in.

NFS readdir arguments.

See also: nfs_proc_readdir

NFS3::fattr_t
Type:

record

ftype: NFS3::file_type_t

File type.

mode: count

Mode

nlink: count

Number of links.

uid: count

User ID.

gid: count

Group ID.

size: count

Size.

used: count

TODO.

rdev1: count

TODO.

rdev2: count

TODO.

fsid: count

TODO.

fileid: count

TODO.

atime: time

Time of last access.

mtime: time

Time of last modification.

ctime: time

Time of creation.

NFS file attributes. Field names are based on RFC 1813.

See also: nfs_proc_getattr

NFS3::fsstat_t
Type:

record

attrs: NFS3::fattr_t &optional

Attributes.

tbytes: double

TODO.

fbytes: double

TODO.

abytes: double

TODO.

tfiles: double

TODO.

ffiles: double

TODO.

afiles: double

TODO.

invarsec: interval

TODO.

NFS fsstat.

NFS3::info_t
Type:

record

rpc_stat: rpc_status

The RPC status.

nfs_stat: NFS3::status_t

The NFS status.

req_start: time

The start time of the request.

req_dur: interval

The duration of the request.

req_len: count

The length in bytes of the request.

rep_start: time

The start time of the reply.

rep_dur: interval

The duration of the reply.

rep_len: count

The length in bytes of the reply.

Record summarizing the general results and status of NFSv3 request/reply pairs.

Note that when rpc_stat or nfs_stat indicates that the call was not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status

NFS3::lookup_reply_t
Type:

record

fh: string &optional

File handle of object looked up.

obj_attr: NFS3::fattr_t &optional

Optional attributes associated w/ file

dir_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS lookup reply. If the lookup failed, dir_attr may be set. If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set.

See also: nfs_proc_lookup

NFS3::newobj_reply_t
Type:

record

fh: string &optional

File handle of object created.

obj_attr: NFS3::fattr_t &optional

Optional attributes associated w/ new object.

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS reply for create, mkdir, and symlink. If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and the attr fields may be set. Note: there is no guarantee that fh is set after success.

See also: nfs_proc_create, nfs_proc_mkdir

NFS3::read_reply_t
Type:

record

attr: NFS3::fattr_t &optional

Attributes.

size: count &optional

Number of bytes read.

eof: bool &optional

Did the read end at EOF?

data: string &optional

The actual data; not yet implemented.

NFS read reply. If the lookup fails, attr may be set. If the lookup succeeds, attr may be set and all other fields are set.

NFS3::readargs_t
Type:

record

fh: string

File handle to read from.

offset: count

Offset in file.

size: count

Number of bytes to read.

NFS read arguments.

See also: nfs_proc_read

NFS3::readdir_reply_t
Type:

record

isplus: bool

True if the reply for a readdirplus request.

dir_attr: NFS3::fattr_t &optional

Directory attributes.

cookieverf: count &optional

TODO.

entries: NFS3::direntry_vec_t &optional

Returned directory entries.

eof: bool

If true, no more entries in directory.

NFS readdir reply. Used for readdir and readdirplus. If an error is returned, dir_attr might be set. On success, dir_attr may be set and all others must be set.

NFS3::readdirargs_t
Type:

record

isplus: bool

Is this a readdirplus request?

dirfh: string

The directory filehandle.

cookie: count

Cookie / pos in dir; 0 for first call.

cookieverf: count

The cookie verifier.

dircount: count

“count” field for readdir; maxcount otherwise (in bytes).

maxcount: count &optional

Only used for readdirplus; in bytes.

NFS readdir arguments. Used for both readdir and readdirplus.

See also: nfs_proc_readdir

NFS3::readlink_reply_t
Type:

record

attr: NFS3::fattr_t &optional

Attributes.

nfspath: string &optional

Contents of the symlink; in general a pathname as text.

NFS readlink reply. If the request fails, attr may be set. If the request succeeds, attr may be set and all other fields are set.

See also: nfs_proc_readlink

NFS3::wcc_attr_t
Type:

record

size: count

The size.

atime: time

Access time.

mtime: time

Modification time.

NFS wcc attributes.

See also: NFS3::write_reply_t

NFS3::write_reply_t
Type:

record

preattr: NFS3::wcc_attr_t &optional

Pre operation attributes.

postattr: NFS3::fattr_t &optional

Post operation attributes.

size: count &optional

Size.

commited: NFS3::stable_how_t &optional

TODO.

verf: count &optional

Write verifier cookie.

NFS write reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr may be set and all other fields are set.

See also: nfs_proc_write

NFS3::writeargs_t
Type:

record

fh: string

File handle to write to.

offset: count

Offset in file.

size: count

Number of bytes to write.

stable: NFS3::stable_how_t

How and when data is committed.

data: string &optional

The actual data; not implemented yet.

NFS write arguments.

See also: nfs_proc_write

NetStats
Type:

record

pkts_recvd: count &default = 0 &optional

Packets received by Bro.

pkts_dropped: count &default = 0 &optional

Packets reported dropped by the system.

pkts_link: count &default = 0 &optional

Packets seen on the link. Note that this may differ from pkts_recvd because of a potential capture_filter. See base/frameworks/packet-filter/main.bro. Depending on the packet capture system, this value may not be available and will then be always set to zero.

Packet capture statistics. All counts are cumulative.

See also: net_stats

OS_version
Type:

record

genre: string

Linux, Windows, AIX, ...

detail: string

Kernel version or such.

dist: count

How far is the host away from the sensor (TTL)?

match_type: OS_version_inference

Quality of the match.

Passive fingerprinting match.

See also: OS_version_found

OS_version_inference
Type:

enum

direct_inference

TODO.

generic_inference

TODO.

fuzzy_inference

TODO.

Quality of passive fingerprinting matches.

See also: OS_version

PcapFilterID
Type:

enum

None
PacketFilter::DefaultPcapFilter

(present if base/frameworks/packet-filter/main.bro is loaded)

PacketFilter::FilterTester

(present if base/frameworks/packet-filter/main.bro is loaded)

Enum type identifying dynamic BPF filters. These are used by precompile_pcap_filter and install_pcap_filter.

RADIUS::AttributeList
Type:vector
RADIUS::Attributes
Type:table [count] of RADIUS::AttributeList
RADIUS::Message
Type:

record

code: count

The type of message (Access-Request, Access-Accept, etc.).

trans_id: count

The transaction ID.

authenticator: string

The “authenticator” string.

attributes: RADIUS::Attributes &optional

Any attributes.

SNMP::Binding
Type:

record

oid: string

value: SNMP::ObjectValue

The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.

SNMP::Bindings
Type:vector

A VarBindList data structure from either RFC 1157 or RFC 3416. A sequence of SNMP::Binding, which maps OIDs to values.

SNMP::BulkPDU
Type:

record

request_id: int

non_repeaters: count

max_repititions: count

bindings: SNMP::Bindings

A BulkPDU data structure from RFC 3416.

SNMP::Header
Type:

record

version: count

v1: SNMP::HeaderV1 &optional

Set when version is 0.

v2: SNMP::HeaderV2 &optional

Set when version is 1.

v3: SNMP::HeaderV3 &optional

Set when version is 3.

A generic SNMP header data structure that may include data from any version of SNMP. The value of the version field determines what header field is initialized.

SNMP::HeaderV1
Type:

record

community: string

The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.

SNMP::HeaderV2
Type:

record

community: string

The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.

SNMP::HeaderV3
Type:

record

id: count

max_size: count

flags: count

auth_flag: bool

priv_flag: bool

reportable_flag: bool

security_model: count

security_params: string

pdu_context: SNMP::ScopedPDU_Context &optional

The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.

SNMP::ObjectValue
Type:

record

tag: count

oid: string &optional

signed: int &optional

unsigned: count &optional

address: addr &optional

octets: string &optional

A generic SNMP object value that may include any of the valid ObjectSyntax values from RFC 1155 or RFC 3416. The value is decoded whenever possible and assigned to the appropriate field, which can be determined from the value of the tag field. For tags that can’t be mapped to an appropriate type, the octets field holds the BER-encoded ASN.1 content if there is any (though octets may also be used for other tags such as OCTET STRING or Opaque). Null values will only have their corresponding tag value set.
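As an added example (not part of the Bro distribution), the following handler walks the VarBindList of a GetResponse and renders each SNMP::ObjectValue according to which optional field the analyzer populated; the event name, record layouts and field names are those documented on this page, while the module name and output format are our own choice.

```bro
# Added example: render decoded SNMP bindings from snmp_get_response.
module SNMPDemo;

# Render one SNMP::ObjectValue. Optional fields are tested with ?$ so that a
# NULL value (only `tag` set) or an undecoded tag (only `octets` set) never
# triggers a runtime error from reading an unset field.
function render_value(v: SNMP::ObjectValue): string
	{
	if ( v?$signed )
		return fmt("int:%d", v$signed);
	if ( v?$unsigned )
		return fmt("uint:%d", v$unsigned);
	if ( v?$address )
		return fmt("addr:%s", v$address);
	if ( v?$oid )
		return fmt("oid:%s", v$oid);
	if ( v?$octets )
		# OCTET STRING, Opaque and undecodable BER content all land here;
		# the tag tells them apart. Escape before printing so control
		# bytes from the wire cannot corrupt the terminal or a log line.
		return fmt("octets(tag=%d):%s", v$tag, escape_string(v$octets));
	# Nothing but the tag: a NULL-style value.
	return fmt("null(tag=%d)", v$tag);
	}

event snmp_get_response(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
	{
	# A non-zero error_status means error_index names the offending binding
	# (1-based, per RFC 3416); the bindings are then not trustworthy data.
	if ( pdu$error_status != 0 )
		{
		print fmt("%s SNMP error status %d at binding %d",
		          c$id$resp_h, pdu$error_status, pdu$error_index);
		return;
		}

	for ( i in pdu$bindings )
		{
		local b = pdu$bindings[i];
		print fmt("%s <- %s = %s", c$id$orig_h, b$oid, render_value(b$value));
		}
	}
```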

SNMP::PDU
Type:

record

request_id: int

error_status: int

error_index: int

bindings: SNMP::Bindings

A PDU data structure from either RFC 1157 or RFC 3416.

SNMP::ScopedPDU_Context
Type:

record

engine_id: string

name: string

The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e. just the “context” fields). See RFC 3412.

SNMP::TrapPDU
Type:

record

enterprise: string

agent: addr

generic_trap: int

specific_trap: int

time_stamp: count

bindings: SNMP::Bindings

A Trap-PDU data structure from RFC 1157.

SOCKS::Address
Type:

record

host: addr &optional &log

name: string &optional &log

Attributes:

&log

This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.

SYN_packet
Type:

record

is_orig: bool

True if the packet was sent by the connection’s originator.

DF: bool

True if the don’t-fragment bit is set in the IP header.

ttl: count

The IP header’s time-to-live.

size: count

The size of the packet’s payload as specified in the IP header.

win_size: count

The window size from the TCP header.

win_scale: int

The window scale option if present, or -1 if not.

MSS: count

The maximum segment size if present, or 0 if not.

SACK_OK: bool

True if the SACK option is present.

Fields of a SYN packet.

See also: connection_SYN_packet

Tunnel::EncapsulatingConn
Type:

record

cid: conn_id &log

The 4-tuple of the encapsulating “connection”. In case of an IP-in-IP tunnel the ports will be set to 0. The direction (i.e., orig and resp) is set according to the first tunneled packet seen and not according to the side that established the tunnel.

tunnel_type: Tunnel::Type &log

The type of tunnel.

uid: string &optional &log

A globally unique identifier that, for non-IP-in-IP tunnels, cross-references the uid field of connection.

Attributes:

&log

Records the identity of an encapsulating parent of a tunneled connection.

Unified2::IDSEvent
Type:

record

sensor_id: count

event_id: count

ts: time

signature_id: count

generator_id: count

signature_revision: count

classification_id: count

priority_id: count

src_ip: addr

dst_ip: addr

src_p: port

dst_p: port

impact_flag: count

impact: count

blocked: count

mpls_label: count &optional

Not available in “legacy” IDS events.

vlan_id: count &optional

Not available in “legacy” IDS events.

packet_action: count &optional

Only available in “legacy” IDS events.

Unified2::Packet
Type:

record

sensor_id: count

event_id: count

event_second: count

packet_ts: time

link_type: count

data: string

X509::BasicConstraints
Type:

record

ca: bool &log

CA flag set?

path_len: count &optional &log

Maximum path length

Attributes:

&log

X509::Certificate
Type:

record

version: count &log

Version number.

serial: string &log

Serial number.

subject: string &log

Subject.

issuer: string &log

Issuer.

not_valid_before: time &log

Timestamp before when certificate is not valid.

not_valid_after: time &log

Timestamp after when certificate is not valid.

key_alg: string &log

Name of the key algorithm

sig_alg: string &log

Name of the signature algorithm

key_type: string &optional &log

Key type, if the key is parseable by OpenSSL (either rsa, dsa or ec).

key_length: count &optional &log

Key length in bits

exponent: string &optional &log

Exponent, if RSA-certificate

curve: string &optional &log

Curve, if EC-certificate

Attributes:

&log

X509::Extension
Type:

record

name: string

Long name of the extension; the OID if the name is not known.

short_name: string &optional

Short name of extension if known

oid: string

Oid of extension

critical: bool

True if extension is critical

value: string

Extension content parsed to string for known extensions. Raw data otherwise.

X509::Result
Type:

record

result: int

OpenSSL result code

result_string: string

Result as string

chain_certs: vector &optional

References to the final certificate chain, if verification successful. End-host certificate is first.

Result of an X509 certificate chain verification

X509::SubjectAlternativeName
Type:

record

dns: string_vec &optional &log

List of DNS entries in SAN

uri: string_vec &optional &log

List of URI entries in SAN

email: string_vec &optional &log

List of email entries in SAN

ip: addr_vec &optional &log

List of IP entries in SAN

other_fields: bool

True if the certificate contained other, not recognized or parsed name fields

addr_set
Type:set [addr]

A set of addresses.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

addr_vec
Type:vector

A vector of addresses.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

any_vec
Type:vector

A vector of any, used by some builtin functions to store a list of varying types.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

backdoor_endp_stats
Type:

record

is_partial: bool

num_pkts: count

num_8k0_pkts: count

num_8k4_pkts: count

num_lines: count

num_normal_lines: count

num_bytes: count

num_7bit_ascii: count

Deprecated.

bittorrent_benc_dir
Type:table [string] of bittorrent_benc_value

A table of BitTorrent “benc” values.

See also: bt_tracker_response

bittorrent_benc_value
Type:

record

i: int &optional

TODO.

s: string &optional

TODO.

d: string &optional

TODO.

l: string &optional

TODO.

BitTorrent “benc” value. Note that “benc” = Bencode (“Bee-Encode”), per http://en.wikipedia.org/wiki/Bencode.

See also: bittorrent_benc_dir

bittorrent_peer
Type:

record

h: addr

The peer’s address.

p: port

The peer’s port.

A BitTorrent peer.

See also: bittorrent_peer_set

bittorrent_peer_set
Type:set [bittorrent_peer]

A set of BitTorrent peers.

See also: bt_tracker_response

bro_resources
Type:

record

version: string

Bro version string.

debug: bool

True if compiled with --enable-debug.

start_time: time

Start time of process.

real_time: interval

Elapsed real time since Bro started running.

user_time: interval

User CPU seconds.

system_time: interval

System CPU seconds.

mem: count

Maximum memory consumed, in KB.

minor_faults: count

Page faults not requiring actual I/O.

major_faults: count

Page faults requiring actual I/O.

num_swap: count

Times swapped out.

blocking_input: count

Blocking input operations.

blocking_output: count

Blocking output operations.

num_context: count

Number of involuntary context switches.

num_TCP_conns: count

Current number of TCP connections in memory.

num_UDP_conns: count

Current number of UDP flows in memory.

num_ICMP_conns: count

Current number of ICMP flows in memory.

num_fragments: count

Current number of fragments pending reassembly.

num_packets: count

Total number of packets processed to date.

num_timers: count

Current number of pending timers.

num_events_queued: count

Total number of events queued so far.

num_events_dispatched: count

Total number of events dispatched so far.

max_TCP_conns: count

Maximum number of concurrent TCP connections so far.

max_UDP_conns: count

Maximum number of concurrent UDP connections so far.

max_ICMP_conns: count

Maximum number of concurrent ICMP connections so far.

max_fragments: count

Maximum number of concurrently buffered fragments so far.

max_timers: count

Maximum number of concurrent timers pending so far.

Statistics about Bro’s resource consumption.

See also: resource_usage

Note

All process-level values refer to Bro’s main process only, not to the child process it spawns for doing communication.

bt_tracker_headers
Type:table [string] of string

Header table type used by BitTorrent analyzer.

See also: bt_tracker_request, bt_tracker_response, bt_tracker_response_not_ok

call_argument
Type:

record

name: string

The name of the parameter.

type_name: string

The name of the parameter’s type.

default_val: any &optional

The value of the &default attribute if defined.

value: any &optional

The value of the parameter as passed into a given call instance. Might be unset in the case a &default attribute is defined.

Meta-information about a parameter to a function/event.

See also: call_argument_vector, new_event

call_argument_vector
Type:vector

Vector type used to capture parameters of a function/event call.

See also: call_argument, new_event

conn_id
Type:

record

orig_h: addr &log

The originator’s IP address.

orig_p: port &log

The originator’s port number.

resp_h: addr &log

The responder’s IP address.

resp_p: port &log

The responder’s port number.

Attributes:

&log

A connection’s identifying 4-tuple of endpoints and ports.

Note

It’s actually a 5-tuple: the transport-layer protocol is stored as part of the port values, orig_p and resp_p, and can be extracted from them with get_port_transport_proto.

connection
Type:

record

id: conn_id

The connection’s identifying 4-tuple.

orig: endpoint

Statistics about originator side.

resp: endpoint

Statistics about responder side.

start_time: time

The timestamp of the connection’s first packet.

duration: interval

The duration of the conversation. Roughly speaking, this is the interval between first and last data packet (low-level TCP details may adjust it somewhat in ambiguous cases).

service: set [string]

The set of services the connection is using as determined by Bro’s dynamic protocol detection. Each entry is the label of an analyzer that confirmed that it could parse the connection payload. While typically there will be at most one entry for each connection, in principle it is possible that more than one protocol analyzer is able to parse the same data. If so, all will be recorded. Also note that the recorded services are independent of any transport-level protocols.

addl: string

Deprecated.

hot: count

Deprecated.

history: string

State history of connections. See history in Conn::Info.

uid: string

A globally unique connection identifier. For each connection, Bro creates an ID that is very likely unique across independent Bro runs. These IDs can thus be used to tag and locate information associated with that connection.

tunnel: EncapsulatingConnVector &optional

If the connection is tunneled, this field contains information about the encapsulating “connection(s)” with the outermost one starting at index zero. It’s also always the first such encapsulation seen for the connection unless the tunnel_changed event is handled and reassigns this field to the new encapsulation.

dpd: DPD::Info &optional

(present if base/frameworks/dpd/main.bro is loaded)

conn: Conn::Info &optional

(present if base/protocols/conn/main.bro is loaded)

extract_orig: bool &default = Conn::default_extract &optional

(present if base/protocols/conn/contents.bro is loaded)

extract_resp: bool &default = Conn::default_extract &optional

(present if base/protocols/conn/contents.bro is loaded)

dhcp: DHCP::Info &optional

(present if base/protocols/dhcp/main.bro is loaded)

dnp3: DNP3::Info &optional

(present if base/protocols/dnp3/main.bro is loaded)

dns: DNS::Info &optional

(present if base/protocols/dns/main.bro is loaded)

dns_state: DNS::State &optional

(present if base/protocols/dns/main.bro is loaded)

ftp: FTP::Info &optional

(present if base/protocols/ftp/main.bro is loaded)

ftp_data_reuse: bool &default = F &optional

(present if base/protocols/ftp/main.bro is loaded)

ssl: SSL::Info &optional

(present if base/protocols/ssl/main.bro is loaded)

http: HTTP::Info &optional

(present if base/protocols/http/main.bro is loaded)

http_state: HTTP::State &optional

(present if base/protocols/http/main.bro is loaded)

irc: IRC::Info &optional

(present if base/protocols/irc/main.bro is loaded)

IRC session information.

modbus: Modbus::Info &optional

(present if base/protocols/modbus/main.bro is loaded)

radius: table [count] of RADIUS::Info &optional &write_expire = RADIUS::expiration_interval &expire_func = RADIUS::expire

(present if base/protocols/radius/main.bro is loaded)

snmp: SNMP::Info &optional

(present if base/protocols/snmp/main.bro is loaded)

smtp: SMTP::Info &optional

(present if base/protocols/smtp/main.bro is loaded)

smtp_state: SMTP::State &optional

(present if base/protocols/smtp/main.bro is loaded)

socks: SOCKS::Info &optional

(present if base/protocols/socks/main.bro is loaded)

ssh: SSH::Info &optional

(present if base/protocols/ssh/main.bro is loaded)

syslog: Syslog::Info &optional

(present if base/protocols/syslog/main.bro is loaded)

resp_hostname: string &optional

(present if policy/misc/app-stats/main.bro is loaded)

known_services_done: bool &default = F &optional

(present if policy/protocols/conn/known-services.bro is loaded)

A connection. This is Bro’s basic connection type describing IP- and transport-layer information about the conversation. Note that Bro uses a liberal interpretation of “connection” and associates instances of this type also with UDP and ICMP flows.

count_set
Type:set [count]

A set of counts.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

dhcp_msg
Type:

record

op: count

Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY

m_type: count

The type of DHCP message.

xid: count

Transaction ID of a DHCP session.

h_addr: string

Hardware address of the client.

ciaddr: addr

Original IP address of the client.

yiaddr: addr

IP address assigned to the client.

A DHCP message.

See also: dhcp_ack, dhcp_decline, dhcp_discover, dhcp_inform, dhcp_nak, dhcp_offer, dhcp_release, dhcp_request

dhcp_router_list
Type:table [count] of addr

A list of router addresses offered by a DHCP server.

See also: dhcp_ack, dhcp_offer

dns_answer
Type:

record

answer_type: count

Answer type. One of DNS_QUERY, DNS_ANS, DNS_AUTH and DNS_ADDL.

query: string

Query.

qtype: count

Query type.

qclass: count

Query class.

TTL: interval

Time-to-live.

The general part of a DNS reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TXT_reply, dns_WKS_reply

dns_edns_additional
Type:

record

query: string

Query.

qtype: count

Query type.

t: count

TODO.

payload_size: count

TODO.

extended_rcode: count

Extended return code.

version: count

Version.

z_field: count

TODO.

TTL: interval

Time-to-live.

is_query: count

TODO.

An additional DNS EDNS record.

See also: dns_EDNS_addl

dns_mapping
Type:

record

creation_time: time

The time when the mapping was created, which corresponds to when the DNS query was sent out.

req_host: string

If the mapping is the result of a name lookup, the queried host name; otherwise empty.

req_addr: addr

If the mapping is the result of a pointer lookup, the queried address; otherwise null.

valid: bool

True if the lookup returned success. Only then are the result fields valid.

hostname: string

If the mapping is the result of a pointer lookup, the resolved hostname; otherwise empty.

addrs: addr_set

If the mapping is the result of an address lookup, the resolved address(es); otherwise empty.

dns_msg
Type:

record

id: count

Transaction ID.

opcode: count

Operation code.

rcode: count

Return code.

QR: bool

Query response flag.

AA: bool

Authoritative answer flag.

TC: bool

Truncated packet flag.

RD: bool

Recursion desired flag.

RA: bool

Recursion available flag.

Z: count

TODO.

num_queries: count

Number of query records.

num_answers: count

Number of answer records.

num_auth: count

Number of authoritative records.

num_addl: count

Number of additional records.

A DNS message.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_message, dns_query_reply, dns_rejected, dns_request

dns_soa
Type:

record

mname: string

Primary source of data for zone.

rname: string

Mailbox for responsible person.

serial: count

Version number of zone.

refresh: interval

Seconds before refreshing.

retry: interval

How long before retrying failed refresh.

expire: interval

When zone no longer authoritative.

minimum: interval

Minimum TTL to use when exporting.

A DNS SOA record.

See also: dns_SOA_reply

dns_tsig_additional
Type:

record

query: string

Query.

qtype: count

Query type.

alg_name: string

Algorithm name.

sig: string

Signature.

time_signed: time

Time when signed.

fudge: time

TODO.

orig_id: count

TODO.

rr_error: count

TODO.

is_query: count

TODO.

An additional DNS TSIG record.

See also: dns_TSIG_addl

endpoint
Type:

record

size: count

Logical size of data sent (for TCP: derived from sequence numbers).

state: count

Endpoint state. For a TCP connection, one of the constants TCP_INACTIVE, TCP_SYN_SENT, TCP_SYN_ACK_SENT, TCP_PARTIAL, TCP_ESTABLISHED, TCP_CLOSED, or TCP_RESET. For UDP, one of UDP_ACTIVE and UDP_INACTIVE.

num_pkts: count &optional

Number of packets sent. Only set if use_conn_size_analyzer is true.

num_bytes_ip: count &optional

Number of IP-level bytes sent. Only set if use_conn_size_analyzer is true.

flow_label: count

The current IPv6 flow label that the connection endpoint is using. Always 0 if the connection is over IPv4.

Statistics about a connection endpoint.

See also: connection

endpoint_stats
Type:

record

num_pkts: count

Number of packets.

num_rxmit: count

Number of retransmissions.

num_rxmit_bytes: count

Number of retransmitted bytes.

num_in_order: count

Number of in-order packets.

num_OO: count

Number of out-of-order packets.

num_repl: count

Number of replicated packets (last packet was sent again).

endian_type: count

Endian type used by the endpoint, if it could be determined from the sequence numbers used. This is one of ENDIAN_UNKNOWN, ENDIAN_BIG, ENDIAN_LITTLE, and ENDIAN_CONFUSED.

Statistics about what a TCP endpoint sent.

See also: conn_stats

entropy_test_result
Type:

record

entropy: double

Information density.

chi_square: double

Chi-Square value.

mean: double

Arithmetic Mean.

monte_carlo_pi: double

Monte Carlo estimate of pi.

serial_correlation: double

Serial correlation coefficient.

Computed entropy values. The record captures a number of measures that are computed in parallel. See A Pseudorandom Number Sequence Test Program for more information; Bro uses the same code.

See also: entropy_test_add, entropy_test_finish, entropy_test_init, find_entropy
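
The five measures above, as an added Python example that is not Bro's or ent's code: it accumulates them incrementally, mirroring entropy_test_init/add/finish, and adds a find_entropy-style one-shot helper plus the kind of threshold check used in file analysis to spot compressed or encrypted content. The chi-square, Monte Carlo and serial-correlation details follow ent's method as an assumption (the page only says Bro uses ent's code); the sample inputs are constructed.

```python
"""Compute the five measures of Bro's entropy_test_result record.
Added example, not Bro's or ent's code. The chi-square, Monte Carlo and
serial-correlation details follow ent's method as an assumption; the page only
says Bro uses ent's code. Sample inputs are constructed."""
import math
from dataclasses import dataclass

MONTEN = 6                                  # bytes per Monte Carlo (x, y) pair
INCIRC = (256.0 ** (MONTEN / 2) - 1) ** 2   # squared radius of the inscribed circle


@dataclass
class EntropyTestResult:
    entropy: float              # bits per byte; 8.0 for perfectly uniform data
    chi_square: float
    mean: float
    monte_carlo_pi: float
    serial_correlation: float


class EntropyTest:
    """Incremental accumulator, mirroring entropy_test_init/add/finish."""

    def __init__(self) -> None:
        self.counts = [0] * 256
        self.total = 0
        self.mc_buf: list = []
        self.mc_inside = self.mc_tries = 0
        self.sc_first = self.sc_last = None
        self.sc_t1 = self.sc_t2 = self.sc_t3 = 0.0

    def add(self, data: bytes) -> None:
        for b in data:
            self.counts[b] += 1
            self.total += 1
            # Monte Carlo: every 6 bytes form a point (x, y) with 24-bit coordinates;
            # the fraction inside the quarter circle estimates pi/4.
            self.mc_buf.append(b)
            if len(self.mc_buf) == MONTEN:
                x = int.from_bytes(bytes(self.mc_buf[:3]), "big")
                y = int.from_bytes(bytes(self.mc_buf[3:]), "big")
                self.mc_tries += 1
                if x * x + y * y <= INCIRC:
                    self.mc_inside += 1
                self.mc_buf = []
            # Serial correlation: running sums over consecutive byte pairs.
            if self.sc_first is None:
                self.sc_first = b
            else:
                self.sc_t1 += self.sc_last * b
            self.sc_t2 += b
            self.sc_t3 += b * b
            self.sc_last = b

    def finish(self) -> EntropyTestResult:
        n = self.total
        if n == 0:
            raise ValueError("no data added")
        expected = n / 256.0
        entropy = chi = 0.0
        for c in self.counts:
            chi += (c - expected) ** 2 / expected
            if c:
                p = c / n
                entropy -= p * math.log2(p)
        pi = 4.0 * self.mc_inside / self.mc_tries if self.mc_tries else 0.0
        t1 = self.sc_t1 + self.sc_last * self.sc_first   # ent wraps last -> first
        t2 = self.sc_t2 ** 2
        denom = n * self.sc_t3 - t2
        scc = (n * t1 - t2) / denom if denom != 0 else -100000.0  # ent's sentinel
        return EntropyTestResult(entropy, chi, self.sc_t2 / n, pi, scc)


def entropy_measures(data: bytes) -> EntropyTestResult:
    """One-shot convenience, in the spirit of find_entropy."""
    t = EntropyTest()
    t.add(data)
    return t.finish()


def looks_high_entropy(data: bytes, threshold: float = 7.9) -> bool:
    """Heuristic used in file analysis: compressed or encrypted content sits
    close to 8 bits/byte, while text and most executables sit well below."""
    return entropy_measures(data).entropy >= threshold
```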

event_peer
Type:

record

id: peer_id

Locally unique ID of peer (returned by connect).

host: addr

The IP address of the peer.

p: port

The port we connected to at the peer, or, if the session was remotely initiated, our port that the peer connected to.

is_local: bool

True if this record describes the local process.

descr: string

The peer’s peer_description.

class: string &optional

The self-assigned class of the peer. See Communication::Node.

A communication peer.

See also: complete_handshake, disconnect, finished_send_state, get_event_peer, get_local_event_peer, remote_capture_filter, remote_connection_closed, remote_connection_error, remote_connection_established, remote_connection_handshake_done, remote_event_registered, remote_log_peer, remote_pong, request_remote_events, request_remote_logs, request_remote_sync, send_capture_filter, send_current_packet, send_id, send_ping, send_state, set_accept_state, set_compression_level

fa_file
Type:

record

id: string

An identifier associated with a single file.

parent_id: string &optional

Identifier associated with a container file from which this one was extracted as part of the file analysis.

source: string

An identification of the source of the file data, e.g. the network protocol over which it was transferred, a local file path that was read, or some other input source.

is_orig: bool &optional

If the source of this file is a network connection, this field may be set to indicate the directionality.

conns: table [conn_id] of connection &optional

The set of connections over which the file was transferred.

last_active: time

The time at which the last activity for the file was seen.

seen_bytes: count &default = 0 &optional

Number of bytes provided to the file analysis engine for the file.

total_bytes: count &optional

Total number of bytes that are supposed to comprise the full file.

missing_bytes: count &default = 0 &optional

The number of bytes in the file stream that were completely missed during analysis, e.g. due to dropped packets.

overflow_bytes: count &default = 0 &optional

The number of bytes that were delivered to file analyzers out of sequence because the reassembly buffer overflowed.

timeout_interval: interval &default = default_file_timeout_interval &optional

How long the analysis engine will wait for new data for this file before giving up on it.

bof_buffer_size: count &default = default_file_bof_buffer_size &optional

The number of bytes at the beginning of a file to save for later inspection in the bof_buffer field.

bof_buffer: string &optional

The content of the beginning of a file up to bof_buffer_size bytes. This is also the buffer that’s used for file/mime type detection.

mime_type: string &optional

The mime type of the strongest file magic signature match against the data chunk in bof_buffer, or, where no buffering of the beginning of the file occurs, an initial guess of the mime type based on the first data seen.

mime_types: mime_matches &optional

All mime types that matched file magic signatures against the data chunk in bof_buffer, in order of their strength value.

info: Files::Info &optional

(present if base/frameworks/files/main.bro is loaded)

u2_events: table [count] of Unified2::IDSEvent &optional &create_expire = 5.0 secs &expire_func = function

(present if base/files/unified2/main.bro is loaded)

Recently received IDS events. This is primarily used for tying together Unified2 events and packets.

logcert: bool &default = T &optional

(present if policy/protocols/ssl/log-hostcerts-only.bro is loaded)

Attributes:

&redef

A file that Bro is analyzing. This is Bro’s type for describing the basic internal metadata collected about a “file”, which is essentially just a byte stream that is e.g. pulled from a network connection or possibly some other input source.

ftp_port
Type:

record

h: addr

The host’s address.

p: port

The host’s port.

valid: bool

True if the format was right. Only then are h and p valid.

A parsed host/port combination describing the server endpoint for an upcoming data transfer.

See also: fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port

gap_info
Type:

record

ack_events: count

How many ack events could have had gaps.

ack_bytes: count

How many bytes those covered.

gap_events: count

How many of those ack events did have gaps.

gap_bytes: count

How many bytes were missing in the gaps.

Statistics about the number of gaps in TCP connections.

See also: gap_report, get_gap_summary

geo_location
Type:

record

country_code: string &optional &log

The country code.

region: string &optional &log

The region.

city: string &optional &log

The city.

latitude: double &optional &log

Latitude.

longitude: double &optional &log

Longitude.

Attributes:

&log

GeoIP location information.

See also: lookup_location

gtp_access_point_name
Type:string
gtp_cause
Type:count
gtp_charging_characteristics
Type:count
gtp_charging_gateway_addr
Type:addr
gtp_charging_id
Type:count
gtp_create_pdp_ctx_request_elements
Type:

record

imsi: gtp_imsi &optional

rai: gtp_rai &optional

recovery: gtp_recovery &optional

select_mode: gtp_selection_mode &optional

data1: gtp_teid1

cp: gtp_teid_control_plane &optional

nsapi: gtp_nsapi

linked_nsapi: gtp_nsapi &optional

charge_character: gtp_charging_characteristics &optional

trace_ref: gtp_trace_reference &optional

trace_type: gtp_trace_type &optional

end_user_addr: gtp_end_user_addr &optional

ap_name: gtp_access_point_name &optional

opts: gtp_proto_config_options &optional

signal_addr: gtp_gsn_addr

user_addr: gtp_gsn_addr

msisdn: gtp_msisdn &optional

qos_prof: gtp_qos_profile

tft: gtp_tft &optional

trigger_id: gtp_trigger_id &optional

omc_id: gtp_omc_id &optional

ext: gtp_private_extension &optional

gtp_create_pdp_ctx_response_elements
Type:

record

cause: gtp_cause

reorder_req: gtp_reordering_required &optional

recovery: gtp_recovery &optional

data1: gtp_teid1 &optional

cp: gtp_teid_control_plane &optional

charging_id: gtp_charging_id &optional

end_user_addr: gtp_end_user_addr &optional

opts: gtp_proto_config_options &optional

cp_addr: gtp_gsn_addr &optional

user_addr: gtp_gsn_addr &optional

qos_prof: gtp_qos_profile &optional

charge_gateway: gtp_charging_gateway_addr &optional

ext: gtp_private_extension &optional

gtp_delete_pdp_ctx_request_elements
Type:

record

teardown_ind: gtp_teardown_ind &optional

nsapi: gtp_nsapi

ext: gtp_private_extension &optional

gtp_delete_pdp_ctx_response_elements
Type:

record

cause: gtp_cause

ext: gtp_private_extension &optional

gtp_end_user_addr
Type:

record

pdp_type_org: count

pdp_type_num: count

pdp_ip: addr &optional

Set if the End User Address information element is IPv4/IPv6.

pdp_other_addr: string &optional

Set if the End User Address information element isn’t IPv4/IPv6.

gtp_gsn_addr
Type:

record

ip: addr &optional

If the GSN Address information element has length 4 or 16, then this field is set to the information element’s value interpreted as an IPv4 or IPv6 address, respectively.

other: string &optional

This field is set if it’s not an IPv4 or IPv6 address.

gtp_imsi
Type:count
gtp_msisdn
Type:string
gtp_nsapi
Type:count
gtp_omc_id
Type:string
gtp_private_extension
Type:

record

id: count

value: string

gtp_proto_config_options
Type:string
gtp_qos_profile
Type:

record

priority: count

data: string

gtp_rai
Type:

record

mcc: count

mnc: count

lac: count

rac: count

gtp_recovery
Type:count
gtp_reordering_required
Type:bool
gtp_selection_mode
Type:count
gtp_teardown_ind
Type:bool
gtp_teid1
Type:count
gtp_teid_control_plane
Type:count
gtp_tft
Type:string
gtp_trace_reference
Type:count
gtp_trace_type
Type:count
gtp_trigger_id
Type:string
gtp_update_pdp_ctx_request_elements
Type:

record

imsi: gtp_imsi &optional

rai: gtp_rai &optional

recovery: gtp_recovery &optional

data1: gtp_teid1

cp: gtp_teid_control_plane &optional

nsapi: gtp_nsapi

trace_ref: gtp_trace_reference &optional

trace_type: gtp_trace_type &optional

cp_addr: gtp_gsn_addr

user_addr: gtp_gsn_addr

qos_prof: gtp_qos_profile

tft: gtp_tft &optional

trigger_id: gtp_trigger_id &optional

omc_id: gtp_omc_id &optional

ext: gtp_private_extension &optional

end_user_addr: gtp_end_user_addr &optional

gtp_update_pdp_ctx_response_elements
Type:

record

cause: gtp_cause

recovery: gtp_recovery &optional

data1: gtp_teid1 &optional

cp: gtp_teid_control_plane &optional

charging_id: gtp_charging_id &optional

cp_addr: gtp_gsn_addr &optional

user_addr: gtp_gsn_addr &optional

qos_prof: gtp_qos_profile &optional

charge_gateway: gtp_charging_gateway_addr &optional

ext: gtp_private_extension &optional

gtpv1_hdr
Type:

record

version: count

The 3-bit version field, which for GTPv1 should be 1.

pt_flag: bool

Protocol Type value differentiates GTP (value 1) from GTP’ (value 0).

rsv: bool

Reserved field, should be 0.

e_flag: bool

Extension Header flag. When 0, the next_type field may or may not be present, but shouldn’t be meaningful. When 1, next_type is present and meaningful.

s_flag: bool

Sequence Number flag. When 0, the seq field may or may not be present, but shouldn’t be meaningful. When 1, seq is present and meaningful.

pn_flag: bool

N-PDU flag. When 0, the n_pdu field may or may not be present, but shouldn’t be meaningful. When 1, n_pdu is present and meaningful.

msg_type: count

Message Type. A value of 255 indicates user-plane data is encapsulated.

length: count

Length of the GTP packet payload (the rest of the packet following the mandatory 8-byte GTP header).

teid: count

Tunnel Endpoint Identifier. Unambiguously identifies a tunnel endpoint in the receiving GTP-U or GTP-C protocol entity.

seq: count &optional

Sequence Number. Present whenever any of e_flag, s_flag, or pn_flag is set; meaningful only if s_flag is set.

n_pdu: count &optional

N-PDU Number. Present whenever any of e_flag, s_flag, or pn_flag is set; meaningful only if pn_flag is set.

next_type: count &optional

Next Extension Header Type. Present whenever any of e_flag, s_flag, or pn_flag is set; meaningful only if e_flag is set.

A GTPv1 (GPRS Tunneling Protocol) header.
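
The header layout described above, as an added Python example that is not Bro's own code: it decodes a raw GTPv1 header into the same fields, applies the rule that seq, n_pdu and next_type are all present whenever any of the E, S or PN flags is set, and locates the encapsulated payload. The extension-header walk in payload_offset relies on the 3GPP header format rather than on anything the page documents; the sample bytes are constructed.

```python
"""Parse a GTPv1 header into the fields of Bro's gtpv1_hdr record.
Added example, not Bro's own code; the sample bytes below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

GTP_MSG_G_PDU = 255  # msg_type for encapsulated user-plane data


@dataclass
class GtpV1Hdr:
    version: int
    pt_flag: bool
    rsv: bool
    e_flag: bool
    s_flag: bool
    pn_flag: bool
    msg_type: int
    length: int
    teid: int
    seq: Optional[int] = None
    n_pdu: Optional[int] = None
    next_type: Optional[int] = None


def parse_gtpv1_hdr(buf: bytes) -> GtpV1Hdr:
    if len(buf) < 8:
        raise ValueError("truncated GTPv1 header: need 8 bytes")
    flags, msg_type, length, teid = struct.unpack("!BBHI", buf[:8])
    hdr = GtpV1Hdr(version=flags >> 5, pt_flag=bool(flags & 0x10),
                   rsv=bool(flags & 0x08), e_flag=bool(flags & 0x04),
                   s_flag=bool(flags & 0x02), pn_flag=bool(flags & 0x01),
                   msg_type=msg_type, length=length, teid=teid)
    if hdr.version != 1:
        raise ValueError(f"not GTPv1: version field is {hdr.version}")
    # The optional 4-byte block is present whenever any of E/S/PN is set; all
    # three fields get decoded, even though only the flagged ones are meaningful.
    if hdr.e_flag or hdr.s_flag or hdr.pn_flag:
        if len(buf) < 12:
            raise ValueError("truncated GTPv1 header: optional fields missing")
        hdr.seq, hdr.n_pdu, hdr.next_type = struct.unpack("!HBB", buf[8:12])
    # length counts everything after the mandatory 8-byte header, i.e. it
    # includes the optional block and any extension headers.
    if length > len(buf) - 8:
        raise ValueError(f"length {length} exceeds available bytes {len(buf) - 8}")
    return hdr


def payload_offset(hdr: GtpV1Hdr, buf: bytes) -> int:
    """Offset of the encapsulated payload (for a G-PDU, the inner IP packet).
    Assumption from 3GPP TS 29.060, not from the record docs: each extension
    header is a length byte (4-octet units, covering itself), content, and
    the next extension type, with type 0 ending the chain."""
    off = 12 if hdr.seq is not None else 8
    if hdr.e_flag:
        next_type = hdr.next_type
        while next_type != 0:
            if off >= len(buf):
                raise ValueError("truncated GTPv1 extension header")
            ext_len = buf[off] * 4
            if ext_len == 0 or off + ext_len > len(buf):
                raise ValueError("bad GTPv1 extension header length")
            next_type = buf[off + ext_len - 1]
            off += ext_len
    return off


# Constructed GTP-U G-PDU: flags 0x32 = version 1, PT=1, S=1; length 6 covers
# the 4-byte optional block plus a 2-byte stub of the inner IPv4 packet.
SAMPLE_GPDU = bytes.fromhex("32ff0006" "deadbeef" "00010000" "4500")
# Same without S/E/PN (flags 0x30): no optional block, payload at offset 8.
SAMPLE_PLAIN = bytes.fromhex("30ff0002" "00000001" "4500")

if __name__ == "__main__":
    h = parse_gtpv1_hdr(SAMPLE_GPDU)
    print(h, "payload at offset", payload_offset(h, SAMPLE_GPDU))
```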

http_message_stat
Type:

record

start: time

When the request/reply line was complete.

interrupted: bool

Whether the message was interrupted.

finish_msg: string

Reason phrase if interrupted.

body_length: count

Length of body processed (before finished/interrupted).

content_gap_length: count

Total length of gaps within body_length.

header_length: count

Length of headers (including the req/reply line, but not the CR/LFs).

HTTP message statistics.

See also: http_message_done

http_stats_rec
Type:

record

num_requests: count

Number of requests.

num_replies: count

Number of replies.

request_version: double

HTTP version of the requests.

reply_version: double

HTTP Version of the replies.

HTTP session statistics.

See also: http_stats

icmp6_nd_option
Type:

record

otype: count

8-bit identifier of the type of option.

len: count

8-bit integer representing the length of the option (including the type and length fields) in units of 8 octets.

link_address: string &optional

Source Link-Layer Address (Type 1) or Target Link-Layer Address (Type 2). Byte ordering of this is dependent on the actual link-layer.

prefix: icmp6_nd_prefix_info &optional

Prefix Information (Type 3).

redirect: icmp_context &optional

Redirected header (Type 4). This field contains the context of the original, redirected packet.

mtu: count &optional

Recommended MTU for the link (Type 5).

payload: string &optional

The raw data of the option (everything after type & length fields), useful for unknown option types or when the full option payload is truncated in the captured packet. In those cases, option fields won’t be pre-extracted into the fields above.

Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_redirect, icmp6_nd_options

icmp6_nd_options
Type:vector

A type alias for a vector of ICMPv6 neighbor discovery message options.

icmp6_nd_prefix_info
Type:

record

prefix_len: count

Number of leading bits of the prefix that are valid.

L_flag: bool

Flag indicating the prefix can be used for on-link determination.

A_flag: bool

Autonomous address-configuration flag.

valid_lifetime: interval

Length of time in seconds that the prefix is valid for the purpose of on-link determination (0xffffffff represents infinity).

preferred_lifetime: interval

Length of time in seconds that the addresses generated from the prefix via stateless address autoconfiguration remain preferred (0xffffffff represents infinity).

prefix: addr

An IP address or prefix of an IP address. Use the prefix_len field to convert this into a subnet.

Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.

See also: icmp6_nd_option
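
The two records above, as an added Python example that is not Bro's own code: it parses an ND option block into the same fields, treating len in units of 8 octets, keeping only the raw payload for unknown or truncated options, and turning prefix plus prefix_len into a subnet. The sample option bytes are constructed.

```python
"""Parse ICMPv6 neighbor discovery options (RFC 4861) into the fields of Bro's
icmp6_nd_option and icmp6_nd_prefix_info records.
Added example, not Bro's own code; the sample option bytes are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

ND_OPT_SRC_LLADDR, ND_OPT_TGT_LLADDR, ND_OPT_PREFIX_INFO = 1, 2, 3
ND_OPT_REDIRECT_HDR, ND_OPT_MTU = 4, 5


@dataclass
class PrefixInfo:                 # icmp6_nd_prefix_info
    prefix_len: int
    L_flag: bool
    A_flag: bool
    valid_lifetime: int           # seconds; 0xffffffff means infinity
    preferred_lifetime: int
    prefix: ipaddress.IPv6Address

    def subnet(self) -> ipaddress.IPv6Network:
        """Combine prefix and prefix_len into a subnet, as the record docs suggest."""
        return ipaddress.IPv6Network((self.prefix, self.prefix_len), strict=False)


@dataclass
class NdOption:                   # icmp6_nd_option
    otype: int
    len: int                      # units of 8 octets, including type and length
    link_address: Optional[bytes] = None
    prefix: Optional[PrefixInfo] = None
    mtu: Optional[int] = None
    payload: Optional[bytes] = None   # raw data for unknown or truncated options


def parse_nd_options(buf: bytes) -> List[NdOption]:
    """Parse the option block that follows the fixed part of an ND message."""
    opts: List[NdOption] = []
    off = 0
    while off + 2 <= len(buf):
        otype, olen = buf[off], buf[off + 1]
        if olen == 0:
            break                 # RFC 4861 7.1: zero length is invalid; stop here
        total = olen * 8
        body = buf[off + 2:off + total]
        opt = NdOption(otype=otype, len=olen)
        if off + total > len(buf):
            opt.payload = body    # truncated in the capture: keep raw bytes only
        elif otype in (ND_OPT_SRC_LLADDR, ND_OPT_TGT_LLADDR):
            opt.link_address = body   # byte order depends on the link layer
        elif otype == ND_OPT_PREFIX_INFO and olen == 4:
            plen, flags, valid, pref = struct.unpack("!BBII", body[:10])
            opt.prefix = PrefixInfo(prefix_len=plen, L_flag=bool(flags & 0x80),
                                    A_flag=bool(flags & 0x40), valid_lifetime=valid,
                                    preferred_lifetime=pref,
                                    prefix=ipaddress.IPv6Address(body[14:30]))
        elif otype == ND_OPT_MTU and olen == 1:
            opt.mtu = struct.unpack("!I", body[2:6])[0]
        else:
            opt.payload = body    # redirected header, unknown type, or odd length
        opts.append(opt)
        off += total
    return opts


# Constructed option block from a router advertisement: source link-layer
# address, prefix 2001:db8:0:1::/64 (L+A, valid 3600 s, preferred 1800 s),
# MTU 1500, and a trailing RDNSS option (type 25) cut short by the capture.
SAMPLE_RA_OPTIONS = bytes.fromhex(
    "0101001122334455"
    "030440c0" "00000e10" "00000708" "00000000" "20010db800000001" "0000000000000000"
    "0501" "0000" "000005dc"
    "19030000")
```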

icmp_conn
Type:

record

orig_h: addr

The originator’s IP address.

resp_h: addr

The responder’s IP address.

itype: count

The ICMP type of the packet that triggered the instantiation of the record.

icode: count

The ICMP code of the packet that triggered the instantiation of the record.

len: count

The length of the ICMP payload of the packet that triggered the instantiation of the record.

hlim: count

The encapsulating IP header’s Hop Limit value.

v6: bool

True if it’s an ICMPv6 packet.

Specifics about an ICMP conversation. ICMP events typically pass this in addition to conn_id.

See also: icmp_echo_reply, icmp_echo_request, icmp_redirect, icmp_sent, icmp_time_exceeded, icmp_unreachable

icmp_context
Type:

record

id: conn_id

The packet’s 4-tuple.

len: count

The length of the IP packet (headers + payload).

proto: count

The packet’s transport-layer protocol.

frag_offset: count

The packet’s fragmentation offset.

bad_hdr_len: bool

True if the packet’s IP header is not fully included in the context or if there is not enough of the transport header to determine source and destination ports. If that is the case, the appropriate fields of this record will be set to null values.

bad_checksum: bool

True if the packet’s IP checksum is not correct.

MF: bool

True if the packet’s more fragments flag is set.

DF: bool

True if the packet’s don’t fragment flag is set.

Packet context part of an ICMP message. The fields of this record reflect the packet that is described by the context.

See also: icmp_time_exceeded, icmp_unreachable

icmp_hdr
Type:

record

icmp_type: count

Type of message.

Values extracted from an ICMP header.

See also: pkt_hdr, discarder_check_icmp

id_table
Type:table [string] of script_id

Table type used to map script-level identifiers to meta-information describing them.

See also: global_ids, script_id

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

index_vec
Type:vector

A vector of counts, used by some builtin functions to store a list of indices.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

interconn_endp_stats
Type:

record

num_pkts: count

num_keystrokes_two_in_row: count

num_normal_interarrivals: count

num_8k0_pkts: count

num_8k4_pkts: count

is_partial: bool

num_bytes: count

num_7bit_ascii: count

num_lines: count

num_normal_lines: count

Deprecated.

ip4_hdr
Type:

record

hl: count

Header length in bytes.

tos: count

Type of service.

len: count

Total length.

id: count

Identification.

ttl: count

Time to live.

p: count

Protocol.

src: addr

Source address.

dst: addr

Destination address.

Values extracted from an IPv4 header.

See also: pkt_hdr, ip6_hdr, discarder_check_ip

ip6_ah
Type:

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 4-octet units, excluding first two units.

rsv: count

Reserved field.

spi: count

Security Parameter Index.

seq: count &optional

Sequence number; unset if the len field is zero.

data: string &optional

Authentication data; unset if the len field is zero.

Values extracted from an IPv6 Authentication extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

ip6_dstopts
Type:

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

options: ip6_options

The TLV-encoded options.

Values extracted from an IPv6 Destination options extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr, ip6_option

ip6_esp
Type:

record

spi: count

Security Parameters Index.

seq: count

Sequence number.

Values extracted from an IPv6 ESP extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

ip6_ext_hdr
Type:

record

id: count

The RFC 1700 et seq. IANA assigned number identifying the type of the extension header.

hopopts: ip6_hopopts &optional

Hop-by-hop option extension header.

dstopts: ip6_dstopts &optional

Destination option extension header.

routing: ip6_routing &optional

Routing extension header.

fragment: ip6_fragment &optional

Fragment header.

ah: ip6_ah &optional

Authentication extension header.

esp: ip6_esp &optional

Encapsulating security payload header.

mobility: ip6_mobility_hdr &optional

Mobility header.

A general container for a more specific IPv6 extension header.

See also: pkt_hdr, ip4_hdr, ip6_hopopts, ip6_dstopts, ip6_routing, ip6_fragment, ip6_ah, ip6_esp

ip6_ext_hdr_chain
Type:vector

A type alias for a vector of IPv6 extension headers.

ip6_fragment
Type:

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

rsv1: count

8-bit reserved field.

offset: count

Fragmentation offset.

rsv2: count

2-bit reserved field.

more: bool

More fragments.

id: count

Fragment identification.

Values extracted from an IPv6 Fragment extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

ip6_hdr
Type:

record

class: count

Traffic class.

flow: count

Flow label.

len: count

Payload length.

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number) e.g. IPPROTO_ICMP.

hlim: count

Hop limit.

src: addr

Source address.

dst: addr

Destination address.

exts: ip6_ext_hdr_chain

Extension header chain.

Values extracted from an IPv6 header.

See also: pkt_hdr, ip4_hdr, ip6_ext_hdr, ip6_hopopts, ip6_dstopts, ip6_routing, ip6_fragment, ip6_ah, ip6_esp

ip6_hopopts
Type:

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

options: ip6_options

The TLV-encoded options.

Values extracted from an IPv6 Hop-by-Hop options extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr, ip6_option

ip6_mobility_back
Type:

record

status: count

Status.

k: bool

Key Management Mobility Capability.

seq: count

Sequence number.

life: count

Lifetime.

options: vector

Mobility Options.

Values extracted from an IPv6 Mobility Binding Acknowledgement message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_be
Type:

record

status: count

Status.

hoa: addr

Home Address.

options: vector

Mobility Options.

Values extracted from an IPv6 Mobility Binding Error message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_brr
Type:

record

rsv: count

Reserved.

options: vector

Mobility Options.

Values extracted from an IPv6 Mobility Binding Refresh Request message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_bu
Type:

record

seq: count

Sequence number.

a: bool

Acknowledge bit.

h: bool

Home Registration bit.

l: bool

Link-Local Address Compatibility bit.

k: bool

Key Management Mobility Capability bit.

life: count

Lifetime.

options: vector

Mobility Options.

Values extracted from an IPv6 Mobility Binding Update message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_cot
Type:

record

nonce_idx: count

Care-of Nonce Index.

cookie: count

Care-of Init Cookie.

token: count

Care-of Keygen Token.

options: vector

Mobility Options.

Values extracted from an IPv6 Mobility Care-of Test message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_coti
Type:

record

rsv: count

Reserved.

cookie: count

Care-of Init Cookie.

options: vector

Mobility Options.

Values extracted from an IPv6 Mobility Care-of Test Init message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_hdr
Type:

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

mh_type: count

Mobility header type, used to identify the header’s message.

rsv: count

Reserved field.

chksum: count

Mobility header checksum.

msg: ip6_mobility_msg

Mobility header message.

Values extracted from an IPv6 Mobility header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

ip6_mobility_hot
Type:

record

nonce_idx: count

Home Nonce Index.

cookie: count

Home Init Cookie.

token: count

Home Keygen Token.

options: vector

Mobility Options.

Values extracted from an IPv6 Mobility Home Test message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_hoti
Type:

record

rsv: count

Reserved.

cookie: count

Home Init Cookie.

options: vector

Mobility Options.

Values extracted from an IPv6 Mobility Home Test Init message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_msg
Type:

record

id: count

The type of message from the header’s MH Type field.

brr: ip6_mobility_brr &optional

Binding Refresh Request.

hoti: ip6_mobility_hoti &optional

Home Test Init.

coti: ip6_mobility_coti &optional

Care-of Test Init.

hot: ip6_mobility_hot &optional

Home Test.

cot: ip6_mobility_cot &optional

Care-of Test.

bu: ip6_mobility_bu &optional

Binding Update.

back: ip6_mobility_back &optional

Binding Acknowledgement.

be: ip6_mobility_be &optional

Binding Error.

Values extracted from an IPv6 Mobility header’s message data.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr

ip6_option
Type:

record

otype: count

Option type.

len: count

Option data length.

data: string

Option data.

Values extracted from the option field of an IPv6 extension header (e.g. a hop-by-hop or destination options header).

See also: ip6_hdr, ip6_ext_hdr, ip6_hopopts, ip6_dstopts

ip6_options
Type:vector

A type alias for a vector of IPv6 options.

ip6_routing
Type:

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

rtype: count

Routing type.

segleft: count

Segments left.

data: string

Type-specific data.

Values extracted from an IPv6 Routing extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr
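
The IPv6 extension header records above (ip6_hopopts, ip6_dstopts, ip6_routing, ip6_fragment, ip6_ah, ip6_esp and ip6_option), as an added Python example that is not Bro's own code: it walks the chain the way an ip6_ext_hdr_chain is built, applying each header's own length units (8-octet units excluding the first for the options, routing and mobility headers; 4-octet units excluding the first two for AH; a fixed 8 bytes for the fragment header; no length at all for ESP). The sample packets are constructed.

```python
"""Walk an IPv6 extension header chain into the fields of Bro's ip6_hopopts,
ip6_dstopts, ip6_routing, ip6_fragment, ip6_ah and ip6_esp records (ip6_option
for TLV options). Added example, not Bro's own code; samples are constructed."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 43, 44
IPPROTO_ESP, IPPROTO_AH, IPPROTO_DSTOPTS, IPPROTO_MOBILITY = 50, 51, 60, 135
EXT_HDRS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT,
            IPPROTO_ESP, IPPROTO_AH, IPPROTO_DSTOPTS, IPPROTO_MOBILITY}

@dataclass
class Ip6Option:                          # ip6_option
    otype: int
    len: int
    data: bytes

@dataclass
class Ip6ExtHdr:                          # one element of an ip6_ext_hdr_chain
    id: int                               # IANA number of this extension header
    nxt: Optional[int] = None
    len: Optional[int] = None             # raw length field; units depend on type
    options: List[Ip6Option] = field(default_factory=list)   # hopopts / dstopts
    rtype: Optional[int] = None           # routing
    segleft: Optional[int] = None
    data: Optional[bytes] = None          # routing data or AH authentication data
    offset: Optional[int] = None          # fragment
    more: Optional[bool] = None
    frag_id: Optional[int] = None
    spi: Optional[int] = None             # AH / ESP
    seq: Optional[int] = None

def parse_options(buf: bytes) -> List[Ip6Option]:
    """TLV options of a hop-by-hop/destination header; Pad1 (type 0) has no length."""
    opts, off = [], 0
    while off < len(buf):
        otype = buf[off]
        if otype == 0:
            opts.append(Ip6Option(0, 0, b""))
            off += 1
            continue
        if off + 2 > len(buf):
            raise ValueError("truncated option")
        olen = buf[off + 1]
        data = buf[off + 2:off + 2 + olen]
        if len(data) != olen:
            raise ValueError("option length exceeds header")
        opts.append(Ip6Option(otype, olen, data))
        off += 2 + olen
    return opts

def parse_ext_chain(nxt: int, buf: bytes) -> Tuple[List[Ip6ExtHdr], int, int]:
    """From the IPv6 header's nxt and the bytes after the fixed 40-byte header,
    return (chain, upper-layer protocol number, payload offset)."""
    chain: List[Ip6ExtHdr] = []
    off = 0
    while nxt in EXT_HDRS:
        if nxt == IPPROTO_ESP:
            # ESP has no length field and everything after it is encrypted:
            # the chain ends here with just SPI and sequence number.
            spi, seq = struct.unpack("!II", buf[off:off + 8])
            chain.append(Ip6ExtHdr(id=nxt, spi=spi, seq=seq))
            return chain, IPPROTO_ESP, off + 8
        if off + 2 > len(buf):
            raise ValueError("truncated extension header")
        hdr_nxt, hdr_len = buf[off], buf[off + 1]
        if nxt == IPPROTO_AH:
            total = (hdr_len + 2) * 4         # 4-octet units, excluding the first two
        elif nxt == IPPROTO_FRAGMENT:
            total = 8                         # fixed size; byte 1 is reserved
        else:
            total = (hdr_len + 1) * 8         # 8-octet units, excluding the first
        if off + total > len(buf):
            raise ValueError("extension header length exceeds packet")
        body = buf[off:off + total]
        h = Ip6ExtHdr(id=nxt, nxt=hdr_nxt, len=hdr_len)
        if nxt in (IPPROTO_HOPOPTS, IPPROTO_DSTOPTS):
            h.options = parse_options(body[2:])
        elif nxt == IPPROTO_ROUTING:
            h.rtype, h.segleft, h.data = body[2], body[3], body[4:]
        elif nxt == IPPROTO_FRAGMENT:
            h.len = None                      # no length field in a fragment header
            frag_field, h.frag_id = struct.unpack("!HI", body[2:])
            h.offset, h.more = frag_field >> 3, bool(frag_field & 1)
        elif nxt == IPPROTO_AH:
            h.spi = struct.unpack("!I", body[4:8])[0]
            if hdr_len:                       # seq and data are unset when len is 0
                h.seq, h.data = struct.unpack("!I", body[8:12])[0], body[12:]
        chain.append(h)                       # mobility: length only, msg not decoded
        off += total
        nxt = hdr_nxt
    return chain, nxt, off

# Constructed samples of the bytes after the fixed IPv6 header:
# hop-by-hop (one PadN option) -> fragment (first piece, M=1) -> ICMPv6 (58),
# and AH (len=4 -> 24 bytes incl. a 12-byte ICV) -> ICMPv6 (58).
SAMPLE_HOP_FRAG = bytes.fromhex("2c00" "01040000" "0000"     # hopopts: nxt=44, len=0
                                "3a00" "0001" "12345678"    # fragment: nxt=58
                                "80000000")                 # ICMPv6 echo request
SAMPLE_AH = (bytes.fromhex("3a04" "0000" "00000100" "00000001") + b"\xaa" * 12
             + bytes.fromhex("80000000"))
```

A chain that repeats a header type, or places a hop-by-hop header anywhere but first, violates RFC 8200 and is worth flagging from the chain this returns.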

irc_join_info
Type:

record

nick: string

channel: string

password: string

usermode: string

IRC join information.

See also: irc_join_list

irc_join_list
Type:set [irc_join_info]

Set of IRC join information.

See also: irc_join_message

load_sample_info
Type:set [string]
matcher_stats
Type:

record

matchers: count

Number of distinct RE matchers.

dfa_states: count

Number of DFA states across all matchers.

computed: count

Number of computed DFA state transitions.

mem: count

Number of bytes used by DFA states.

hits: count

Number of cache hits.

misses: count

Number of cache misses.

avg_nfa_states: count

Average number of NFA states across all matchers.

Summary statistics of all regular expression matchers.

See also: get_matcher_stats

mime_header_list
Type:table [count] of mime_header_rec

A list of MIME headers.

See also: mime_header_rec, http_all_headers, mime_all_headers

mime_header_rec
Type:

record

name: string

The header name.

value: string

The header value.

A MIME header key/value pair.

See also: mime_header_list, http_all_headers, mime_all_headers, mime_one_header

mime_match
Type:

record

strength: int

How strongly the signature matched. Used for prioritization when multiple file magic signatures match.

mime: string

The MIME type of the file magic signature match.

A structure indicating a MIME type and strength of a match against file magic signatures.

See also: file_magic

mime_matches
Type:vector

A vector of file magic signature matches, ordered by strength of the signature, strongest first.

See also: file_magic

nf_v5_header
Type:

record

h_id: nfheader_id

ID for sorting.

cnt: count

TODO.

sysuptime: interval

Router’s uptime.

exporttime: time

When the data was exported.

flow_seq: count

Sequence number.

eng_type: count

Engine type.

eng_id: count

Engine ID.

sample_int: count

Sampling interval.

exporter: addr

Exporter address.

A NetFlow v5 header.

See also: netflow_v5_header

nf_v5_record
Type:

record

h_id: nfheader_id

ID for sorting.

id: conn_id

Connection ID.

nexthop: addr

Address of next hop.

input: count

Input interface.

output: count

Output interface.

pkts: count

Number of packets.

octets: count

Number of bytes.

first: time

Timestamp of first packet.

last: time

Timestamp of last packet.

tcpflag_fin: bool

FIN flag for TCP flows.

tcpflag_syn: bool

SYN flag for TCP flows.

tcpflag_rst: bool

RST flag for TCP flows.

tcpflag_psh: bool

PSH flag for TCP flows.

tcpflag_ack: bool

ACK flag for TCP flows.

tcpflag_urg: bool

URG flag for TCP flows.

proto: count

IP protocol.

tos: count

Type of service.

src_as: count

Source AS.

dst_as: count

Destination AS.

src_mask: count

Source mask.

dst_mask: count

Destination mask.

A NetFlow v5 record.

See also: netflow_v5_record

nfheader_id
Type:

record

rcvr_id: string

Name of the NetFlow file (e.g., netflow.dat) or the receiving socket address (e.g., 127.0.0.1:5555), or an explicit name if specified to -y or -Y.

pdu_id: count

A serial number, ignoring any overflows.

ID for NetFlow header. This is primarily a means to sort together NetFlow headers and flow records at the script level.

ntp_msg
Type:

record

id: count

Message ID.

code: count

Message code.

stratum: count

Stratum.

poll: count

Poll.

precision: int

Precision.

distance: interval

Distance.

dispersion: interval

Dispersion.

ref_t: time

Reference time.

originate_t: time

Originating time.

receive_t: time

Receive time.

xmit_t: time

Send time.

An NTP message.

See also: ntp_message

packet
Type:

record

conn: connection

is_orig: bool

seq: count

seq = k means this is the k-th packet of the connection.

timestamp: time

Deprecated.

Todo

Remove. It’s still declared internally but doesn’t seem used anywhere else.

pcap_packet
Type:

record

ts_sec: count

The non-fractional part of the packet’s timestamp (i.e., full seconds since the epoch).

ts_usec: count

The fractional part of the packet’s timestamp.

caplen: count

The number of bytes captured (<= len).

len: count

The length of the packet in bytes, including link-level header.

data: string

The payload of the packet, including link-level header.

Policy-level representation of a packet passed on by libpcap. The data includes the complete packet as returned by libpcap, including the link-layer header.

See also: dump_packet, get_current_packet

peer_id
Type:count

A locally unique ID identifying a communication peer. The ID is returned by connect.

See also: connect, Communication

pkt_hdr
Type:

record

ip: ip4_hdr &optional

The IPv4 header if an IPv4 packet.

ip6: ip6_hdr &optional

The IPv6 header if an IPv6 packet.

tcp: tcp_hdr &optional

The TCP header if a TCP packet.

udp: udp_hdr &optional

The UDP header if a UDP packet.

icmp: icmp_hdr &optional

The ICMP header if an ICMP packet.

A packet header, consisting of an IP header and transport-layer header.

See also: new_packet

pkt_profile_modes
Type:

enum

PKT_PROFILE_MODE_NONE

No output.

PKT_PROFILE_MODE_SECS

Output every pkt_profile_freq seconds.

PKT_PROFILE_MODE_PKTS

Output every pkt_profile_freq packets.

PKT_PROFILE_MODE_BYTES

Output every pkt_profile_freq bytes.

Output modes for packet profiling information.

See also: pkt_profile_mode, pkt_profile_freq, pkt_profile_file

pm_callit_request
Type:

record

program: count

The RPC program.

version: count

The program version.

proc: count

The procedure being called.

arg_size: count

The size of the argument.

An RPC portmapper callit request.

See also: pm_attempt_callit, pm_request_callit

pm_mapping
Type:

record

program: count

The RPC program.

version: count

The program version.

p: port

The port.

An RPC portmapper mapping.

See also: pm_mappings

pm_mappings
Type:table [count] of pm_mapping

Table of RPC portmapper mappings.

See also: pm_request_dump

pm_port_request
Type:

record

program: count

The RPC program.

version: count

The program version.

is_tcp: bool

True if using TCP.

An RPC portmapper request.

See also: pm_attempt_getport, pm_request_getport

record_field
Type:

record

type_name: string

The name of the field’s type.

log: bool

True if the field is declared with &log attribute.

value: any &optional

The current value of the field in the record instance passed into record_fields (if it has one).

default_val: any &optional

The value of the &default attribute if defined.

Meta-information about a record field.

See also: record_fields, record_field_table

record_field_table
Type:table [string] of record_field

Table type used to map record field declarations to meta-information describing them.

See also: record_fields, record_field

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

rotate_info
Type:

record

old_name: string

Original filename.

new_name: string

File name after rotation.

open: time

Time when opened.

close: time

Time when closed.

Deprecated.

See also: rotate_file, rotate_file_by_name, rotate_interval

script_id
Type:

record

type_name: string

The name of the identifier’s type.

exported: bool

True if the identifier is exported.

constant: bool

True if the identifier is a constant.

enum_constant: bool

True if the identifier is an enum value.

redefinable: bool

True if the identifier is declared with the &redef attribute.

value: any &optional

The current value of the identifier.

Meta-information about a script-level identifier.

See also: global_ids, id_table

signature_state
Type:

record

sig_id: string

ID of the matching signature.

conn: connection

Matching connection.

is_orig: bool

True if matching endpoint is originator.

payload_size: count

Payload size of the first matching packet of the current endpoint.

Description of a signature match.

See also: signature_match

smb_hdr
Type:

record

command: count

The command number (see samba_cmds).

status: count

The status code.

flags: count

Flag set 1.

flags2: count

Flag set 2.

tid: count

TODO.

pid: count

Process ID.

uid: count

User ID.

mid: count

TODO.

An SMB command header.

See also: smb_com_close, smb_com_generic_andx, smb_com_logoff_andx, smb_com_negotiate, smb_com_negotiate_response, smb_com_nt_create_andx, smb_com_read_andx, smb_com_setup_andx, smb_com_trans_mailslot, smb_com_trans_pipe, smb_com_trans_rap, smb_com_transaction, smb_com_transaction2, smb_com_tree_connect_andx, smb_com_tree_disconnect, smb_com_write_andx, smb_error, smb_get_dfs_referral, smb_message

smb_negotiate
Type:table [count] of string

Deprecated.

Todo

Remove. It’s still declared internally but doesn’t seem used anywhere else.

smb_trans
Type:

record

word_count: count

TODO.

total_param_count: count

TODO.

total_data_count: count

TODO.

max_param_count: count

TODO.

max_data_count: count

TODO.

max_setup_count: count

TODO.

param_count: count

TODO.

param_offset: count

TODO.

data_count: count

TODO.

data_offset: count

TODO.

setup_count: count

TODO.

setup0: count

TODO.

setup1: count

TODO.

setup2: count

TODO.

setup3: count

TODO.

byte_count: count

TODO.

parameters: string

TODO.

An SMB transaction.

See also: smb_com_trans_mailslot, smb_com_trans_pipe, smb_com_trans_rap, smb_com_transaction, smb_com_transaction2

smb_trans_data
Type:

record

data: string

The transaction’s data.

SMB transaction data.

See also: smb_com_trans_mailslot, smb_com_trans_pipe, smb_com_trans_rap, smb_com_transaction, smb_com_transaction2

Todo

Should this really be a record type?

smb_tree_connect
Type:

record

flags: count

password: string

path: string

service: string

Deprecated.

Todo

Remove. It’s still declared internally but doesn’t seem used anywhere else.

software
Type:

record

name: string

version: software_version

software_version
Type:

record

major: int

minor: int

minor2: int

addl: string

string_array
Type:table [count] of string

An ordered array of strings. The entries are indexed by successive numbers. Note that it depends on the usage whether the first index is zero or one.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_set
Type:set [string]

A set of strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_vec
Type:vector

A vector of strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

sw_align
Type:

record

str: string

The string that the substring is part of.

index: count

The offset at which the substring is located.

Helper type for return value of Smith-Waterman algorithm.

See also: str_smith_waterman, sw_substring_vec, sw_substring, sw_align_vec, sw_params

sw_align_vec
Type:vector

Helper type for return value of Smith-Waterman algorithm.

See also: str_smith_waterman, sw_substring_vec, sw_substring, sw_align, sw_params

sw_params
Type:

record

min_strlen: count &default = 3 &optional

Minimum size of a substring, minimum “granularity”.

sw_variant: count &default = 0 &optional

Smith-Waterman flavor to use.

Parameters for the Smith-Waterman algorithm.

See also: str_smith_waterman

sw_substring
Type:

record

str: string

A substring.

aligns: sw_align_vec

All strings of which it’s a substring.

new: bool

True if this is the start of a new alignment.

Helper type for return value of Smith-Waterman algorithm.

See also: str_smith_waterman, sw_substring_vec, sw_align_vec, sw_align, sw_params

sw_substring_vec
Type:vector

Return type for Smith-Waterman algorithm.

See also: str_smith_waterman, sw_substring, sw_align_vec, sw_align, sw_params

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

table_string_of_string
Type:table [string] of string

A table of strings indexed by strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

tcp_hdr
Type:

record

sport: port

Source port.

dport: port

Destination port.

seq: count

Sequence number.

ack: count

Acknowledgement number.

hl: count

Header length (in bytes).

dl: count

Data length (note: not a field of the on-wire TCP header).

flags: count

TCP flags.

win: count

Window size.

Values extracted from a TCP header.

See also: pkt_hdr, discarder_check_tcp

teredo_auth
Type:

record

id: string

Teredo client identifier.

value: string

HMAC-SHA1 over shared secret key between client and server, nonce, confirmation byte, origin indication (if present), and the IPv6 packet.

nonce: count

Nonce chosen by Teredo client to be repeated by Teredo server.

confirm: count

Confirmation byte to be set to 0 by Teredo client and non-zero by server if client needs new key.

A Teredo authentication header. See RFC 4380 for more information about the Teredo protocol.

See also: teredo_bubble, teredo_origin_indication, teredo_authentication, teredo_hdr

teredo_hdr
Type:

record

auth: teredo_auth &optional

Teredo authentication header.

origin: teredo_origin &optional

Teredo origin indication header.

hdr: pkt_hdr

IPv6 and transport protocol headers.

A Teredo packet header. See RFC 4380 for more information about the Teredo protocol.

See also: teredo_bubble, teredo_origin_indication, teredo_authentication

teredo_origin
Type:

record

p: port

Unobfuscated UDP port of Teredo client.

a: addr

Unobfuscated IPv4 address of Teredo client.

A Teredo origin indication header. See RFC 4380 for more information about the Teredo protocol.

See also: teredo_bubble, teredo_origin_indication, teredo_authentication, teredo_hdr

transport_proto
Type:

enum

unknown_transport

An unknown transport-layer protocol.

tcp

TCP.

udp

UDP.

icmp

ICMP.

A connection’s transport-layer protocol. Note that Bro uses the term “connection” broadly, using flow semantics for ICMP and UDP.

udp_hdr
Type:

record

sport: port

Source port.

dport: port

Destination port.

ulen: count

UDP length.

Values extracted from a UDP header.

See also: pkt_hdr, discarder_check_udp

var_sizes
Type:table [string] of count

Table type used to map variable names to their memory allocation.

See also: global_sizes

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

x509_opaque_vector
Type:vector

A vector of x509 opaques.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

Functions

add_interface
Type:function (iold: string, inew: string) : string

Internal function.

add_signature_file
Type:function (sold: string, snew: string) : string

Internal function.

append_addl
Type:function (c: connection, addl: string) : void

Deprecated.

append_addl_marker
Type:function (c: connection, addl: string, marker: string) : void

Deprecated.

discarder_check_icmp
Type:function (p: pkt_hdr) : bool

Function for skipping packets based on their ICMP header. If defined, this function will be called for all ICMP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

p: The IP and ICMP headers of the considered packet.
Returns: True if the packet should not be analyzed any further.

See also: discarder_check_ip, discarder_check_tcp, discarder_check_udp, discarder_maxlen

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_ip
Type:function (p: pkt_hdr) : bool

Function for skipping packets based on their IP header. If defined, this function will be called for all IP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

p: The IP header of the considered packet.
Returns: True if the packet should not be analyzed any further.

See also: discarder_check_tcp, discarder_check_udp, discarder_check_icmp, discarder_maxlen

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_tcp
Type:function (p: pkt_hdr, d: string) : bool

Function for skipping packets based on their TCP header. If defined, this function will be called for all TCP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

p: The IP and TCP headers of the considered packet.
d: Up to discarder_maxlen bytes of the TCP payload.
Returns: True if the packet should not be analyzed any further.

See also: discarder_check_ip, discarder_check_udp, discarder_check_icmp, discarder_maxlen

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_udp
Type:function (p: pkt_hdr, d: string) : bool

Function for skipping packets based on their UDP header. If defined, this function will be called for all UDP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

p: The IP and UDP headers of the considered packet.
d: Up to discarder_maxlen bytes of the UDP payload.
Returns: True if the packet should not be analyzed any further.

See also: discarder_check_ip, discarder_check_tcp, discarder_check_icmp, discarder_maxlen

Note

This is very low-level functionality and potentially expensive. Avoid using it.
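As an added example (not part of Bro's init-bare.bro or its distributed scripts), a script-level definition of discarder_check_ip that keeps packets to or from known bulk-transfer subnets away from every analyzer, and counts what was dropped so the resulting monitoring blind spot is visible at shutdown; the name discard_bulk_nets and the subnet values are constructed for illustration.

```bro
# Added example: a site-defined discarder_check_ip. Not part of Bro itself.

# Constructed values: subnets whose bulk traffic (e.g. nightly backups) we
# deliberately skip to save analyzer cycles. &redef lets a site override it.
const discard_bulk_nets: set[subnet] = {
	10.200.0.0/16,
	[2001:db8:200::]/48,
} &redef;

# Number of packets dropped by the discarder, kept so the blind spot is
# reported rather than silently introduced.
global discarded_pkts: count = 0;

# Bro calls this for every IP packet before any further analysis. Returning T
# drops the packet from all subsequent processing; F hands it on unchanged.
function discarder_check_ip(p: pkt_hdr): bool
	{
	local drop = F;

	if ( p?$ip )
		drop = p$ip$src in discard_bulk_nets || p$ip$dst in discard_bulk_nets;
	else if ( p?$ip6 )
		drop = p$ip6$src in discard_bulk_nets || p$ip6$dst in discard_bulk_nets;

	if ( drop )
		++discarded_pkts;

	return drop;
	}

# Surface the discarded count via the reporter so operators can see how much
# traffic never reached the analyzers.
event bro_done()
	{
	if ( discarded_pkts > 0 )
		Reporter::info(fmt("discarder_check_ip dropped %d packets from bulk subnets",
		                   discarded_pkts));
	}
```

Because the check runs for every IP packet, keep its body to cheap set lookups as above; anything heavier compounds the cost the Note warns about.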

log_file_name
Type:function (tag: string) : string
Attributes:&redef

Deprecated. This is superseded by the new logging framework.

max_count
Type:function (a: count, b: count) : count

Returns maximum of two count values.

a: First value.
b: Second value.
Returns: The maximum of a and b.

max_double
Type:function (a: double, b: double) : double

Returns maximum of two double values.

a: First value.
b: Second value.
Returns: The maximum of a and b.

max_interval
Type:function (a: interval, b: interval) : interval

Returns maximum of two interval values.

a: First value.
b: Second value.
Returns: The maximum of a and b.

min_count
Type:function (a: count, b: count) : count

Returns minimum of two count values.

a: First value.
b: Second value.
Returns: The minimum of a and b.

min_double
Type:function (a: double, b: double) : double

Returns minimum of two double values.

a: First value.
b: Second value.
Returns: The minimum of a and b.

min_interval
Type:function (a: interval, b: interval) : interval

Returns minimum of two interval values.

a: First value.
b: Second value.
Returns: The minimum of a and b.

open_log_file
Type:function (tag: string) : file
Attributes:&redef

Deprecated. This is superseded by the new logging framework.

Copyright 2013, The Bro Project. Last updated on June 15, 2015. Created using Sphinx 1.2.2.