- ts: time &log &optional
An absolute time indicating when the notice occurred,
defaults to the current network time.
- uid: string &log &optional
A connection UID which uniquely identifies the endpoints
concerned with the notice.
- id: conn_id &log &optional
A connection 4-tuple identifying the endpoints concerned
with the notice.
- conn: connection &optional
A shorthand way of giving the uid and id to a notice. The
reference to the actual connection will be deleted after
applying the notice policy.
- iconn: icmp_conn &optional
A shorthand way of giving the uid and id to a notice. The
reference to the actual connection will be deleted after
applying the notice policy.
- f: fa_file &optional
A file record if the notice is related to a file. The
reference to the actual fa_file record will be deleted after
applying the notice policy.
- fuid: string &log &optional
A file unique ID if this notice is related to a file. If
the f field is provided, this will be automatically filled
out.
- file_mime_type: string &log &optional
A mime type if the notice is related to a file. If the f
field is provided, this will be automatically filled out.
- file_desc: string &log &optional
Frequently files can be “described” to give a bit more
context. This field will typically be automatically filled
out from an fa_file record. For example, if a notice was
related to a file over HTTP, the URL of the request would
be shown.
- proto: transport_proto &log &optional
The transport protocol. Filled automatically when either
conn, iconn or p is specified.
- note: Notice::Type &log
The Notice::Type of the notice.
- msg: string &log &optional
The human readable message for the notice.
- sub: string &log &optional
The human readable sub-message.
- src: addr &log &optional
Source address, if we don’t have a conn_id.
- dst: addr &log &optional
Destination address.
- p: port &log &optional
Associated port, if we don’t have a conn_id.
- n: count &log &optional
Associated count, or perhaps a status code.
- src_peer: event_peer &optional
Peer that raised this notice.
- peer_descr: string &log &optional
Textual description for the peer that raised this notice.
- actions: Notice::ActionSet &log &default = set() &optional
The actions which have been applied to this notice.
- email_body_sections: vector &optional
By adding chunks of text into this element, other scripts
can expand on notices that are being emailed. The normal
way to add text is to extend the vector by handling the
Notice::notice event and modifying the notice in
place.
- email_delay_tokens: set[string] &optional
Adding a string “token” to this set will cause the notice
framework’s built-in emailing functionality to delay sending
the email until either the token has been removed or the
email has been delayed for Notice::max_email_delay.
- identifier: string &optional
This field is to be provided when a notice is generated for
the purpose of deduplicating notices. The identifier string
should be unique for a single instance of the notice. This
field should be filled out in almost all cases when
generating notices to define when a notice is conceptually
a duplicate of a previous notice.
For example, an SSL certificate that is going to expire soon
should always have the same identifier no matter the client
IP address that connected and resulted in the certificate
being exposed. In this case, the resp_h, resp_p, and hash
of the certificate would be used to create this value. The
hash of the cert is included because servers can return
multiple certificates on the same port.
Another example might be a host downloading a file which
triggered a notice because the MD5 sum of the file it
downloaded was known by some set of intelligence. In that
case, the orig_h (client) and MD5 sum would be used in this
field to dedup because if the same file is downloaded over
and over again you really only want to know about it a
single time. This makes it possible to send those notices
to email without worrying so much about sending thousands
of emails.
- suppress_for: interval &log &default = Notice::default_suppression_interval &optional
This field indicates the length of time that this
unique notice should be suppressed.
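The following Bro script is an added example, not part of the Bro/Zeek distribution or of this reference page. It shows how the fields above fit together: a notice is raised with an identifier built from the client address and the file's MD5 (the dedup pattern described for the identifier field) and an explicit suppress_for, and a Notice::policy hook then adds the email action, appends to email_body_sections, and uses an email_delay_tokens token to hold the email until a reverse DNS lookup finishes. The Notice::Type Example::Watched_File_Download, the watched_md5 set and its placeholder hash are constructed for this example.

```zeek
##! Added example (not part of the Bro/Zeek distribution): raise a notice
##! with a dedup identifier, then shape its email in Notice::policy.
##! Example::Watched_File_Download and the watch-list hashes are constructed.

@load base/frameworks/notice
@load base/frameworks/files

module Example;

export {
    redef enum Notice::Type += {
        ## A file whose MD5 is on the constructed watch list was downloaded.
        Watched_File_Download,
    };

    ## Constructed placeholder hashes; a real deployment would populate
    ## this from the Intelligence framework or a local data file.
    const watched_md5: set[string] = {
        "00000000000000000000000000000000",
    } &redef;
}

event file_hash(f: fa_file, kind: string, hash: string)
    {
    if ( kind != "md5" || hash !in watched_md5 || ! f?$conns )
        return;

    # One notice per connection that carried the file. The identifier
    # follows the dedup guidance for Notice::Info$identifier: client
    # address plus MD5, so repeated downloads of the same file by the same
    # host collapse into a single notice for the suppression window.
    for ( cid in f$conns )
        {
        NOTICE([$note=Watched_File_Download,
                $msg=fmt("download of watched file (md5 %s)", hash),
                $sub=f$source,
                $f=f,                       # fills fuid/file_mime_type/file_desc
                $conn=f$conns[cid],         # fills uid/id/src/dst/proto
                $identifier=cat(cid$orig_h, hash),
                $suppress_for=1day]);
        }
    }

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != Watched_File_Download )
        return;

    # Escalate to email in addition to the default log action.
    add n$actions[Notice::ACTION_EMAIL];

    # Both the vector and the set are &optional, so initialise before use.
    if ( ! n?$email_body_sections )
        n$email_body_sections = vector();
    if ( ! n?$email_delay_tokens )
        n$email_delay_tokens = set();

    # file_desc was filled from the fa_file record (e.g. the HTTP URL).
    if ( n?$file_desc )
        n$email_body_sections[|n$email_body_sections|] =
            fmt("File description: %s", n$file_desc);

    if ( ! n?$src )
        return;

    # Hold the email until the reverse lookup of the client completes
    # (or Notice::max_email_delay elapses), then release the token.
    add n$email_delay_tokens["reverse-dns"];

    when ( local name = lookup_addr(n$src) )
        {
        n$email_body_sections[|n$email_body_sections|] =
            fmt("Client reverse DNS: %s", name);
        delete n$email_delay_tokens["reverse-dns"];
        }
    timeout 5sec
        {
        delete n$email_delay_tokens["reverse-dns"];
        }
    }
```

Because conn is passed, the framework derives uid, id, src, dst and proto itself and drops the connection reference once the policy has run, so the hook works only with the logged fields. The timeout branch matters: without it a failed lookup would leave the token in place and the email would wait the full Notice::max_email_delay.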
- dropped: bool &log &default = F &optional
(present if base/frameworks/notice/actions/drop.bro is loaded)
Indicates whether the $src IP address was dropped and denied
network access.
- remote_location: geo_location &log &optional
(present if base/frameworks/notice/actions/add-geodata.bro is loaded)
If libGeoIP support is built in, notices can have geographic
information attached to them.