
# -*- coding: utf-8 -*-
# pylint: disable=line-too-long,import-error
"""Namespace: ``Notice``."""

from zlogging._compat import enum


@enum.unique
class Action(enum.IntFlag):
    """Enum: ``Notice::Action``.

    Values representing the actions that can be taken with a notice.
    Members are bit flags, so several actions can be combined with ``|``.

    See Also:
        `base/frameworks/notice/main.zeek <https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Action>`__

    """

    #: No action is to be taken.
    ACTION_NONE = enum.auto()

    #: Send the notice to the notice logging stream.
    ACTION_LOG = enum.auto()

    #: Send the notice to the email address(es) configured in the
    #: ``Notice::mail_dest`` variable.
    ACTION_EMAIL = enum.auto()

    #: Alarm on the notice. A readable ASCII version of the alarm log is
    #: emailed in bulk to the address(es) configured in ``Notice::mail_dest``.
    ACTION_ALARM = enum.auto()

    #: (present if base/frameworks/notice/actions/email_admin.zeek is loaded)
    #: Address the generated email to the appropriate email addresses as
    #: found by the ``Site::get_emails`` function, based on the relevant
    #: address or addresses indicated in the notice.
    ACTION_EMAIL_ADMIN = enum.auto()

    #: (present if base/frameworks/notice/actions/page.zeek is loaded)
    #: Send the notice to the pager email address configured in the
    #: ``Notice::mail_page_dest`` variable.
    ACTION_PAGE = enum.auto()

    #: (present if base/frameworks/notice/actions/add-geodata.zeek is loaded)
    #: Add geodata for the "remote" host to the notice. ``Site::local_nets``
    #: must be defined for this to work.
    ACTION_ADD_GEODATA = enum.auto()

    #: (present if policy/frameworks/notice/actions/drop.zeek is loaded)
    #: Drop the address via ``NetControl::drop_address_catch_release``.
    ACTION_DROP = enum.auto()
@enum.unique
class Type(enum.IntFlag):
    """Enum: ``Notice::Type``.

    Scripts that create new notices need to redef this enum to add their
    own specific notice types, which are then used when they call the
    ``NOTICE`` function. By convention a type gives a general category
    followed by the specific notice, with words separated by underscores
    and each word leading-capitalised, except for abbreviations, which
    stay fully capitalised. For example, ``SSH::Password_Guessing`` is
    for hosts that have crossed a threshold of failed SSH logins.

    Members are bit flags, so several types can be combined with ``|``.

    See Also:
        `base/frameworks/notice/main.zeek <https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Type>`__

    """

    #: Reports a count of how often a notice occurred.
    Tally = enum.auto()

    #: ``Weird::Activity``
    #: (present if base/frameworks/notice/weird.zeek is loaded)
    #: Generic weird activity that is unusual but notice-worthy.
    Weird__Activity = enum.auto()

    #: ``Signatures::Sensitive_Signature``
    #: (present if base/frameworks/signatures/main.zeek is loaded)
    #: Generic type for notice-worthy signature matches.
    Signatures__Sensitive_Signature = enum.auto()

    #: ``Signatures::Multiple_Signatures``
    #: (present if base/frameworks/signatures/main.zeek is loaded)
    #: A host triggered many signatures against the same host; the number
    #: of signatures is defined by ``Signatures::vert_scan_thresholds``.
    Signatures__Multiple_Signatures = enum.auto()

    #: ``Signatures::Multiple_Sig_Responders``
    #: (present if base/frameworks/signatures/main.zeek is loaded)
    #: A host triggered the same signature on multiple hosts, as defined by
    #: ``Signatures::horiz_scan_thresholds``.
    Signatures__Multiple_Sig_Responders = enum.auto()

    #: ``Signatures::Count_Signature``
    #: (present if base/frameworks/signatures/main.zeek is loaded)
    #: The same signature triggered multiple times for a host; the count is
    #: defined by ``Signatures::count_thresholds``. The
    #: ``Signatures::SIG_COUNT_PER_RESP`` action must be set for the
    #: signature for this notice to be generated.
    Signatures__Count_Signature = enum.auto()

    #: ``Signatures::Signature_Summary``
    #: (present if base/frameworks/signatures/main.zeek is loaded)
    #: Summary of how many times a host triggered a signature; the interval
    #: between summaries is defined by ``Signatures::summary_interval``.
    Signatures__Signature_Summary = enum.auto()

    #: ``PacketFilter::Compile_Failure``
    #: (present if base/frameworks/packet-filter/main.zeek is loaded)
    #: A packet filter could not be compiled.
    PacketFilter__Compile_Failure = enum.auto()

    #: ``PacketFilter::Install_Failure``
    #: (present if base/frameworks/packet-filter/main.zeek is loaded)
    #: A packet filter failed to install.
    PacketFilter__Install_Failure = enum.auto()

    #: ``PacketFilter::Too_Long_To_Compile_Filter``
    #: (present if base/frameworks/packet-filter/main.zeek is loaded)
    #: Raised when a notice takes too long to compile.
    PacketFilter__Too_Long_To_Compile_Filter = enum.auto()

    #: ``PacketFilter::Dropped_Packets``
    #: (present if base/frameworks/packet-filter/netstats.zeek is loaded)
    #: Packets were dropped by the packet filter.
    PacketFilter__Dropped_Packets = enum.auto()

    #: ``ProtocolDetector::Protocol_Found``
    #: (present if policy/frameworks/dpd/detect-protocols.zeek is loaded)
    ProtocolDetector__Protocol_Found = enum.auto()

    #: ``ProtocolDetector::Server_Found``
    #: (present if policy/frameworks/dpd/detect-protocols.zeek is loaded)
    ProtocolDetector__Server_Found = enum.auto()

    #: ``Intel::Notice``
    #: (present if policy/frameworks/intel/do_notice.zeek is loaded)
    #: Generated when an intelligence indicator is denoted to be
    #: notice-worthy.
    Intel__Notice = enum.auto()

    #: ``TeamCymruMalwareHashRegistry::Match``
    #: (present if policy/frameworks/files/detect-MHR.zeek is loaded)
    #: The hash of a file transferred over HTTP matched in the malware
    #: hash registry.
    TeamCymruMalwareHashRegistry__Match = enum.auto()

    #: ``PacketFilter::No_More_Conn_Shunts_Available``
    #: (present if policy/frameworks/packet-filter/shunt.zeek is loaded)
    #: ``PacketFilter::max_bpf_shunts`` connections are already being
    #: shunted with BPF filters and no more are allowed.
    PacketFilter__No_More_Conn_Shunts_Available = enum.auto()

    #: ``PacketFilter::Cannot_BPF_Shunt_Conn``
    #: (present if policy/frameworks/packet-filter/shunt.zeek is loaded)
    #: Limitations in BPF make shunting some connections with BPF
    #: impossible; this notice covers those various cases.
    PacketFilter__Cannot_BPF_Shunt_Conn = enum.auto()

    #: ``Software::Software_Version_Change``
    #: (present if policy/frameworks/software/version-changes.zeek is loaded)
    #: For certain software a version change may matter, and this notice is
    #: generated in that case. Which software matters is configured with
    #: the ``Software::interesting_version_changes`` variable.
    Software__Software_Version_Change = enum.auto()

    #: ``Software::Vulnerable_Version``
    #: (present if policy/frameworks/software/vulnerable.zeek is loaded)
    #: A vulnerable version of software was detected.
    Software__Vulnerable_Version = enum.auto()

    #: ``CaptureLoss::Too_Much_Loss``
    #: (present if policy/misc/capture-loss.zeek is loaded)
    #: The detected capture loss exceeded the percentage threshold.
    CaptureLoss__Too_Much_Loss = enum.auto()

    #: ``Traceroute::Detected``
    #: (present if policy/misc/detect-traceroute/main.zeek is loaded)
    #: A host was seen running traceroutes; traceroute.log has the detail
    #: on the specific traceroutes.
    Traceroute__Detected = enum.auto()

    #: ``Scan::Address_Scan``
    #: (present if policy/misc/scan.zeek is loaded)
    #: A host appears to be scanning some number of destinations on a
    #: single port: more than ``Scan::addr_scan_threshold`` unique hosts
    #: were seen over the previous ``Scan::addr_scan_interval`` time range.
    Scan__Address_Scan = enum.auto()

    #: ``Scan::Port_Scan``
    #: (present if policy/misc/scan.zeek is loaded)
    #: An attacking host appears to be scanning a single victim host on
    #: several ports: it attempted to connect to
    #: ``Scan::port_scan_threshold`` unique ports on a single host over
    #: the previous ``Scan::port_scan_interval`` time range.
    Scan__Port_Scan = enum.auto()

    #: ``Conn::Retransmission_Inconsistency``
    #: (present if policy/protocols/conn/weirds.zeek is loaded)
    #: Possible evasion; usually just chud.
    Conn__Retransmission_Inconsistency = enum.auto()

    #: ``Conn::Content_Gap``
    #: (present if policy/protocols/conn/weirds.zeek is loaded)
    #: Data has a sequence hole; perhaps due to filtering.
    Conn__Content_Gap = enum.auto()

    #: ``DNS::External_Name``
    #: (present if policy/protocols/dns/detect-external-names.zeek is loaded)
    #: A non-local name was found pointing at a local host. The
    #: ``Site::local_zones`` variable must be set appropriately for this
    #: detection.
    DNS__External_Name = enum.auto()

    #: ``FTP::Bruteforcing``
    #: (present if policy/protocols/ftp/detect-bruteforcing.zeek is loaded)
    #: A host bruteforcing FTP logins, detected by watching for too many
    #: rejected usernames or failed passwords.
    FTP__Bruteforcing = enum.auto()

    #: ``FTP::Site_Exec_Success``
    #: (present if policy/protocols/ftp/detect.zeek is loaded)
    #: A successful response to a "SITE EXEC" command/arg pair was seen.
    FTP__Site_Exec_Success = enum.auto()

    #: ``HTTP::SQL_Injection_Attacker``
    #: (present if policy/protocols/http/detect-sqli.zeek is loaded)
    #: A host performing SQL injection attacks was detected.
    HTTP__SQL_Injection_Attacker = enum.auto()

    #: ``HTTP::SQL_Injection_Victim``
    #: (present if policy/protocols/http/detect-sqli.zeek is loaded)
    #: A host was seen to have SQL injection attacks against it; tracked by
    #: IP address rather than hostname.
    HTTP__SQL_Injection_Victim = enum.auto()

    #: ``SMTP::Blocklist_Error_Message``
    #: (present if policy/protocols/smtp/blocklists.zeek is loaded)
    #: An SMTP server sent a reply mentioning an SMTP block list.
    SMTP__Blocklist_Error_Message = enum.auto()

    #: ``SMTP::Blocklist_Blocked_Host``
    #: (present if policy/protocols/smtp/blocklists.zeek is loaded)
    #: The originator's address appears in the block list error message;
    #: useful for detecting local hosts sending SPAM with a high positive
    #: rate.
    SMTP__Blocklist_Blocked_Host = enum.auto()

    #: ``SMTP::Suspicious_Origination``
    #: (present if policy/protocols/smtp/detect-suspicious-orig.zeek is loaded)
    SMTP__Suspicious_Origination = enum.auto()

    #: ``SSH::Password_Guessing``
    #: (present if policy/protocols/ssh/detect-bruteforcing.zeek is loaded)
    #: A host was identified as crossing the ``SSH::password_guesses_limit``
    #: threshold with failed logins.
    SSH__Password_Guessing = enum.auto()

    #: ``SSH::Login_By_Password_Guesser``
    #: (present if policy/protocols/ssh/detect-bruteforcing.zeek is loaded)
    #: A host previously identified as a "password guesser" has now had a
    #: successful login attempt. Not currently implemented.
    SSH__Login_By_Password_Guesser = enum.auto()

    #: ``SSH::Watched_Country_Login``
    #: (present if policy/protocols/ssh/geo-data.zeek is loaded)
    #: An SSH login was seen to or from a "watched" country, based on the
    #: ``SSH::watched_countries`` variable.
    SSH__Watched_Country_Login = enum.auto()

    #: ``SSH::Interesting_Hostname_Login``
    #: (present if policy/protocols/ssh/interesting-hostnames.zeek is loaded)
    #: A login originated from, or responded with, a host whose reverse
    #: hostname lookup resolves to a name matched by the
    #: ``SSH::interesting_hostnames`` regular expression.
    SSH__Interesting_Hostname_Login = enum.auto()

    #: ``SSL::Certificate_Expired``
    #: (present if policy/protocols/ssl/expiring-certs.zeek is loaded)
    #: A certificate's NotValidAfter date has lapsed; the certificate is
    #: now invalid.
    SSL__Certificate_Expired = enum.auto()

    #: ``SSL::Certificate_Expires_Soon``
    #: (present if policy/protocols/ssl/expiring-certs.zeek is loaded)
    #: A certificate is going to expire within
    #: ``SSL::notify_when_cert_expiring_in``.
    SSL__Certificate_Expires_Soon = enum.auto()

    #: ``SSL::Certificate_Not_Valid_Yet``
    #: (present if policy/protocols/ssl/expiring-certs.zeek is loaded)
    #: A certificate's NotValidBefore date is in the future.
    SSL__Certificate_Not_Valid_Yet = enum.auto()

    #: ``Heartbleed::SSL_Heartbeat_Attack``
    #: (present if policy/protocols/ssl/heartbleed.zeek is loaded)
    #: A host performed a heartbleed attack or scan.
    Heartbleed__SSL_Heartbeat_Attack = enum.auto()

    #: ``Heartbleed::SSL_Heartbeat_Attack_Success``
    #: (present if policy/protocols/ssl/heartbleed.zeek is loaded)
    #: A host performing a heartbleed attack was probably successful.
    Heartbleed__SSL_Heartbeat_Attack_Success = enum.auto()

    #: ``Heartbleed::SSL_Heartbeat_Odd_Length``
    #: (present if policy/protocols/ssl/heartbleed.zeek is loaded)
    #: Heartbeat requests with odd length were seen; probably an attack or
    #: scan.
    Heartbleed__SSL_Heartbeat_Odd_Length = enum.auto()

    #: ``Heartbleed::SSL_Heartbeat_Many_Requests``
    #: (present if policy/protocols/ssl/heartbleed.zeek is loaded)
    #: Many heartbeat requests were seen without a reply; might be an
    #: attack.
    Heartbleed__SSL_Heartbeat_Many_Requests = enum.auto()

    #: ``SSL::Invalid_Server_Cert``
    #: (present if policy/protocols/ssl/validate-certs.zeek is loaded)
    #: Validating the certificate along with its full certificate chain
    #: gave an invalid result.
    SSL__Invalid_Server_Cert = enum.auto()

    #: ``SSL::Invalid_Ocsp_Response``
    #: (present if policy/protocols/ssl/validate-ocsp.zeek is loaded)
    #: The OCSP response was not deemed to be valid.
    SSL__Invalid_Ocsp_Response = enum.auto()

    #: ``SSL::Weak_Key``
    #: (present if policy/protocols/ssl/weak-keys.zeek is loaded)
    #: A server is using a potentially unsafe key.
    SSL__Weak_Key = enum.auto()

    #: ``SSL::Old_Version``
    #: (present if policy/protocols/ssl/weak-keys.zeek is loaded)
    #: A server is using a potentially unsafe version.
    SSL__Old_Version = enum.auto()

    #: ``SSL::Weak_Cipher``
    #: (present if policy/protocols/ssl/weak-keys.zeek is loaded)
    #: A server is using a potentially unsafe cipher.
    SSL__Weak_Cipher = enum.auto()

    #: ``ZeekygenExample::Zeekygen_One``
    #: (present if zeekygen/example.zeek is loaded)
    #: Any number of this type of comment will document "Zeekygen_One".
    ZeekygenExample__Zeekygen_One = enum.auto()

    #: ``ZeekygenExample::Zeekygen_Two``
    #: (present if zeekygen/example.zeek is loaded)
    #: Any number of this type of comment will document "ZEEKYGEN_TWO".
    ZeekygenExample__Zeekygen_Two = enum.auto()

    #: ``ZeekygenExample::Zeekygen_Three``
    #: (present if zeekygen/example.zeek is loaded)
    ZeekygenExample__Zeekygen_Three = enum.auto()

    #: ``ZeekygenExample::Zeekygen_Four``
    #: (present if zeekygen/example.zeek is loaded)
    #: Omitting comments is fine, and so is mixing ## and ##<, but it's
    #: probably best to use only one style consistently.
    ZeekygenExample__Zeekygen_Four = enum.auto()