Enum Namespace

Module Contents

Bro/Zeek enum namespace.

zlogging.enum.globals(*namespaces, bare=False)

Generate Bro/Zeek enum namespace.

Parameters
  • *namespaces – Namespaces to be loaded.

  • bare (bool) – If True, do not load the zeek namespace by default.

Returns

Global enum namespace.

Return type

dict mapping str to Enum

Warns

BroDeprecationWarning – If the bro namespace is used.

Raises

ValueError – If a namespace is not defined.

Note

For back-port compatibility, the bro namespace is an alias of the zeek namespace.

Namespaces

Broker Namespace

Namespace: Broker.

class zlogging.enum.Broker.DataType(value)

Bases: enum.IntFlag

Enum: Broker::DataType.

Enumerates the possible types that Broker::Data may be in terms of Zeek data types.

NONE = 1
BOOL = 2
INT = 4
COUNT = 8
DOUBLE = 16
STRING = 32
ADDR = 64
SUBNET = 128
PORT = 256
TIME = 512
INTERVAL = 1024
ENUM = 2048
SET = 4096
TABLE = 8192
VECTOR = 16384

class zlogging.enum.Broker.Type(value)

Bases: enum.IntFlag

Enum: Broker::Type.

The type of a Broker activity being logged.

STATUS = 1
ERROR = 2

class zlogging.enum.Broker.ErrorCode(value)

Bases: enum.IntFlag

Enum: Broker::ErrorCode.

Enumerates the possible error types.

NO_ERROR = 1
UNSPECIFIED = 2
PEER_INCOMPATIBLE = 4
PEER_INVALID = 8
PEER_UNAVAILABLE = 16
PEER_DISCONNECT_DURING_HANDSHAKE = 32
PEER_TIMEOUT = 64
MASTER_EXISTS = 128
NO_SUCH_MASTER = 256
NO_SUCH_KEY = 512
REQUEST_TIMEOUT = 1024
TYPE_CLASH = 2048
INVALID_DATA = 4096
BACKEND_FAILURE = 8192
STALE_DATA = 16384
CANNOT_OPEN_FILE = 32768
CANNOT_WRITE_FILE = 65536
INVALID_TOPIC_KEY = 131072
END_OF_FILE = 262144
INVALID_TAG = 524288
INVALID_STATUS = 1048576
CAF_ERROR = 2097152

class zlogging.enum.Broker.PeerStatus(value)

Bases: enum.IntFlag

Enum: Broker::PeerStatus.

The possible states of a peer endpoint.

INITIALIZING = 1
CONNECTING = 2
CONNECTED = 4
PEERED = 8
DISCONNECTED = 16
RECONNECTING = 32

class zlogging.enum.Broker.BackendType(value)

Bases: enum.IntFlag

Enum: Broker::BackendType.

Enumerates the possible storage backends.

MEMORY = 1
SQLITE = 2
ROCKSDB = 4

class zlogging.enum.Broker.QueryStatus(value)

Bases: enum.IntFlag

Enum: Broker::QueryStatus.

Whether a data store query could be completed or not.

SUCCESS = 1
FAILURE = 2

Cluster Namespace

Namespace: Cluster.

class zlogging.enum.Cluster.NodeType(value)

Bases: enum.IntFlag

Enum: Cluster::NodeType.

Types of nodes that are allowed to participate in the cluster configuration.

NONE = 1
CONTROL = 2
LOGGER = 4
MANAGER = 8
PROXY = 16
WORKER = 32
TIME_MACHINE = 64

DCE_RPC Namespace

Namespace: DCE_RPC.

class zlogging.enum.DCE_RPC.IfID(value)

Bases: enum.IntFlag

Enum: DCE_RPC::IfID.

unknown_if = 1
epmapper = 2
lsarpc = 4
lsa_ds = 8
mgmt = 16
netlogon = 32
samr = 64
srvsvc = 128
spoolss = 256
drs = 512
winspipe = 1024
wkssvc = 2048
oxid = 4096
ISCMActivator = 8192

class zlogging.enum.DCE_RPC.PType(value)

Bases: enum.IntFlag

Enum: DCE_RPC::PType.

REQUEST = 1
PING = 2
RESPONSE = 4
FAULT = 8
WORKING = 16
NOCALL = 32
REJECT = 64
ACK = 128
CL_CANCEL = 256
FACK = 512
CANCEL_ACK = 1024
BIND = 2048
BIND_ACK = 4096
BIND_NAK = 8192
ALTER_CONTEXT = 16384
ALTER_CONTEXT_RESP = 32768
AUTH3 = 65536
SHUTDOWN = 131072
CO_CANCEL = 262144
ORPHANED = 524288
RTS = 1048576

HTTP Namespace

Namespace: HTTP.

class zlogging.enum.HTTP.Tags(value)

Bases: enum.IntFlag

Enum: HTTP::Tags.

Indicate a type of attack or compromise in the record to be logged.

EMPTY = 1
URI_SQLI = 2
POST_SQLI = 4
COOKIE_SQLI = 8

Input Namespace

Namespace: Input.

class zlogging.enum.Input.Event(value)

Bases: enum.IntFlag

Enum: Input::Event.

Type that describes what kind of change occurred.

EVENT_NEW = 1
EVENT_CHANGED = 2
EVENT_REMOVED = 4

class zlogging.enum.Input.Mode(value)

Bases: enum.IntFlag

Enum: Input::Mode.

Type that defines the input stream read mode.

MANUAL = 1
REREAD = 2
STREAM = 4

class zlogging.enum.Input.Reader(value)

Bases: enum.IntFlag

Enum: Input::Reader.

READER_ASCII = 1
READER_BENCHMARK = 2
READER_BINARY = 4
READER_CONFIG = 8
READER_RAW = 16
READER_SQLITE = 32

Intel Namespace

Namespace: Intel.

class zlogging.enum.Intel.Type(value)

Bases: enum.IntFlag

Enum: Intel::Type.

Enum type to represent various types of intelligence data.

ADDR = 1
SUBNET = 2
URL = 4
SOFTWARE = 8
EMAIL = 16
DOMAIN = 32
USER_NAME = 64
CERT_HASH = 128
PUBKEY_HASH = 256
FILE_HASH = 512
FILE_NAME = 1024

class zlogging.enum.Intel.Where(value)

Bases: enum.IntFlag

Enum: Intel::Where.

Enum to represent where data came from when it was discovered. The convention is to prefix the name with IN_.

IN_ANYWHERE = 1
Conn__IN_ORIG = 2
Conn__IN_RESP = 4
Files__IN_HASH = 8
Files__IN_NAME = 16
DNS__IN_REQUEST = 32
DNS__IN_RESPONSE = 64
HTTP__IN_HOST_HEADER = 128
HTTP__IN_REFERRER_HEADER = 256
HTTP__IN_USER_AGENT_HEADER = 512
HTTP__IN_X_FORWARDED_FOR_HEADER = 1024
HTTP__IN_URL = 2048
SMTP__IN_MAIL_FROM = 4096
SMTP__IN_RCPT_TO = 8192
SMTP__IN_FROM = 16384
SMTP__IN_TO = 32768
SMTP__IN_CC = 65536
SMTP__IN_RECEIVED_HEADER = 131072
SMTP__IN_REPLY_TO = 262144
SMTP__IN_X_ORIGINATING_IP_HEADER = 524288
SMTP__IN_MESSAGE = 1048576
SSH__IN_SERVER_HOST_KEY = 2097152
SSL__IN_SERVER_NAME = 4194304
SMTP__IN_HEADER = 8388608
X509__IN_CERT = 16777216
SMB__IN_FILE_NAME = 33554432
SSH__SUCCESSFUL_LOGIN = 67108864

JSON Namespace

Namespace: JSON.

class zlogging.enum.JSON.TimestampFormat(value)

Bases: enum.IntFlag

Enum: JSON::TimestampFormat.

TS_EPOCH = 1
TS_MILLIS = 2
TS_ISO8601 = 4

Known Namespace

Namespace: Known.

class zlogging.enum.Known.ModbusDeviceType(value)

Bases: enum.IntFlag

Enum: Known::ModbusDeviceType.

MODBUS_MASTER = 1
MODBUS_SLAVE = 2

LoadBalancing Namespace

Namespace: LoadBalancing.

class zlogging.enum.LoadBalancing.Method(value)

Bases: enum.IntFlag

Enum: LoadBalancing::Method.

AUTO_BPF = 1

Log Namespace

Namespace: Log.

class zlogging.enum.Log.ID(value)

Bases: enum.IntFlag

Enum: Log::ID.

Type that defines an ID unique to each log stream. Scripts creating new log streams need to redef this enum to add their own specific log ID. The log ID implicitly determines the default name of the generated log file.

UNKNOWN = 1
PRINTLOG = 2
Broker__LOG = 4
Files__LOG = 8
Reporter__LOG = 16
Cluster__LOG = 32
Notice__LOG = 64
Notice__ALARM_LOG = 128
Weird__LOG = 256
DPD__LOG = 512
Signatures__LOG = 1024
PacketFilter__LOG = 2048
Software__LOG = 4096
Intel__LOG = 8192
Config__LOG = 16384
Tunnel__LOG = 32768
OpenFlow__LOG = 65536
NetControl__LOG = 131072
NetControl__DROP = 262144
NetControl__SHUNT = 524288
Conn__LOG = 1048576
DCE_RPC__LOG = 2097152
DHCP__LOG = 4194304
DNP3__LOG = 8388608
DNS__LOG = 16777216
FTP__LOG = 33554432
SSL__LOG = 67108864
X509__LOG = 134217728
HTTP__LOG = 268435456
IRC__LOG = 536870912
KRB__LOG = 1073741824
Modbus__LOG = 2147483648
mysql__LOG = 4294967296
NTLM__LOG = 8589934592
NTP__LOG = 17179869184
RADIUS__LOG = 34359738368
RDP__LOG = 68719476736
RFB__LOG = 137438953472
SIP__LOG = 274877906944
SNMP__LOG = 549755813888
SMB__AUTH_LOG = 1099511627776
SMB__MAPPING_LOG = 2199023255552
SMB__FILES_LOG = 4398046511104
SMTP__LOG = 8796093022208
SOCKS__LOG = 17592186044416
SSH__LOG = 35184372088832
Syslog__LOG = 70368744177664
PE__LOG = 140737488355328
NetControl__CATCH_RELEASE = 281474976710656
Unified2__LOG = 562949953421312
OCSP__LOG = 1125899906842624
Barnyard2__LOG = 2251799813685248
CaptureLoss__LOG = 4503599627370496
Traceroute__LOG = 9007199254740992
LoadedScripts__LOG = 18014398509481984
Stats__LOG = 36028797018963968
WeirdStats__LOG = 72057594037927936
Known__HOSTS_LOG = 144115188075855872
Known__SERVICES_LOG = 288230376151711744
Known__MODBUS_LOG = 576460752303423488
Modbus__REGISTER_CHANGE_LOG = 1152921504606846976
MQTT__CONNECT_LOG = 2305843009213693952
MQTT__SUBSCRIBE_LOG = 4611686018427387904
MQTT__PUBLISH_LOG = 9223372036854775808
SMB__CMD_LOG = 18446744073709551616
Known__CERTS_LOG = 36893488147419103232
ZeekygenExample__LOG = 73786976294838206464

class zlogging.enum.Log.PrintLogType(value)

Bases: enum.IntFlag

Enum: Log::PrintLogType.

Configurations for Log::print_to_log.

REDIRECT_NONE = 1
REDIRECT_STDOUT = 2
REDIRECT_ALL = 4

class zlogging.enum.Log.Writer(value)

Bases: enum.IntFlag

Enum: Log::Writer.

WRITER_ASCII = 1
WRITER_NONE = 2
WRITER_SQLITE = 4

MOUNT3 Namespace

Namespace: MOUNT3.

class zlogging.enum.MOUNT3.auth_flavor_t(value)

Bases: enum.IntFlag

Enum: MOUNT3::auth_flavor_t.

AUTH_NULL = 1
AUTH_UNIX = 2
AUTH_SHORT = 4
AUTH_DES = 8

class zlogging.enum.MOUNT3.proc_t(value)

Bases: enum.IntFlag

Enum: MOUNT3::proc_t.

PROC_NULL = 1
PROC_MNT = 2
PROC_DUMP = 4
PROC_UMNT = 8
PROC_UMNT_ALL = 16
PROC_EXPORT = 32
PROC_END_OF_PROCS = 64

class zlogging.enum.MOUNT3.status_t(value)

Bases: enum.IntFlag

Enum: MOUNT3::status_t.

MNT3_OK = 1
MNT3ERR_PERM = 2
MNT3ERR_NOENT = 4
MNT3ERR_IO = 8
MNT3ERR_ACCES = 16
MNT3ERR_NOTDIR = 32
MNT3ERR_INVAL = 64
MNT3ERR_NAMETOOLONG = 128
MNT3ERR_NOTSUPP = 256
MNT3ERR_SERVERFAULT = 512
MOUNT3ERR_UNKNOWN = 1024

MQTT Namespace

Namespace: MQTT.

class zlogging.enum.MQTT.SubUnsub(value)

Bases: enum.IntFlag

Enum: MQTT::SubUnsub.

SUBSCRIBE = 1
UNSUBSCRIBE = 2

NFS3 Namespace

Namespace: NFS3.

class zlogging.enum.NFS3.createmode_t(value)

Bases: enum.IntFlag

Enum: NFS3::createmode_t.

UNCHECKED = 1
GUARDED = 2
EXCLUSIVE = 4

class zlogging.enum.NFS3.file_type_t(value)

Bases: enum.IntFlag

Enum: NFS3::file_type_t.

FTYPE_REG = 1
FTYPE_DIR = 2
FTYPE_BLK = 4
FTYPE_CHR = 8
FTYPE_LNK = 16
FTYPE_SOCK = 32
FTYPE_FIFO = 64

class zlogging.enum.NFS3.proc_t(value)

Bases: enum.IntFlag

Enum: NFS3::proc_t.

PROC_NULL = 1
PROC_GETATTR = 2
PROC_SETATTR = 4
PROC_LOOKUP = 8
PROC_ACCESS = 16
PROC_READLINK = 32
PROC_READ = 64
PROC_WRITE = 128
PROC_CREATE = 256
PROC_MKDIR = 512
PROC_SYMLINK = 1024
PROC_MKNOD = 2048
PROC_REMOVE = 4096
PROC_RMDIR = 8192
PROC_RENAME = 16384
PROC_LINK = 32768
PROC_READDIR = 65536
PROC_READDIRPLUS = 131072
PROC_FSSTAT = 262144
PROC_FSINFO = 524288
PROC_PATHCONF = 1048576
PROC_COMMIT = 2097152
PROC_END_OF_PROCS = 4194304

class zlogging.enum.NFS3.stable_how_t(value)

Bases: enum.IntFlag

Enum: NFS3::stable_how_t.

UNSTABLE = 1
DATA_SYNC = 2
FILE_SYNC = 4

class zlogging.enum.NFS3.status_t(value)

Bases: enum.IntFlag

Enum: NFS3::status_t.

NFS3ERR_OK = 1
NFS3ERR_PERM = 2
NFS3ERR_NOENT = 4
NFS3ERR_IO = 8
NFS3ERR_NXIO = 16
NFS3ERR_ACCES = 32
NFS3ERR_EXIST = 64
NFS3ERR_XDEV = 128
NFS3ERR_NODEV = 256
NFS3ERR_NOTDIR = 512
NFS3ERR_ISDIR = 1024
NFS3ERR_INVAL = 2048
NFS3ERR_FBIG = 4096
NFS3ERR_NOSPC = 8192
NFS3ERR_ROFS = 16384
NFS3ERR_MLINK = 32768
NFS3ERR_NAMETOOLONG = 65536
NFS3ERR_NOTEMPTY = 131072
NFS3ERR_DQUOT = 262144
NFS3ERR_STALE = 524288
NFS3ERR_REMOTE = 1048576
NFS3ERR_BADHANDLE = 2097152
NFS3ERR_NOT_SYNC = 4194304
NFS3ERR_BAD_COOKIE = 8388608
NFS3ERR_NOTSUPP = 16777216
NFS3ERR_TOOSMALL = 33554432
NFS3ERR_SERVERFAULT = 67108864
NFS3ERR_BADTYPE = 134217728
NFS3ERR_JUKEBOX = 268435456
NFS3ERR_UNKNOWN = 536870912

class zlogging.enum.NFS3.time_how_t(value)

Bases: enum.IntFlag

Enum: NFS3::time_how_t.

DONT_CHANGE = 1
SET_TO_SERVER_TIME = 2
SET_TO_CLIENT_TIME = 4

NetControl Namespace

Namespace: NetControl.

class zlogging.enum.NetControl.InfoCategory(value)

Bases: enum.IntFlag

Enum: NetControl::InfoCategory.

Type of an entry in the NetControl log.

MESSAGE = 1
ERROR = 2
RULE = 4

class zlogging.enum.NetControl.InfoState(value)

Bases: enum.IntFlag

Enum: NetControl::InfoState.

State of an entry in the NetControl log.

REQUESTED = 1
SUCCEEDED = 2
EXISTS = 4
FAILED = 8
REMOVED = 16
TIMEOUT = 32

class zlogging.enum.NetControl.EntityType(value)

Bases: enum.IntFlag

Enum: NetControl::EntityType.

Type defining the entity that a rule applies to.

ADDRESS = 1
CONNECTION = 2
FLOW = 4
MAC = 8

class zlogging.enum.NetControl.RuleType(value)

Bases: enum.IntFlag

Enum: NetControl::RuleType.

Type of rules that the framework supports. Each type lists the extra NetControl::Rule fields it uses, if any.

Plugins may extend this type to define their own.

DROP = 1
MODIFY = 2
REDIRECT = 4
WHITELIST = 8

class zlogging.enum.NetControl.TargetType(value)

Bases: enum.IntFlag

Enum: NetControl::TargetType.

Type defining the target of a rule.

Rules can either be applied to the forward path, affecting all network traffic, or on the monitor path, only affecting the traffic that is sent to Zeek. The second is mostly used for shunting, which allows Zeek to tell the networking hardware that it wants to no longer see traffic that it identified as benign.

FORWARD = 1
MONITOR = 2

class zlogging.enum.NetControl.CatchReleaseActions(value)

Bases: enum.IntFlag

Enum: NetControl::CatchReleaseActions.

The enum that contains the different kinds of messages that are logged by catch and release.

INFO = 1
ADDED = 2
DROP = 4
DROPPED = 8
UNBLOCK = 16
FORGOTTEN = 32
SEEN_AGAIN = 64

Notice Namespace

Namespace: Notice.

class zlogging.enum.Notice.Action(value)

Bases: enum.IntFlag

Enum: Notice::Action.

These are values representing actions that can be taken with notices.

ACTION_NONE = 1
ACTION_LOG = 2
ACTION_EMAIL = 4
ACTION_ALARM = 8
ACTION_EMAIL_ADMIN = 16
ACTION_PAGE = 32
ACTION_ADD_GEODATA = 64
ACTION_DROP = 128

class zlogging.enum.Notice.Type(value)

Bases: enum.IntFlag

Enum: Notice::Type.

Scripts creating new notices need to redef this enum to add their own specific notice types which would then get used when they call the NOTICE function. The convention is to give a general category along with the specific notice separating words with underscores and using leading capitals on each word except for abbreviations which are kept in all capitals. For example, SSH::Password_Guessing is for hosts that have crossed a threshold of failed SSH logins.

Tally = 1
Weird__Activity = 2
Signatures__Sensitive_Signature = 4
Signatures__Multiple_Signatures = 8
Signatures__Multiple_Sig_Responders = 16
Signatures__Count_Signature = 32
Signatures__Signature_Summary = 64
PacketFilter__Compile_Failure = 128
PacketFilter__Install_Failure = 256
PacketFilter__Too_Long_To_Compile_Filter = 512
PacketFilter__Dropped_Packets = 1024
ProtocolDetector__Protocol_Found = 2048
ProtocolDetector__Server_Found = 4096
Intel__Notice = 8192
TeamCymruMalwareHashRegistry__Match = 16384
PacketFilter__No_More_Conn_Shunts_Available = 32768
PacketFilter__Cannot_BPF_Shunt_Conn = 65536
Software__Software_Version_Change = 131072
Software__Vulnerable_Version = 262144
CaptureLoss__Too_Much_Loss = 524288
Traceroute__Detected = 1048576
Scan__Address_Scan = 2097152
Scan__Port_Scan = 4194304
Conn__Retransmission_Inconsistency = 8388608
Conn__Content_Gap = 16777216
DNS__External_Name = 33554432
FTP__Bruteforcing = 67108864
FTP__Site_Exec_Success = 134217728
HTTP__SQL_Injection_Attacker = 268435456
HTTP__SQL_Injection_Victim = 536870912
SMTP__Blocklist_Error_Message = 1073741824
SMTP__Blocklist_Blocked_Host = 2147483648
SMTP__Suspicious_Origination = 4294967296
SSH__Password_Guessing = 8589934592
SSH__Login_By_Password_Guesser = 17179869184
SSH__Watched_Country_Login = 34359738368
SSH__Interesting_Hostname_Login = 68719476736
SSL__Certificate_Expired = 137438953472
SSL__Certificate_Expires_Soon = 274877906944
SSL__Certificate_Not_Valid_Yet = 549755813888
Heartbleed__SSL_Heartbeat_Attack = 1099511627776
Heartbleed__SSL_Heartbeat_Attack_Success = 2199023255552
Heartbleed__SSL_Heartbeat_Odd_Length = 4398046511104
Heartbleed__SSL_Heartbeat_Many_Requests = 8796093022208
SSL__Invalid_Server_Cert = 17592186044416
SSL__Invalid_Ocsp_Response = 35184372088832
SSL__Weak_Key = 70368744177664
SSL__Old_Version = 140737488355328
SSL__Weak_Cipher = 281474976710656
ZeekygenExample__Zeekygen_One = 562949953421312
ZeekygenExample__Zeekygen_Two = 1125899906842624
ZeekygenExample__Zeekygen_Three = 2251799813685248
ZeekygenExample__Zeekygen_Four = 4503599627370496

OpenFlow Namespace

Namespace: OpenFlow.

class zlogging.enum.OpenFlow.ofp_action_type(value)

Bases: enum.IntFlag

Enum: OpenFlow::ofp_action_type.

Openflow action_type definitions.

The openflow action type defines what actions openflow can take to modify a packet.

OFPAT_OUTPUT = 1
OFPAT_SET_VLAN_VID = 2
OFPAT_SET_VLAN_PCP = 4
OFPAT_STRIP_VLAN = 8
OFPAT_SET_DL_SRC = 16
OFPAT_SET_DL_DST = 32
OFPAT_SET_NW_SRC = 64
OFPAT_SET_NW_DST = 128
OFPAT_SET_NW_TOS = 256
OFPAT_SET_TP_SRC = 512
OFPAT_SET_TP_DST = 1024
OFPAT_ENQUEUE = 2048
OFPAT_VENDOR = 4096

class zlogging.enum.OpenFlow.ofp_config_flags(value)

Bases: enum.IntFlag

Enum: OpenFlow::ofp_config_flags.

Openflow config flag definitions.

TODO: describe.

OFPC_FRAG_NORMAL = 1
OFPC_FRAG_DROP = 2
OFPC_FRAG_REASM = 4
OFPC_FRAG_MASK = 8

class zlogging.enum.OpenFlow.ofp_flow_mod_command(value)

Bases: enum.IntFlag

Enum: OpenFlow::ofp_flow_mod_command.

Openflow flow_mod_command definitions.

The openflow flow_mod_command describes what kind of action is being performed.

OFPFC_ADD = 1
OFPFC_MODIFY = 2
OFPFC_MODIFY_STRICT = 4
OFPFC_DELETE = 8
OFPFC_DELETE_STRICT = 16

class zlogging.enum.OpenFlow.Plugin(value)

Bases: enum.IntFlag

Enum: OpenFlow::Plugin.

Available openflow plugins.

INVALID = 1
RYU = 2
OFLOG = 4
BROKER = 8

ProtocolDetector Namespace

Namespace: ProtocolDetector.

class zlogging.enum.ProtocolDetector.dir(value)

Bases: enum.IntFlag

Enum: ProtocolDetector::dir.

NONE = 1
INCOMING = 2
OUTGOING = 4
BOTH = 8

Reporter Namespace

Namespace: Reporter.

class zlogging.enum.Reporter.Level(value)

Bases: enum.IntFlag

Enum: Reporter::Level.

INFO = 1
WARNING = 2
ERROR = 4

SMB Namespace

Namespace: SMB.

class zlogging.enum.SMB.Action(value)

Bases: enum.IntFlag

Enum: SMB::Action.

Abstracted actions for SMB file actions.

FILE_READ = 1
FILE_WRITE = 2
FILE_OPEN = 4
FILE_CLOSE = 8
FILE_DELETE = 16
FILE_RENAME = 32
FILE_SET_ATTRIBUTE = 64
PIPE_READ = 128
PIPE_WRITE = 256
PIPE_OPEN = 512
PIPE_CLOSE = 1024
PRINT_READ = 2048
PRINT_WRITE = 4096
PRINT_OPEN = 8192
PRINT_CLOSE = 16384

SOCKS Namespace

Namespace: SOCKS.

class zlogging.enum.SOCKS.RequestType(value)

Bases: enum.IntFlag

Enum: SOCKS::RequestType.

CONNECTION = 1
PORT = 2
UDP_ASSOCIATE = 4

SSL Namespace

Namespace: SSL.

class zlogging.enum.SSL.SctSource(value)

Bases: enum.IntFlag

Enum: SSL::SctSource.

List of the different sources for Signed Certificate Timestamp.

SCT_X509_EXT = 1
SCT_TLS_EXT = 2
SCT_OCSP_EXT = 4

Signatures Namespace

Namespace: Signatures.

class zlogging.enum.Signatures.Action(value)

Bases: enum.IntFlag

Enum: Signatures::Action.

These are the default actions you can apply to signature matches. All of them write the signature record to the logging stream unless declared otherwise.

SIG_IGNORE = 1
SIG_QUIET = 2
SIG_LOG = 4
SIG_FILE_BUT_NO_SCAN = 8
SIG_ALARM = 16
SIG_ALARM_PER_ORIG = 32
SIG_ALARM_ONCE = 64
SIG_COUNT_PER_RESP = 128
SIG_SUMMARY = 256

Software Namespace

Namespace: Software.

class zlogging.enum.Software.Type(value)

Bases: enum.IntFlag

Enum: Software::Type.

Scripts detecting new types of software need to redef this enum to add their own specific software types which would then be used when they create Software::Info records.

UNKNOWN = 1
OS__WINDOWS = 2
DHCP__SERVER = 4
DHCP__CLIENT = 8
FTP__CLIENT = 16
FTP__SERVER = 32
HTTP__WEB_APPLICATION = 64
HTTP__BROWSER_PLUGIN = 128
HTTP__SERVER = 256
HTTP__APPSERVER = 512
HTTP__BROWSER = 1024
MySQL__SERVER = 2048
SMTP__MAIL_CLIENT = 4096
SMTP__MAIL_SERVER = 8192
SMTP__WEBMAIL_SERVER = 16384
SSH__SERVER = 32768
SSH__CLIENT = 65536

SumStats Namespace

Namespace: SumStats.

class zlogging.enum.SumStats.Calculation(value)

Bases: enum.IntFlag

Enum: SumStats::Calculation.

Type to represent the calculations that are available. The calculations are all defined as plugins.

PLACEHOLDER = 1
AVERAGE = 2
HLL_UNIQUE = 4
LAST = 8
MAX = 16
MIN = 32
SAMPLE = 64
VARIANCE = 128
STD_DEV = 256
SUM = 512
TOPK = 1024
UNIQUE = 2048

Tunnel Namespace

Namespace: Tunnel.

class zlogging.enum.Tunnel.Type(value)

Bases: enum.IntFlag

Enum: Tunnel::Type.

NONE = 1
IP = 2
AYIYA = 4
TEREDO = 8
SOCKS = 16
GTPv1 = 32
HTTP = 64
GRE = 128
VXLAN = 256

class zlogging.enum.Tunnel.Action(value)

Bases: enum.IntFlag

Enum: Tunnel::Action.

Types of interesting activity that can occur with a tunnel.

DISCOVER = 1
CLOSE = 2
EXPIRE = 4

Weird Namespace

Namespace: Weird.

class zlogging.enum.Weird.Action(value)

Bases: enum.IntFlag

Enum: Weird::Action.

Types of actions that may be taken when handling weird activity events.

ACTION_UNSPECIFIED = 1
ACTION_IGNORE = 2
ACTION_LOG = 4
ACTION_LOG_ONCE = 8
ACTION_LOG_PER_CONN = 16
ACTION_LOG_PER_ORIG = 32
ACTION_NOTICE = 64
ACTION_NOTICE_ONCE = 128
ACTION_NOTICE_PER_CONN = 256
ACTION_NOTICE_PER_ORIG = 512

ZeekygenExample Namespace

Namespace: ZeekygenExample.

class zlogging.enum.ZeekygenExample.SimpleEnum(value)

Bases: enum.IntFlag

Enum: ZeekygenExample::SimpleEnum.

Documentation for the “SimpleEnum” type goes here. It can span multiple lines.

ONE = 1
TWO = 2
THREE = 4
FOUR = 8
FIVE = 16

zeek Namespace

Namespace: zeek.

class zlogging.enum.zeek.TableChange(value)

Bases: enum.IntFlag

Enum: TableChange.

TABLE_ELEMENT_NEW = 1
TABLE_ELEMENT_CHANGED = 2
TABLE_ELEMENT_REMOVED = 4
TABLE_ELEMENT_EXPIRED = 8

class zlogging.enum.zeek.layer3_proto(value)

Bases: enum.IntFlag

Enum: layer3_proto.

L3_IPV4 = 1
L3_IPV6 = 2
L3_ARP = 4
L3_UNKNOWN = 8

class zlogging.enum.zeek.link_encap(value)

Bases: enum.IntFlag

Enum: link_encap.

LINK_ETHERNET = 1
LINK_UNKNOWN = 2

class zlogging.enum.zeek.rpc_status(value)

Bases: enum.IntFlag

Enum: rpc_status.

RPC_SUCCESS = 1
RPC_PROG_UNAVAIL = 2
RPC_PROG_MISMATCH = 4
RPC_PROC_UNAVAIL = 8
RPC_GARBAGE_ARGS = 16
RPC_SYSTEM_ERR = 32
RPC_TIMEOUT = 64
RPC_VERS_MISMATCH = 128
RPC_AUTH_ERROR = 256
RPC_UNKNOWN_ERROR = 512

class zlogging.enum.zeek.IPAddrAnonymization(value)

Bases: enum.IntFlag

Enum: IPAddrAnonymization.

See also: anonymize_addr.

KEEP_ORIG_ADDR = 1
SEQUENTIALLY_NUMBERED = 2
RANDOM_MD5 = 4
PREFIX_PRESERVING_A50 = 8
PREFIX_PRESERVING_MD5 = 16

class zlogging.enum.zeek.IPAddrAnonymizationClass(value)

Bases: enum.IntFlag

Enum: IPAddrAnonymizationClass.

See also: anonymize_addr.

ORIG_ADDR = 1
RESP_ADDR = 2
OTHER_ADDR = 4

class zlogging.enum.zeek.PcapFilterID(value)

Bases: enum.IntFlag

Enum: PcapFilterID.

Enum type identifying dynamic BPF filters. These are used by Pcap::precompile_pcap_filter and Pcap::precompile_pcap_filter.

None = 1
PacketFilter__DefaultPcapFilter = 2
PacketFilter__FilterTester = 4

class zlogging.enum.zeek.pkt_profile_modes(value)

Bases: enum.IntFlag

Enum: pkt_profile_modes.

Output modes for packet profiling information.

See also: pkt_profile_mode, pkt_profile_freq, pkt_profile_file.

PKT_PROFILE_MODE_NONE = 1
PKT_PROFILE_MODE_SECS = 2
PKT_PROFILE_MODE_PKTS = 4
PKT_PROFILE_MODE_BYTES = 8

class zlogging.enum.zeek.transport_proto(value)

Bases: enum.IntFlag

Enum: transport_proto.

A connection’s transport-layer protocol. Note that Zeek uses the term “connection” broadly, using flow semantics for ICMP and UDP.

unknown_transport = 1
tcp = 2
udp = 4
icmp = 8

class zlogging.enum.zeek.Direction(value)

Bases: enum.IntFlag

Enum: Direction.

INBOUND = 1
OUTBOUND = 2
BIDIRECTIONAL = 4
NO_DIRECTION = 8

class zlogging.enum.zeek.Host(value)

Bases: enum.IntFlag

Enum: Host.

LOCAL_HOSTS = 1
REMOTE_HOSTS = 2
ALL_HOSTS = 4
NO_HOSTS = 8