Enum Namespace

Module Contents

Bro/Zeek enum namespace.

zlogging.enum.globals(*namespaces, bare=False)[source]

Generate Bro/Zeek enum namespace.

Parameters

  • *namespaces – Namespaces to be loaded.

  • bare (bool, keyword-only) – If True, do not load the zeek namespace by default.

Returns

Global enum namespace.

Return type

dict mapping str to Enum

Warns

BroDeprecationWarning – If the bro namespace is used.

Raises

ValueError – If a requested namespace is not defined.

Note

For back-port compatibility, the bro namespace is an alias of the zeek namespace.

Namespaces

Broker Namespace

Namespace: Broker.

class zlogging.enum.Broker.DataType(value)[source]

Bases: enum.IntFlag

Enumerates the possible types that Broker::Data may be in terms of Zeek data types.

c.f. base/bif/data.bif.zeek

NONE = 1
BOOL = 2
INT = 4
COUNT = 8
DOUBLE = 16
STRING = 32
ADDR = 64
SUBNET = 128
PORT = 256
TIME = 512
INTERVAL = 1024
ENUM = 2048
SET = 4096
TABLE = 8192
VECTOR = 16384
class zlogging.enum.Broker.Type(value)[source]

Bases: enum.IntFlag

The type of a Broker activity being logged.

c.f. base/frameworks/broker/log.zeek

STATUS = 1
ERROR = 2
class zlogging.enum.Broker.ErrorCode(value)[source]

Bases: enum.IntFlag

Enumerates the possible error types.

c.f. base/frameworks/broker/main.zeek

NO_ERROR = 1
UNSPECIFIED = 2
PEER_INCOMPATIBLE = 4
PEER_INVALID = 8
PEER_UNAVAILABLE = 16
PEER_DISCONNECT_DURING_HANDSHAKE = 32
PEER_TIMEOUT = 64
MASTER_EXISTS = 128
NO_SUCH_MASTER = 256
NO_SUCH_KEY = 512
REQUEST_TIMEOUT = 1024
TYPE_CLASH = 2048
INVALID_DATA = 4096
BACKEND_FAILURE = 8192
STALE_DATA = 16384
CANNOT_OPEN_FILE = 32768
CANNOT_WRITE_FILE = 65536
INVALID_TOPIC_KEY = 131072
END_OF_FILE = 262144
INVALID_TAG = 524288
INVALID_STATUS = 1048576
CAF_ERROR = 2097152
class zlogging.enum.Broker.PeerStatus(value)[source]

Bases: enum.IntFlag

The possible states of a peer endpoint.

c.f. base/frameworks/broker/main.zeek

INITIALIZING = 1
CONNECTING = 2
CONNECTED = 4
PEERED = 8
DISCONNECTED = 16
RECONNECTING = 32
class zlogging.enum.Broker.BackendType(value)[source]

Bases: enum.IntFlag

Enumerates the possible storage backends.

c.f. base/frameworks/broker/store.zeek

MEMORY = 1
SQLITE = 2
ROCKSDB = 4
class zlogging.enum.Broker.QueryStatus(value)[source]

Bases: enum.IntFlag

Whether a data store query could be completed or not.

c.f. base/frameworks/broker/store.zeek

SUCCESS = 1
FAILURE = 2

Cluster Namespace

Namespace: Cluster.

class zlogging.enum.Cluster.NodeType(value)[source]

Bases: enum.IntFlag

Types of nodes that are allowed to participate in the cluster configuration.

c.f. base/frameworks/cluster/main.zeek

NONE = 1
CONTROL = 2
LOGGER = 4
MANAGER = 8
PROXY = 16
WORKER = 32
TIME_MACHINE = 64

DCE_RPC Namespace

Namespace: DCE_RPC.

class zlogging.enum.DCE_RPC.IfID(value)[source]

Bases: enum.IntFlag

c.f. base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek

unknown_if = 1
epmapper = 2
lsarpc = 4
lsa_ds = 8
mgmt = 16
netlogon = 32
samr = 64
srvsvc = 128
spoolss = 256
drs = 512
winspipe = 1024
wkssvc = 2048
oxid = 4096
ISCMActivator = 8192
class zlogging.enum.DCE_RPC.PType(value)[source]

Bases: enum.IntFlag

c.f. base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek

REQUEST = 1
PING = 2
RESPONSE = 4
FAULT = 8
WORKING = 16
NOCALL = 32
REJECT = 64
ACK = 128
CL_CANCEL = 256
FACK = 512
CANCEL_ACK = 1024
BIND = 2048
BIND_ACK = 4096
BIND_NAK = 8192
ALTER_CONTEXT = 16384
ALTER_CONTEXT_RESP = 32768
AUTH3 = 65536
SHUTDOWN = 131072
CO_CANCEL = 262144
ORPHANED = 524288
RTS = 1048576

HTTP Namespace

Namespace: HTTP.

class zlogging.enum.HTTP.Tags(value)[source]

Bases: enum.IntFlag

Indicate a type of attack or compromise in the record to be logged.

c.f. base/protocols/http/main.zeek

EMPTY = 1
URI_SQLI = 2
POST_SQLI = 4
COOKIE_SQLI = 8

Input Namespace

Namespace: Input.

class zlogging.enum.Input.Event(value)[source]

Bases: enum.IntFlag

Type that describes what kind of change occurred.

c.f. base/frameworks/input/main.zeek

EVENT_NEW = 1
EVENT_CHANGED = 2
EVENT_REMOVED = 4
class zlogging.enum.Input.Mode(value)[source]

Bases: enum.IntFlag

Type that defines the input stream read mode.

c.f. base/frameworks/input/main.zeek

MANUAL = 1
REREAD = 2
STREAM = 4
class zlogging.enum.Input.Reader(value)[source]

Bases: enum.IntFlag

c.f. base/frameworks/input/main.zeek

READER_ASCII = 1
READER_BENCHMARK = 2
READER_BINARY = 4
READER_CONFIG = 8
READER_RAW = 16
READER_SQLITE = 32

Intel Namespace

Namespace: Intel.

class zlogging.enum.Intel.Type(value)[source]

Bases: enum.IntFlag

Enum type to represent various types of intelligence data.

c.f. base/frameworks/intel/main.zeek

ADDR = 1
SUBNET = 2
URL = 4
SOFTWARE = 8
EMAIL = 16
DOMAIN = 32
USER_NAME = 64
CERT_HASH = 128
PUBKEY_HASH = 256
FILE_HASH = 512
FILE_NAME = 1024
class zlogging.enum.Intel.Where(value)[source]

Bases: enum.IntFlag

Enum to represent where data came from when it was discovered. The convention is to prefix the name with IN_.

c.f. base/frameworks/intel/main.zeek

IN_ANYWHERE = 1
Conn__IN_ORIG = 2
Conn__IN_RESP = 4
Files__IN_HASH = 8
Files__IN_NAME = 16
DNS__IN_REQUEST = 32
DNS__IN_RESPONSE = 64
HTTP__IN_HOST_HEADER = 128
HTTP__IN_REFERRER_HEADER = 256
HTTP__IN_USER_AGENT_HEADER = 512
HTTP__IN_X_FORWARDED_FOR_HEADER = 1024
HTTP__IN_URL = 2048
SMTP__IN_MAIL_FROM = 4096
SMTP__IN_RCPT_TO = 8192
SMTP__IN_FROM = 16384
SMTP__IN_TO = 32768
SMTP__IN_CC = 65536
SMTP__IN_RECEIVED_HEADER = 131072
SMTP__IN_REPLY_TO = 262144
SMTP__IN_X_ORIGINATING_IP_HEADER = 524288
SMTP__IN_MESSAGE = 1048576
SSH__IN_SERVER_HOST_KEY = 2097152
SSL__IN_SERVER_NAME = 4194304
SMTP__IN_HEADER = 8388608
X509__IN_CERT = 16777216
SMB__IN_FILE_NAME = 33554432
SSH__SUCCESSFUL_LOGIN = 67108864
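
The listing above shows the naming rule zlogging applies when it turns Zeek enum values into Python members: a value from a foreign namespace keeps its prefix with `::` replaced by `__` (Zeek's `Conn::IN_ORIG` becomes `Conn__IN_ORIG`), while a value from the enum's own namespace is listed bare (`Intel::IN_ANYWHERE` becomes `IN_ANYWHERE`). The following added example (not part of zlogging) uses that rule, together with the str-to-Enum namespace dict shape documented for `zlogging.enum.globals()`, to resolve enum literals as they appear in Zeek ASCII logs and to fold a `set[enum]` field such as http.log's `tags` into one combined IntFlag. The enum classes are re-declared from the values on this page so the snippet runs without zlogging installed, and the `"Zeek.Enum"` key format of the namespace dict is an assumption made for the example.

```python
from enum import IntFlag
from typing import Dict, Optional, Type


# Stand-ins re-declared from the values listed on this page so the example
# runs without zlogging installed; in practice use zlogging.enum.HTTP.Tags
# and zlogging.enum.Intel.Where, or the dict zlogging.enum.globals() returns.
class Tags(IntFlag):
    EMPTY = 1
    URI_SQLI = 2
    POST_SQLI = 4
    COOKIE_SQLI = 8


class Where(IntFlag):
    IN_ANYWHERE = 1
    Conn__IN_ORIG = 2
    Conn__IN_RESP = 4
    HTTP__IN_HOST_HEADER = 128


# Namespace dict in the documented shape (str -> Enum).  The "Zeek.Enum"
# key format is an assumption made for this example, not zlogging's own.
NAMESPACE: Dict[str, Type[IntFlag]] = {"HTTP.Tags": Tags, "Intel.Where": Where}


def zeek_member_name(literal: str, home_namespace: str) -> str:
    """Map a fully qualified Zeek literal (as written in Zeek logs) to the
    member name used on this page: foreign namespace -> ``Ns__NAME``,
    the enum's own namespace -> bare ``NAME``."""
    namespace, sep, name = literal.rpartition("::")
    if not sep or namespace == home_namespace:
        return name
    return f"{namespace}__{name}"


def resolve(enum_key: str, literal: str) -> IntFlag:
    """Look up one Zeek enum literal in the namespace dict."""
    enum_cls = NAMESPACE[enum_key]
    home_namespace = enum_key.split(".", 1)[0]
    member = zeek_member_name(literal, home_namespace)
    try:
        return enum_cls[member]
    except KeyError:
        raise ValueError(f"{literal!r} is not a member of {enum_key}") from None


def parse_set_field(enum_key: str, field: str) -> Optional[IntFlag]:
    """Fold a Zeek ASCII-log ``set[enum]`` field into one IntFlag.  Zeek writes
    an unset field as ``-`` (returned as None) and an empty set as ``(empty)``;
    otherwise the members are comma-separated.  Power-of-two values let the
    whole set live in a single integer."""
    if field == "-":
        return None
    enum_cls = NAMESPACE[enum_key]
    flags = enum_cls(0)
    if field == "(empty)":
        return flags
    for literal in field.split(","):
        flags |= resolve(enum_key, literal)
    return flags


SQLI_TAGS = Tags.URI_SQLI | Tags.POST_SQLI | Tags.COOKIE_SQLI


def has_sqli_tag(tags: Tags) -> bool:
    """True when any of the three SQL-injection tags is set on the record."""
    return bool(tags & SQLI_TAGS)


if __name__ == "__main__":
    # Constructed http.log tags field, not real capture data.
    tags = parse_set_field("HTTP.Tags", "HTTP::URI_SQLI,HTTP::COOKIE_SQLI")
    print(tags, int(tags), has_sqli_tag(tags))
```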

JSON Namespace

Namespace: JSON.

class zlogging.enum.JSON.TimestampFormat(value)[source]

Bases: enum.IntFlag

c.f. base/init-bare.zeek

TS_EPOCH = 1
TS_MILLIS = 2
TS_ISO8601 = 4

Known Namespace

Namespace: Known.

class zlogging.enum.Known.ModbusDeviceType(value)[source]

Bases: enum.IntFlag

c.f. policy/protocols/modbus/known-masters-slaves.zeek

MODBUS_MASTER = 1
MODBUS_SLAVE = 2

LoadBalancing Namespace

Namespace: LoadBalancing.

class zlogging.enum.LoadBalancing.Method(value)[source]

Bases: enum.IntFlag

c.f. policy/misc/load-balancing.zeek

AUTO_BPF = 1

Log Namespace

Namespace: Log.

class zlogging.enum.Log.ID(value)[source]

Bases: enum.IntFlag

Type that defines an ID unique to each log stream. Scripts creating new log streams need to redef this enum to add their own specific log ID. The log ID implicitly determines the default name of the generated log file.

c.f. base/frameworks/logging/main.zeek

UNKNOWN = 1
PRINTLOG = 2
Broker__LOG = 4
Files__LOG = 8
Reporter__LOG = 16
Cluster__LOG = 32
Notice__LOG = 64
Notice__ALARM_LOG = 128
Weird__LOG = 256
DPD__LOG = 512
Signatures__LOG = 1024
PacketFilter__LOG = 2048
Software__LOG = 4096
Intel__LOG = 8192
Config__LOG = 16384
Tunnel__LOG = 32768
OpenFlow__LOG = 65536
NetControl__LOG = 131072
NetControl__DROP = 262144
NetControl__SHUNT = 524288
Conn__LOG = 1048576
DCE_RPC__LOG = 2097152
DHCP__LOG = 4194304
DNP3__LOG = 8388608
DNS__LOG = 16777216
FTP__LOG = 33554432
SSL__LOG = 67108864
X509__LOG = 134217728
HTTP__LOG = 268435456
IRC__LOG = 536870912
KRB__LOG = 1073741824
Modbus__LOG = 2147483648
mysql__LOG = 4294967296
NTLM__LOG = 8589934592
NTP__LOG = 17179869184
RADIUS__LOG = 34359738368
RDP__LOG = 68719476736
RFB__LOG = 137438953472
SIP__LOG = 274877906944
SNMP__LOG = 549755813888
SMB__AUTH_LOG = 1099511627776
SMB__MAPPING_LOG = 2199023255552
SMB__FILES_LOG = 4398046511104
SMTP__LOG = 8796093022208
SOCKS__LOG = 17592186044416
SSH__LOG = 35184372088832
Syslog__LOG = 70368744177664
PE__LOG = 140737488355328
NetControl__CATCH_RELEASE = 281474976710656
Unified2__LOG = 562949953421312
OCSP__LOG = 1125899906842624
Barnyard2__LOG = 2251799813685248
CaptureLoss__LOG = 4503599627370496
Traceroute__LOG = 9007199254740992
LoadedScripts__LOG = 18014398509481984
Stats__LOG = 36028797018963968
WeirdStats__LOG = 72057594037927936
Known__HOSTS_LOG = 144115188075855872
Known__SERVICES_LOG = 288230376151711744
Known__MODBUS_LOG = 576460752303423488
Modbus__REGISTER_CHANGE_LOG = 1152921504606846976
MQTT__CONNECT_LOG = 2305843009213693952
MQTT__SUBSCRIBE_LOG = 4611686018427387904
MQTT__PUBLISH_LOG = 9223372036854775808
SMB__CMD_LOG = 18446744073709551616
Known__CERTS_LOG = 36893488147419103232
ZeekygenExample__LOG = 73786976294838206464
class zlogging.enum.Log.PrintLogType(value)[source]

Bases: enum.IntFlag

Configurations for Log::print_to_log.

c.f. base/frameworks/logging/main.zeek

REDIRECT_NONE = 1
REDIRECT_STDOUT = 2
REDIRECT_ALL = 4
class zlogging.enum.Log.Writer(value)[source]

Bases: enum.IntFlag

c.f. base/frameworks/logging/main.zeek

WRITER_ASCII = 1
WRITER_NONE = 2
WRITER_SQLITE = 4

MOUNT3 Namespace

Namespace: MOUNT3.

class zlogging.enum.MOUNT3.auth_flavor_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

AUTH_NULL = 1
AUTH_UNIX = 2
AUTH_SHORT = 4
AUTH_DES = 8
class zlogging.enum.MOUNT3.proc_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

PROC_NULL = 1
PROC_MNT = 2
PROC_DUMP = 4
PROC_UMNT = 8
PROC_UMNT_ALL = 16
PROC_EXPORT = 32
PROC_END_OF_PROCS = 64
class zlogging.enum.MOUNT3.status_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

MNT3_OK = 1
MNT3ERR_PERM = 2
MNT3ERR_NOENT = 4
MNT3ERR_IO = 8
MNT3ERR_ACCES = 16
MNT3ERR_NOTDIR = 32
MNT3ERR_INVAL = 64
MNT3ERR_NAMETOOLONG = 128
MNT3ERR_NOTSUPP = 256
MNT3ERR_SERVERFAULT = 512
MOUNT3ERR_UNKNOWN = 1024

MQTT Namespace

Namespace: MQTT.

class zlogging.enum.MQTT.SubUnsub(value)[source]

Bases: enum.IntFlag

c.f. policy/protocols/mqtt/main.zeek

SUBSCRIBE = 1
UNSUBSCRIBE = 2

NFS3 Namespace

Namespace: NFS3.

class zlogging.enum.NFS3.createmode_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

UNCHECKED = 1
GUARDED = 2
EXCLUSIVE = 4
class zlogging.enum.NFS3.file_type_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

FTYPE_REG = 1
FTYPE_DIR = 2
FTYPE_BLK = 4
FTYPE_CHR = 8
FTYPE_LNK = 16
FTYPE_SOCK = 32
FTYPE_FIFO = 64
class zlogging.enum.NFS3.proc_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

PROC_NULL = 1
PROC_GETATTR = 2
PROC_SETATTR = 4
PROC_LOOKUP = 8
PROC_ACCESS = 16
PROC_READLINK = 32
PROC_READ = 64
PROC_WRITE = 128
PROC_CREATE = 256
PROC_MKDIR = 512
PROC_SYMLINK = 1024
PROC_MKNOD = 2048
PROC_REMOVE = 4096
PROC_RMDIR = 8192
PROC_RENAME = 16384
PROC_LINK = 32768
PROC_READDIR = 65536
PROC_READDIRPLUS = 131072
PROC_FSSTAT = 262144
PROC_FSINFO = 524288
PROC_PATHCONF = 1048576
PROC_COMMIT = 2097152
PROC_END_OF_PROCS = 4194304
class zlogging.enum.NFS3.stable_how_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

UNSTABLE = 1
DATA_SYNC = 2
FILE_SYNC = 4
class zlogging.enum.NFS3.status_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

NFS3ERR_OK = 1
NFS3ERR_PERM = 2
NFS3ERR_NOENT = 4
NFS3ERR_IO = 8
NFS3ERR_NXIO = 16
NFS3ERR_ACCES = 32
NFS3ERR_EXIST = 64
NFS3ERR_XDEV = 128
NFS3ERR_NODEV = 256
NFS3ERR_NOTDIR = 512
NFS3ERR_ISDIR = 1024
NFS3ERR_INVAL = 2048
NFS3ERR_FBIG = 4096
NFS3ERR_NOSPC = 8192
NFS3ERR_ROFS = 16384
NFS3ERR_MLINK = 32768
NFS3ERR_NAMETOOLONG = 65536
NFS3ERR_NOTEMPTY = 131072
NFS3ERR_DQUOT = 262144
NFS3ERR_STALE = 524288
NFS3ERR_REMOTE = 1048576
NFS3ERR_BADHANDLE = 2097152
NFS3ERR_NOT_SYNC = 4194304
NFS3ERR_BAD_COOKIE = 8388608
NFS3ERR_NOTSUPP = 16777216
NFS3ERR_TOOSMALL = 33554432
NFS3ERR_SERVERFAULT = 67108864
NFS3ERR_BADTYPE = 134217728
NFS3ERR_JUKEBOX = 268435456
NFS3ERR_UNKNOWN = 536870912
class zlogging.enum.NFS3.time_how_t(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

DONT_CHANGE = 1
SET_TO_SERVER_TIME = 2
SET_TO_CLIENT_TIME = 4

NetControl Namespace

Namespace: NetControl.

class zlogging.enum.NetControl.InfoCategory(value)[source]

Bases: enum.IntFlag

Type of an entry in the NetControl log.

c.f. base/frameworks/netcontrol/main.zeek

MESSAGE = 1
ERROR = 2
RULE = 4
class zlogging.enum.NetControl.InfoState(value)[source]

Bases: enum.IntFlag

State of an entry in the NetControl log.

c.f. base/frameworks/netcontrol/main.zeek

REQUESTED = 1
SUCCEEDED = 2
EXISTS = 4
FAILED = 8
REMOVED = 16
TIMEOUT = 32
class zlogging.enum.NetControl.EntityType(value)[source]

Bases: enum.IntFlag

Type defining the entity that a rule applies to.

c.f. base/frameworks/netcontrol/types.zeek

ADDRESS = 1
CONNECTION = 2
FLOW = 4
MAC = 8
class zlogging.enum.NetControl.RuleType(value)[source]

Bases: enum.IntFlag

Type of rules that the framework supports. Each type lists the extra NetControl::Rule fields it uses, if any.

Plugins may extend this type to define their own.

c.f. base/frameworks/netcontrol/types.zeek

DROP = 1
MODIFY = 2
REDIRECT = 4
WHITELIST = 8
class zlogging.enum.NetControl.TargetType(value)[source]

Bases: enum.IntFlag

Type defining the target of a rule.

Rules can either be applied to the forward path, affecting all network traffic, or on the monitor path, only affecting the traffic that is sent to Zeek. The second is mostly used for shunting, which allows Zeek to tell the networking hardware that it wants to no longer see traffic that it identified as benign.

c.f. base/frameworks/netcontrol/types.zeek

FORWARD = 1
MONITOR = 2
class zlogging.enum.NetControl.CatchReleaseActions(value)[source]

Bases: enum.IntFlag

The enum that contains the different kinds of messages that are logged by catch and release.

c.f. policy/frameworks/netcontrol/catch-and-release.zeek

INFO = 1
ADDED = 2
DROP = 4
DROPPED = 8
UNBLOCK = 16
FORGOTTEN = 32
SEEN_AGAIN = 64

Notice Namespace

Namespace: Notice.

class zlogging.enum.Notice.Action(value)[source]

Bases: enum.IntFlag

These are values representing actions that can be taken with notices.

c.f. base/frameworks/notice/main.zeek

ACTION_NONE = 1
ACTION_LOG = 2
ACTION_EMAIL = 4
ACTION_ALARM = 8
ACTION_EMAIL_ADMIN = 16
ACTION_PAGE = 32
ACTION_ADD_GEODATA = 64
ACTION_DROP = 128
class zlogging.enum.Notice.Type(value)[source]

Bases: enum.IntFlag

Scripts creating new notices need to redef this enum to add their own specific notice types which would then get used when they call the NOTICE function. The convention is to give a general category along with the specific notice separating words with underscores and using leading capitals on each word except for abbreviations which are kept in all capitals. For example, SSH::Password_Guessing is for hosts that have crossed a threshold of failed SSH logins.

c.f. base/frameworks/notice/main.zeek

Tally = 1
Weird__Activity = 2
Signatures__Sensitive_Signature = 4
Signatures__Multiple_Signatures = 8
Signatures__Multiple_Sig_Responders = 16
Signatures__Count_Signature = 32
Signatures__Signature_Summary = 64
PacketFilter__Compile_Failure = 128
PacketFilter__Install_Failure = 256
PacketFilter__Too_Long_To_Compile_Filter = 512
PacketFilter__Dropped_Packets = 1024
ProtocolDetector__Protocol_Found = 2048
ProtocolDetector__Server_Found = 4096
Intel__Notice = 8192
TeamCymruMalwareHashRegistry__Match = 16384
PacketFilter__No_More_Conn_Shunts_Available = 32768
PacketFilter__Cannot_BPF_Shunt_Conn = 65536
Software__Software_Version_Change = 131072
Software__Vulnerable_Version = 262144
CaptureLoss__Too_Much_Loss = 524288
Traceroute__Detected = 1048576
Scan__Address_Scan = 2097152
Scan__Port_Scan = 4194304
Conn__Retransmission_Inconsistency = 8388608
Conn__Content_Gap = 16777216
DNS__External_Name = 33554432
FTP__Bruteforcing = 67108864
FTP__Site_Exec_Success = 134217728
HTTP__SQL_Injection_Attacker = 268435456
HTTP__SQL_Injection_Victim = 536870912
SMTP__Blocklist_Error_Message = 1073741824
SMTP__Blocklist_Blocked_Host = 2147483648
SMTP__Suspicious_Origination = 4294967296
SSH__Password_Guessing = 8589934592
SSH__Login_By_Password_Guesser = 17179869184
SSH__Watched_Country_Login = 34359738368
SSH__Interesting_Hostname_Login = 68719476736
SSL__Certificate_Expired = 137438953472
SSL__Certificate_Expires_Soon = 274877906944
SSL__Certificate_Not_Valid_Yet = 549755813888
Heartbleed__SSL_Heartbeat_Attack = 1099511627776
Heartbleed__SSL_Heartbeat_Attack_Success = 2199023255552
Heartbleed__SSL_Heartbeat_Odd_Length = 4398046511104
Heartbleed__SSL_Heartbeat_Many_Requests = 8796093022208
SSL__Invalid_Server_Cert = 17592186044416
SSL__Invalid_Ocsp_Response = 35184372088832
SSL__Weak_Key = 70368744177664
SSL__Old_Version = 140737488355328
SSL__Weak_Cipher = 281474976710656
ZeekygenExample__Zeekygen_One = 562949953421312
ZeekygenExample__Zeekygen_Two = 1125899906842624
ZeekygenExample__Zeekygen_Three = 2251799813685248
ZeekygenExample__Zeekygen_Four = 4503599627370496

OpenFlow Namespace

Namespace: OpenFlow.

class zlogging.enum.OpenFlow.ofp_action_type(value)[source]

Bases: enum.IntFlag

OpenFlow action_type definitions.

The OpenFlow action type defines what actions OpenFlow can take to modify a packet.

c.f. base/frameworks/openflow/consts.zeek

OFPAT_OUTPUT = 1
OFPAT_SET_VLAN_VID = 2
OFPAT_SET_VLAN_PCP = 4
OFPAT_STRIP_VLAN = 8
OFPAT_SET_DL_SRC = 16
OFPAT_SET_DL_DST = 32
OFPAT_SET_NW_SRC = 64
OFPAT_SET_NW_DST = 128
OFPAT_SET_NW_TOS = 256
OFPAT_SET_TP_SRC = 512
OFPAT_SET_TP_DST = 1024
OFPAT_ENQUEUE = 2048
OFPAT_VENDOR = 4096
class zlogging.enum.OpenFlow.ofp_config_flags(value)[source]

Bases: enum.IntFlag

OpenFlow config flag definitions.

TODO: describe

c.f. base/frameworks/openflow/consts.zeek

OFPC_FRAG_NORMAL = 1
OFPC_FRAG_DROP = 2
OFPC_FRAG_REASM = 4
OFPC_FRAG_MASK = 8
class zlogging.enum.OpenFlow.ofp_flow_mod_command(value)[source]

Bases: enum.IntFlag

OpenFlow flow_mod_command definitions.

The OpenFlow flow_mod_command describes what kind of flow-table modification an action performs.

c.f. base/frameworks/openflow/consts.zeek

OFPFC_ADD = 1
OFPFC_MODIFY = 2
OFPFC_MODIFY_STRICT = 4
OFPFC_DELETE = 8
OFPFC_DELETE_STRICT = 16
class zlogging.enum.OpenFlow.Plugin(value)[source]

Bases: enum.IntFlag

Available OpenFlow plugins.

c.f. base/frameworks/openflow/types.zeek

INVALID = 1
RYU = 2
OFLOG = 4
BROKER = 8

ProtocolDetector Namespace

Namespace: ProtocolDetector.

class zlogging.enum.ProtocolDetector.dir(value)[source]

Bases: enum.IntFlag

c.f. policy/frameworks/dpd/detect-protocols.zeek

NONE = 1
INCOMING = 2
OUTGOING = 4
BOTH = 8

Reporter Namespace

Namespace: Reporter.

class zlogging.enum.Reporter.Level(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

INFO = 1
WARNING = 2
ERROR = 4

SMB Namespace

Namespace: SMB.

class zlogging.enum.SMB.Action(value)[source]

Bases: enum.IntFlag

Abstracted actions for SMB file actions.

c.f. base/protocols/smb/main.zeek

FILE_READ = 1
FILE_WRITE = 2
FILE_OPEN = 4
FILE_CLOSE = 8
FILE_DELETE = 16
FILE_RENAME = 32
FILE_SET_ATTRIBUTE = 64
PIPE_READ = 128
PIPE_WRITE = 256
PIPE_OPEN = 512
PIPE_CLOSE = 1024
PRINT_READ = 2048
PRINT_WRITE = 4096
PRINT_OPEN = 8192
PRINT_CLOSE = 16384

SOCKS Namespace

Namespace: SOCKS.

class zlogging.enum.SOCKS.RequestType(value)[source]

Bases: enum.IntFlag

c.f. base/protocols/socks/consts.zeek

CONNECTION = 1
PORT = 2
UDP_ASSOCIATE = 4

SSL Namespace

Namespace: SSL.

class zlogging.enum.SSL.SctSource(value)[source]

Bases: enum.IntFlag

List of the different sources for Signed Certificate Timestamps.

c.f. policy/protocols/ssl/validate-sct.zeek

SCT_X509_EXT = 1
SCT_TLS_EXT = 2
SCT_OCSP_EXT = 4

Signatures Namespace

Namespace: Signatures.

class zlogging.enum.Signatures.Action(value)[source]

Bases: enum.IntFlag

These are the default actions you can apply to signature matches. All of them write the signature record to the logging stream unless declared otherwise.

c.f. base/frameworks/signatures/main.zeek

SIG_IGNORE = 1
SIG_QUIET = 2
SIG_LOG = 4
SIG_FILE_BUT_NO_SCAN = 8
SIG_ALARM = 16
SIG_ALARM_PER_ORIG = 32
SIG_ALARM_ONCE = 64
SIG_COUNT_PER_RESP = 128
SIG_SUMMARY = 256

Software Namespace

Namespace: Software.

class zlogging.enum.Software.Type(value)[source]

Bases: enum.IntFlag

Scripts detecting new types of software need to redef this enum to add their own specific software types which would then be used when they create Software::Info records.

c.f. base/frameworks/software/main.zeek

UNKNOWN = 1
OS__WINDOWS = 2
DHCP__SERVER = 4
DHCP__CLIENT = 8
FTP__CLIENT = 16
FTP__SERVER = 32
HTTP__WEB_APPLICATION = 64
HTTP__BROWSER_PLUGIN = 128
HTTP__SERVER = 256
HTTP__APPSERVER = 512
HTTP__BROWSER = 1024
MySQL__SERVER = 2048
SMTP__MAIL_CLIENT = 4096
SMTP__MAIL_SERVER = 8192
SMTP__WEBMAIL_SERVER = 16384
SSH__SERVER = 32768
SSH__CLIENT = 65536

SumStats Namespace

Namespace: SumStats.

class zlogging.enum.SumStats.Calculation(value)[source]

Bases: enum.IntFlag

Type to represent the calculations that are available. The calculations are all defined as plugins.

c.f. base/frameworks/sumstats/main.zeek

PLACEHOLDER = 1
AVERAGE = 2
HLL_UNIQUE = 4
LAST = 8
MAX = 16
MIN = 32
SAMPLE = 64
VARIANCE = 128
STD_DEV = 256
SUM = 512
TOPK = 1024
UNIQUE = 2048

Tunnel Namespace

Namespace: Tunnel.

class zlogging.enum.Tunnel.Type(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

NONE = 1
IP = 2
AYIYA = 4
TEREDO = 8
SOCKS = 16
GTPv1 = 32
HTTP = 64
GRE = 128
VXLAN = 256
class zlogging.enum.Tunnel.Action(value)[source]

Bases: enum.IntFlag

Types of interesting activity that can occur with a tunnel.

c.f. base/frameworks/tunnels/main.zeek

DISCOVER = 1
CLOSE = 2
EXPIRE = 4

Weird Namespace

Namespace: Weird.

class zlogging.enum.Weird.Action(value)[source]

Bases: enum.IntFlag

Types of actions that may be taken when handling weird activity events.

c.f. base/frameworks/notice/weird.zeek

ACTION_UNSPECIFIED = 1
ACTION_IGNORE = 2
ACTION_LOG = 4
ACTION_LOG_ONCE = 8
ACTION_LOG_PER_CONN = 16
ACTION_LOG_PER_ORIG = 32
ACTION_NOTICE = 64
ACTION_NOTICE_ONCE = 128
ACTION_NOTICE_PER_CONN = 256
ACTION_NOTICE_PER_ORIG = 512

ZeekygenExample Namespace

Namespace: ZeekygenExample.

class zlogging.enum.ZeekygenExample.SimpleEnum(value)[source]

Bases: enum.IntFlag

Documentation for the “SimpleEnum” type goes here. It can span multiple lines.

c.f. zeekygen/example.zeek

ONE = 1
TWO = 2
THREE = 4
FOUR = 8
FIVE = 16

zeek Namespace

Namespace: zeek.

class zlogging.enum.zeek.TableChange(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

TABLE_ELEMENT_NEW = 1
TABLE_ELEMENT_CHANGED = 2
TABLE_ELEMENT_REMOVED = 4
TABLE_ELEMENT_EXPIRED = 8
class zlogging.enum.zeek.layer3_proto(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

L3_IPV4 = 1
L3_IPV6 = 2
L3_ARP = 4
L3_UNKNOWN = 8
class zlogging.enum.zeek.link_encap(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

LINK_ETHERNET = 1
LINK_UNKNOWN = 2
class zlogging.enum.zeek.rpc_status(value)[source]

Bases: enum.IntFlag

c.f. base/bif/types.bif.zeek

RPC_SUCCESS = 1
RPC_PROG_UNAVAIL = 2
RPC_PROG_MISMATCH = 4
RPC_PROC_UNAVAIL = 8
RPC_GARBAGE_ARGS = 16
RPC_SYSTEM_ERR = 32
RPC_TIMEOUT = 64
RPC_VERS_MISMATCH = 128
RPC_AUTH_ERROR = 256
RPC_UNKNOWN_ERROR = 512
class zlogging.enum.zeek.IPAddrAnonymization(value)[source]

Bases: enum.IntFlag

See also: anonymize_addr

c.f. base/init-bare.zeek

KEEP_ORIG_ADDR = 1
SEQUENTIALLY_NUMBERED = 2
RANDOM_MD5 = 4
PREFIX_PRESERVING_A50 = 8
PREFIX_PRESERVING_MD5 = 16
class zlogging.enum.zeek.IPAddrAnonymizationClass(value)[source]

Bases: enum.IntFlag

See also: anonymize_addr

c.f. base/init-bare.zeek

ORIG_ADDR = 1
RESP_ADDR = 2
OTHER_ADDR = 4
class zlogging.enum.zeek.PcapFilterID(value)[source]

Bases: enum.IntFlag

Enum type identifying dynamic BPF filters. These are used by Pcap::precompile_pcap_filter and Pcap::precompile_pcap_filter.

c.f. base/init-bare.zeek

None = 1
PacketFilter__DefaultPcapFilter = 2
PacketFilter__FilterTester = 4
class zlogging.enum.zeek.pkt_profile_modes(value)[source]

Bases: enum.IntFlag

Output modes for packet profiling information.

See also: pkt_profile_mode, pkt_profile_freq, pkt_profile_file

c.f. base/init-bare.zeek

PKT_PROFILE_MODE_NONE = 1
PKT_PROFILE_MODE_SECS = 2
PKT_PROFILE_MODE_PKTS = 4
PKT_PROFILE_MODE_BYTES = 8
class zlogging.enum.zeek.transport_proto(value)[source]

Bases: enum.IntFlag

A connection’s transport-layer protocol. Note that Zeek uses the term “connection” broadly, using flow semantics for ICMP and UDP.

c.f. base/init-bare.zeek

unknown_transport = 1
tcp = 2
udp = 4
icmp = 8
class zlogging.enum.zeek.Direction(value)[source]

Bases: enum.IntFlag

c.f. base/utils/directions-and-hosts.zeek

INBOUND = 1
OUTBOUND = 2
BIDIRECTIONAL = 4
NO_DIRECTION = 8
class zlogging.enum.zeek.Host(value)[source]

Bases: enum.IntFlag

c.f. base/utils/directions-and-hosts.zeek

LOCAL_HOSTS = 1
REMOTE_HOSTS = 2
ALL_HOSTS = 4
NO_HOSTS = 8