policy/protocols/conn/known-services.bro

Known

This script logs and tracks services. For the purposes of this script, a service is defined as an IP address and port that has responded to and fully completed a TCP handshake with another host. If an application-layer protocol is detected during the session, that protocol is also recorded (in the service field of the log entry).

Namespace:Known
Imports:base/utils/directions-and-hosts.bro
Source File:/scripts/policy/protocols/conn/known-services.bro

Summary

Options

Known::service_tracking: Host &redef The hosts whose services should be tracked and logged.

State Variables

Known::known_services: set &create_expire = 1.0 day &synchronized Tracks the set of daily-detected services for preventing the logging of duplicates, but can also be inspected by other scripts for different purposes.

Types

Known::ServicesInfo: record The record type which contains the column fields of the known-services log.

Redefinitions

Log::ID: enum The known-services logging stream identifier.
connection: record

Events

Known::log_known_services: event Event that can be handled to access the Known::ServicesInfo record as it is sent on to the logging framework.

Detailed Interface

Options

Known::service_tracking
Type:Host
Attributes:&redef
Default:ALL_HOSTS

The hosts whose services should be tracked and logged. See Host for possible choices.

State Variables

Known::known_services
Type:set [addr, port]
Attributes:&create_expire = 1.0 day &synchronized
Default:{}

Tracks the set of daily-detected services for preventing the logging of duplicates, but can also be inspected by other scripts for different purposes.

Types

Known::ServicesInfo
Type:

record

ts: time &log

The time at which the service was detected.

host: addr &log

The host address on which the service is running.

port_num: port &log

The port number on which the service is running.

port_proto: transport_proto &log

The transport-layer protocol which the service uses.

service: set [string] &log

A set of protocols that match the service’s connection payloads.

The record type which contains the column fields of the known-services log.

Events

Known::log_known_services
Type:event (rec: Known::ServicesInfo)

Event that can be handled to access the Known::ServicesInfo record as it is sent on to the logging framework.
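The following is an added example of a site policy script built on this interface; it is not part of the Bro distribution or of known-services.bro itself. It restricts tracking to local hosts by redefining Known::service_tracking (see Host), handles Known::log_known_services to raise a notice when a newly logged service is not in a per-host allow-list, and shows another script consulting Known::known_services directly. The module name, the Unexpected_Service notice type, the expected_services table and the addresses and ports in it are assumptions chosen for illustration.

```bro
##! Added example (not part of the Bro distribution): restrict known-services
##! tracking to local hosts and alert on services that are not expected.

@load base/frameworks/notice
@load protocols/conn/known-services

module KnownServicesAudit;

export {
	redef enum Notice::Type += {
		## Raised when a service is logged on a host/port pair that is
		## not in the expected_services allow-list (assumed local policy).
		Unexpected_Service,
	};

	## Hypothetical allow-list: host -> set of ports it is expected to serve.
	## The addresses and ports here are constructed sample data.
	const expected_services: table[addr] of set[port] = {
		[10.0.0.10] = set(22/tcp, 443/tcp),
		[10.0.0.20] = set(53/tcp, 53/udp),
	} &redef;
}

# Only track services on hosts inside Site::local_nets instead of the
# default ALL_HOSTS; remote services are then neither logged nor audited.
redef Known::service_tracking = LOCAL_HOSTS;

# This event fires once per newly detected host/port pair (per day, given
# the &create_expire on Known::known_services), just before the record is
# handed to the logging framework, so it is a cheap place to audit services.
event Known::log_known_services(rec: Known::ServicesInfo)
	{
	local p = rec$port_num;

	if ( rec$host in expected_services && p in expected_services[rec$host] )
		return;

	# rec$service may be empty if no application protocol was detected.
	local svc = |rec$service| > 0 ? join_string_set(rec$service, ",") : "unknown";

	NOTICE([$note=Unexpected_Service,
	        $msg=fmt("unexpected %s service on %s:%s (%s)",
	                 rec$port_proto, rec$host, p, svc),
	        $src=rec$host,
	        $p=p,
	        # Suppress repeats for the same host/port for a day, matching
	        # the expiry of the known_services set.
	        $identifier=cat(rec$host, p),
	        $suppress_for=1day]);
	}

# Known::known_services is exported, so other scripts can consult it, e.g. to
# decide whether a host is already known to offer a port before acting on it.
function host_offers(h: addr, p: port): bool
	{
	return [h, p] in Known::known_services;
	}
```

Because the set is &synchronized, host_offers gives the same answer on every node of a cluster once the state has propagated; a service seen only seconds ago on another worker may not be there yet, so treat a negative answer as "not yet known" rather than "absent".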

Copyright 2016, The Bro Project. Last updated on October 21, 2017. Created using Sphinx 1.5.2.