Notice Namespace
Namespace: Notice
- class zlogging.enum.notice.Action(value, names=<not given>, *values, module=None, qualname=None, type=None, start=1, boundary=None)
Bases: IntFlag
Enum: Notice::Action
These are values representing actions that can be taken with notices.
- ACTION_NONE = 1
Indicates that there is no action to be taken.
- ACTION_LOG = 2
Indicates that the notice should be sent to the notice logging stream.
- ACTION_EMAIL = 4
Indicates that the notice should be sent to the email address(es) configured in the Notice::mail_dest variable.
- ACTION_ALARM = 8
Indicates that the notice should be alarmed. A readable ASCII version is saved in notice_alarm log, and emailed in bulk to the address(es) configured in Notice::mail_dest.
- ACTION_DROP = 16
Indicates that the notice should result in a drop action. The exact action taken depends on loaded policy scripts; see e.g. NetControl::acld_rule_policy.
- ACTION_EMAIL_ADMIN = 32
(present if base/frameworks/notice/actions/email_admin.zeek is loaded) Indicate that the generated email should be addressed to the appropriate email addresses as found by the Site::get_emails function based on the relevant address or addresses indicated in the notice.
- ACTION_PAGE = 64
(present if base/frameworks/notice/actions/page.zeek is loaded) Indicates that the notice should be sent to the pager email address configured in the Notice::mail_page_dest variable.
- ACTION_ADD_GEODATA = 128
(present if base/frameworks/notice/actions/add-geodata.zeek is loaded) Indicates that the notice should have geodata added for the “remote” host. Site::local_nets must be defined in order for this to work.
- static _generate_next_value_(name, start, count, last_values)
Generate the next value when not given.
name: the name of the member
start: the initial start value or None
count: the number of existing members
last_values: the last value assigned or None
- class zlogging.enum.notice.Type(value, names=<not given>, *values, module=None, qualname=None, type=None, start=1, boundary=None)
Bases: IntFlag
Enum: Notice::Type
Scripts creating new notices need to redef this enum to add their own specific notice types, which would then get used when they call the NOTICE function. The convention is to give a general category along with the specific notice, separating words with underscores and using leading capitals on each word except for abbreviations, which are kept in all capitals. For example, SSH::Password_Guessing is for hosts that have crossed a threshold of failed SSH logins.
- Tally = 1
Notice reporting a count of how often a notice occurred.
- Weird_Activity = 2
Weird::Activity (present if base/frameworks/notice/weird.zeek is loaded) Generic unusual but notice-worthy weird activity.
- Signatures_Sensitive_Signature = 4
Signatures::Sensitive_Signature (present if base/frameworks/signatures/main.zeek is loaded) Generic notice type for notice-worthy signature matches.
- Signatures_Multiple_Signatures = 8
Signatures::Multiple_Signatures (present if base/frameworks/signatures/main.zeek is loaded) Host has triggered many signatures on the same host. The number of signatures is defined by the Signatures::vert_scan_thresholds variable.
- Signatures_Multiple_Sig_Responders = 16
Signatures::Multiple_Sig_Responders (present if base/frameworks/signatures/main.zeek is loaded) Host has triggered the same signature on multiple hosts as defined by the Signatures::horiz_scan_thresholds variable.
- Signatures_Count_Signature = 32
Signatures::Count_Signature (present if base/frameworks/signatures/main.zeek is loaded) The same signature has triggered multiple times for a host. The number of times the signature has been triggered is defined by the Signatures::count_thresholds variable. To generate this notice, the Signatures::SIG_COUNT_PER_RESP action must be set for the signature.
- Signatures_Signature_Summary = 64
Signatures::Signature_Summary (present if base/frameworks/signatures/main.zeek is loaded) Summarize the number of times a host triggered a signature. The interval between summaries is defined by the Signatures::summary_interval variable.
- PacketFilter_Compile_Failure = 128
PacketFilter::Compile_Failure (present if base/frameworks/packet-filter/main.zeek is loaded) This notice is generated if a packet filter cannot be compiled.
- PacketFilter_Install_Failure = 256
PacketFilter::Install_Failure (present if base/frameworks/packet-filter/main.zeek is loaded) Generated if a packet filter fails to install.
- PacketFilter_Too_Long_To_Compile_Filter = 512
PacketFilter::Too_Long_To_Compile_Filter (present if base/frameworks/packet-filter/main.zeek is loaded) Generated when a notice takes too long to compile.
- PacketFilter_Dropped_Packets = 1024
PacketFilter::Dropped_Packets (present if base/frameworks/packet-filter/netstats.zeek is loaded) Indicates packets were dropped by the packet filter.
- Spicy_Spicy_Max_File_Depth_Exceeded = 2048
Spicy::Spicy_Max_File_Depth_Exceeded (present if base/frameworks/spicy/main.zeek is loaded)
- ProtocolDetector_Protocol_Found = 4096
ProtocolDetector::Protocol_Found (present if policy/frameworks/dpd/detect-protocols.zeek is loaded)
- ProtocolDetector_Server_Found = 8192
ProtocolDetector::Server_Found (present if policy/frameworks/dpd/detect-protocols.zeek is loaded)
- Intel_Notice = 16384
Intel::Notice (present if policy/frameworks/intel/do_notice.zeek is loaded) This notice is generated when an intelligence indicator is denoted to be notice-worthy.
- TeamCymruMalwareHashRegistry_Match = 32768
TeamCymruMalwareHashRegistry::Match (present if policy/frameworks/files/detect-MHR.zeek is loaded) The hash value of a file transferred over HTTP matched in the malware hash registry.
- PacketFilter_No_More_Conn_Shunts_Available = 65536
PacketFilter::No_More_Conn_Shunts_Available (present if policy/frameworks/packet-filter/shunt.zeek is loaded) Indicative that PacketFilter::max_bpf_shunts connections are already being shunted with BPF filters and no more are allowed.
- PacketFilter_Cannot_BPF_Shunt_Conn = 131072
PacketFilter::Cannot_BPF_Shunt_Conn (present if policy/frameworks/packet-filter/shunt.zeek is loaded) Limitations in BPF make shunting some connections with BPF impossible. This notice encompasses those various cases.
- Software_Software_Version_Change = 262144
Software::Software_Version_Change (present if policy/frameworks/software/version-changes.zeek is loaded) For certain software, a version changing may matter. In that case, this notice will be generated. Software that matters if the version changes can be configured with the Software::interesting_version_changes variable.
- Software_Vulnerable_Version = 524288
Software::Vulnerable_Version (present if policy/frameworks/software/vulnerable.zeek is loaded) Indicates that a vulnerable version of software was detected.
- CaptureLoss_Too_Much_Loss = 1048576
CaptureLoss::Too_Much_Loss (present if policy/misc/capture-loss.zeek is loaded) Report if the detected capture loss exceeds the percentage threshold defined in CaptureLoss::too_much_loss.
- CaptureLoss_Too_Little_Traffic = 2097152
CaptureLoss::Too_Little_Traffic (present if policy/misc/capture-loss.zeek is loaded) Report if the traffic seen by a peer within a given watch interval is less than CaptureLoss::minimum_acks.
- Traceroute_Detected = 4194304
Traceroute::Detected (present if policy/misc/detect-traceroute/main.zeek is loaded) Indicates that a host was seen running traceroutes. For more detail about specific traceroutes that we run, refer to the traceroute.log.
- Conn_Retransmission_Inconsistency = 8388608
Conn::Retransmission_Inconsistency (present if policy/protocols/conn/weirds.zeek is loaded) Possible evasion; usually just chud.
- Conn_Content_Gap = 16777216
Conn::Content_Gap (present if policy/protocols/conn/weirds.zeek is loaded) Data has sequence hole; perhaps due to filtering.
- DNS_External_Name = 33554432
DNS::External_Name (present if policy/protocols/dns/detect-external-names.zeek is loaded) Raised when a non-local name is found to be pointing at a local host. The Site::local_zones variable must be set appropriately for this detection.
- FTP_Bruteforcing = 67108864
FTP::Bruteforcing (present if policy/protocols/ftp/detect-bruteforcing.zeek is loaded) Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.
- FTP_Site_Exec_Success = 134217728
FTP::Site_Exec_Success (present if policy/protocols/ftp/detect.zeek is loaded) Indicates that a successful response to a “SITE EXEC” command/arg pair was seen.
- HTTP_SQL_Injection_Attacker = 268435456
HTTP::SQL_Injection_Attacker (present if policy/protocols/http/detect-sqli.zeek is loaded) Indicates that a host performing SQL injection attacks was detected.
- HTTP_SQL_Injection_Victim = 536870912
HTTP::SQL_Injection_Victim (present if policy/protocols/http/detect-sqli.zeek is loaded) Indicates that a host was seen to have SQL injection attacks against it. This is tracked by IP address as opposed to hostname.
- SMTP_Blocklist_Error_Message = 1073741824
SMTP::Blocklist_Error_Message (present if policy/protocols/smtp/blocklists.zeek is loaded) An SMTP server sent a reply mentioning an SMTP block list.
- SMTP_Blocklist_Blocked_Host = 2147483648
SMTP::Blocklist_Blocked_Host (present if policy/protocols/smtp/blocklists.zeek is loaded) The originator’s address is seen in the block list error message. This is useful to detect local hosts sending SPAM with a high positive rate.
- SMTP_Suspicious_Origination = 4294967296
SMTP::Suspicious_Origination (present if policy/protocols/smtp/detect-suspicious-orig.zeek is loaded)
- SSH_Password_Guessing = 8589934592
SSH::Password_Guessing (present if policy/protocols/ssh/detect-bruteforcing.zeek is loaded) Indicates that a host has been identified as crossing the SSH::password_guesses_limit threshold with failed logins.
- SSH_Login_By_Password_Guesser = 17179869184
SSH::Login_By_Password_Guesser (present if policy/protocols/ssh/detect-bruteforcing.zeek is loaded) Indicates that a host previously identified as a “password guesser” has now had a successful login attempt. This is not currently implemented.
- SSH_Watched_Country_Login = 34359738368
SSH::Watched_Country_Login (present if policy/protocols/ssh/geo-data.zeek is loaded) If an SSH login is seen to or from a “watched” country based on the SSH::watched_countries variable then this notice will be generated.
- SSH_Interesting_Hostname_Login = 68719476736
SSH::Interesting_Hostname_Login (present if policy/protocols/ssh/interesting-hostnames.zeek is loaded) Generated if a login originates or responds with a host where the reverse hostname lookup resolves to a name matched by the SSH::interesting_hostnames regular expression.
- SSL_Certificate_Expired = 137438953472
SSL::Certificate_Expired (present if policy/protocols/ssl/expiring-certs.zeek is loaded) Indicates that a certificate’s NotValidAfter date has lapsed and the certificate is now invalid.
- SSL_Certificate_Expires_Soon = 274877906944
SSL::Certificate_Expires_Soon (present if policy/protocols/ssl/expiring-certs.zeek is loaded) Indicates that a certificate is going to expire within SSL::notify_when_cert_expiring_in.
- SSL_Certificate_Not_Valid_Yet = 549755813888
SSL::Certificate_Not_Valid_Yet (present if policy/protocols/ssl/expiring-certs.zeek is loaded) Indicates that a certificate’s NotValidBefore date is future dated.
- Heartbleed_SSL_Heartbeat_Attack = 1099511627776
Heartbleed::SSL_Heartbeat_Attack (present if policy/protocols/ssl/heartbleed.zeek is loaded) Indicates that a host performed a heartbleed attack or scan.
- Heartbleed_SSL_Heartbeat_Attack_Success = 2199023255552
Heartbleed::SSL_Heartbeat_Attack_Success (present if policy/protocols/ssl/heartbleed.zeek is loaded) Indicates that a host performing a heartbleed attack was probably successful.
- Heartbleed_SSL_Heartbeat_Odd_Length = 4398046511104
Heartbleed::SSL_Heartbeat_Odd_Length (present if policy/protocols/ssl/heartbleed.zeek is loaded) Indicates we saw heartbeat requests with odd length. Probably an attack or scan.
- Heartbleed_SSL_Heartbeat_Many_Requests = 8796093022208
Heartbleed::SSL_Heartbeat_Many_Requests (present if policy/protocols/ssl/heartbleed.zeek is loaded) Indicates we saw many heartbeat requests without a reply. Might be an attack.
- SSL_Invalid_Server_Cert = 17592186044416
SSL::Invalid_Server_Cert (present if policy/protocols/ssl/validate-certs.zeek is loaded) This notice indicates that the result of validating the certificate along with its full certificate chain was invalid.
- SSL_Invalid_Ocsp_Response = 35184372088832
SSL::Invalid_Ocsp_Response (present if policy/protocols/ssl/validate-ocsp.zeek is loaded) This indicates that the OCSP response was not deemed to be valid.
- SSL_Weak_Key = 70368744177664
SSL::Weak_Key (present if policy/protocols/ssl/weak-keys.zeek is loaded) Indicates that a server is using a potentially unsafe key.
- SSL_Old_Version = 140737488355328
SSL::Old_Version (present if policy/protocols/ssl/weak-keys.zeek is loaded) Indicates that a server is using a potentially unsafe version.
- SSL_Weak_Cipher = 281474976710656
SSL::Weak_Cipher (present if policy/protocols/ssl/weak-keys.zeek is loaded) Indicates that a server is using a potentially unsafe cipher.
- ZeekygenExample_Zeekygen_One = 562949953421312
ZeekygenExample::Zeekygen_One (present if zeekygen/example.zeek is loaded) Any number of this type of comment will document “Zeekygen_One”.
- ZeekygenExample_Zeekygen_Two = 1125899906842624
ZeekygenExample::Zeekygen_Two (present if zeekygen/example.zeek is loaded) Any number of this type of comment will document “ZEEKYGEN_TWO”.
- ZeekygenExample_Zeekygen_Three = 2251799813685248
ZeekygenExample::Zeekygen_Three (present if zeekygen/example.zeek is loaded)
- ZeekygenExample_Zeekygen_Four = 4503599627370496
ZeekygenExample::Zeekygen_Four (present if zeekygen/example.zeek is loaded) Omitting comments is fine, and so is mixing ## and ##<, but it’s probably best to use only one style consistently.
- static _generate_next_value_(name, start, count, last_values)
Generate the next value when not given.
name: the name of the member
start: the initial start value or None
count: the number of existing members
last_values: the last value assigned or None
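The following is an added example, not code from the zlogging package or from Zeek, showing how the two enums above map onto what Zeek actually writes to notice.log: the `actions` field is a set of `Notice::ACTION_*` names that combine naturally into one IntFlag value, and the `note` field is a `Namespace::Name` type that this module flattens to `Namespace_Name` (with the bare `Notice::` namespace dropped, as in `Notice::Tally` → `Tally`). The `Action` class here is a local mirror of the values listed on this page so that the example runs without zlogging installed; `(empty)` and `-` are Zeek's default empty-set and unset-field markers.

```python
from enum import IntFlag

# Local mirror of the Notice::Action values listed on this page (constructed
# for this example so it runs without the zlogging package installed).
class Action(IntFlag):
    ACTION_NONE = 1
    ACTION_LOG = 2
    ACTION_EMAIL = 4
    ACTION_ALARM = 8
    ACTION_DROP = 16
    ACTION_EMAIL_ADMIN = 32
    ACTION_PAGE = 64
    ACTION_ADD_GEODATA = 128

NAMESPACE = "Notice"
UNSET, EMPTY, SET_SEP = "-", "(empty)", ","   # Zeek ASCII writer defaults

def parse_actions(field: str) -> Action:
    """Combine a notice.log `actions` set field into one Action flag value.

    Zeek writes the set as e.g. "Notice::ACTION_LOG,Notice::ACTION_EMAIL".
    Unknown names or foreign namespaces raise instead of being silently dropped.
    """
    result = Action(0)
    if field in (UNSET, EMPTY):
        return result
    for item in field.split(SET_SEP):
        ns, _, name = item.rpartition("::")
        if ns != NAMESPACE or name not in Action.__members__:
            raise ValueError(f"unrecognised Notice action: {item!r}")
        result |= Action[name]
    return result

def type_member_name(note: str) -> str:
    """Map a Zeek notice type to the member name this module uses:
    "SSH::Password_Guessing" -> "SSH_Password_Guessing"; types in the Notice
    namespace itself keep only the bare name ("Notice::Tally" -> "Tally")."""
    ns, _, name = note.rpartition("::")
    return name if ns in ("", NAMESPACE) else f"{ns}_{name}"

# Actions that route a notice to a person rather than only to a log stream.
HUMAN_FACING = Action.ACTION_EMAIL | Action.ACTION_EMAIL_ADMIN | Action.ACTION_PAGE | Action.ACTION_ALARM

def needs_human_attention(field: str) -> bool:
    return bool(parse_actions(field) & HUMAN_FACING)

if __name__ == "__main__":
    # Constructed (note, actions) pairs as they would appear in notice.log.
    for note, actions in [("SSH::Password_Guessing", "Notice::ACTION_LOG,Notice::ACTION_EMAIL"),
                          ("Notice::Tally", "Notice::ACTION_LOG")]:
        print(type_member_name(note), parse_actions(actions), needs_human_attention(actions))
```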