site.zeek

Site

Definitions describing a site - which networks and DNS zones are “local” and “neighbors”, and servers running particular services.

Namespace: Site
Imports: base/utils/patterns.zeek

Summary

Runtime Options

`Site::local_admins`: `table` `&redef`	If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.
`Site::local_nets`: `set` `&redef`	Networks that are considered “local”.
`Site::local_zones`: `set` `&redef`	DNS zones that are considered “local”.
`Site::neighbor_nets`: `set` `&redef`	Networks that are considered “neighbors”.
`Site::neighbor_zones`: `set` `&redef`	DNS zones that are considered “neighbors”.
`Site::private_address_space`: `set` `&redef`	A list of subnets that are considered private address space.

Redefinable Options

Site::private_address_space_is_local: bool &redef

Whether Zeek should automatically consider private address ranges “local”.

State Variables

Site::local_nets_table: table

This is used for retrieving the subnet when using multiple entries in Site::local_nets.

Functions

`Site::get_emails`: `function`	Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument.
`Site::is_local_addr`: `function`	Function that returns true if an address corresponds to one of the local networks, false if not.
`Site::is_local_name`: `function`	Function that returns true if a host name is within a local DNS zone.
`Site::is_neighbor_addr`: `function`	Function that returns true if an address corresponds to one of the neighbor networks, false if not.
`Site::is_neighbor_name`: `function`	Function that returns true if a host name is within a neighbor DNS zone.
`Site::is_private_addr`: `function`	Function that returns true if an address corresponds to one of the private/unrouted networks, false if not.

Detailed Interface

Runtime Options

Site::local_admins 

Type: table [subnet] of set [string]
Attributes: &redef
Default: {}

If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.

Site::local_nets 

Type: set [subnet]
Attributes: &redef
Default: {}

Networks that are considered “local”. Note that ZeekControl sets this automatically.

Site::local_zones 

Type: set [string]
Attributes: &redef
Default: {}

DNS zones that are considered “local”.

Site::neighbor_nets 

Type: set [subnet]
Attributes: &redef
Default: {}

Networks that are considered “neighbors”.

Site::neighbor_zones 

Type: set [string]
Attributes: &redef
Default: {}

DNS zones that are considered “neighbors”.

Site::private_address_space 

Type

set [subnet]

Attributes

&redef

Default

{
ff9b:1::/48,
18.0.0/15,
   fc00::/7,
64.0.0/10,
   ::/128,
ffff:ffff::/48,
   ::1/128,
cb00:7100::/40,
0.0.0/4,
c633:6400::/40,
a00::/24,
:/64,
255.255.255/32,
0.0.0/24,
0.0.0/8,
2::/48,
c000:200::/40,
16.0.0/12,
f000::/20,
7f00::/24,
:/23,
6440::/26,
c000::/40,
0.0.0/8,
0.0.0/8,
0.2.0/24,
168.0.0/16,
ac10::/28,
a9fe::/32,
c612::/31,
254.0.0/16,
:/24,
   fe80::/10,
db8::/32,
0.113.0/24,
c0a8::/32,
51.100.0/24
}

A list of subnets that are considered private address space.

By default, it has address blocks defined by IANA as not being routable over the Internet. Some address blocks are reserved for purposes inconsistent with the address architecture (such as 5f00::/16), making them neither clearly private nor routable. We do not include such blocks in this list.

See the IPv4 Special-Purpose Address Registry and the IPv6 Special-Purpose Address Registry

Redefinable Options

Site::private_address_space_is_local 

Type: bool
Attributes: &redef
Default: T

Whether Zeek should automatically consider private address ranges “local”. On by default, this setting ensures that the initial value of Site::private_address_space as well as any later updates to it get copied over into Site::local_nets.

State Variables

Site::local_nets_table 

Type: table [subnet] of subnet
Default: {}

This is used for retrieving the subnet when using multiple entries in Site::local_nets. It’s populated automatically from there. A membership query can be done with an addr and the table will yield the subnet it was found within.

Functions

Site::get_emails 

Type: function (a: addr) : string

Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument. The function inspects Site::local_admins.

Site::is_local_addr 

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the local networks, false if not. The function inspects Site::local_nets.

Site::is_local_name 

Type: function (name: string) : bool

Function that returns true if a host name is within a local DNS zone. The function inspects Site::local_zones.

Site::is_neighbor_addr 

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the neighbor networks, false if not. The function inspects Site::neighbor_nets.

Site::is_neighbor_name 

Type: function (name: string) : bool

Function that returns true if a host name is within a neighbor DNS zone. The function inspects Site::neighbor_zones.

Site::is_private_addr 

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the private/unrouted networks, false if not. The function inspects Site::private_address_space.