Analyzer::Tag
Type: |
|
---|
ARP Parsing
arp_request
Type: | event (mac_src: string , mac_dst: string , SPA: addr , SHA: string , TPA: addr , THA: string ) |
---|
Generated for ARP requests.
See Wikipedia for more information about the ARP protocol.
Mac_src: | The request’s source MAC address. |
---|---|
Mac_dst: | The request’s destination MAC address. |
SPA: | The sender protocol address. |
SHA: | The sender hardware address. |
TPA: | The target protocol address. |
THA: | The target hardware address. |
arp_reply
Type: | event (mac_src: string , mac_dst: string , SPA: addr , SHA: string , TPA: addr , THA: string ) |
---|
Generated for ARP replies.
See Wikipedia for more information about the ARP protocol.
Mac_src: | The reply’s source MAC address. |
---|---|
Mac_dst: | The reply’s destination MAC address. |
SPA: | The sender protocol address. |
SHA: | The sender hardware address. |
TPA: | The target protocol address. |
THA: | The target hardware address. |
See also: arp_request
, bad_arp
bad_arp
Type: | event (SPA: addr , SHA: string , TPA: addr , THA: string , explanation: string ) |
---|
Generated for ARP packets that Bro cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
SPA: | The sender protocol address. |
---|---|
SHA: | The sender hardware address. |
TPA: | The target protocol address. |
THA: | The target hardware address. |
Explanation: | A short description of why the ARP packet is considered “bad”. |
See also: arp_reply
, arp_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
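The following script is an added example of consuming the three ARP events above; it is not part of the Bro distribution or of this page's original text. It keeps the last hardware address announced for each protocol address and raises notices when that binding changes, when the sender MAC in the ARP payload disagrees with the Ethernet source MAC, and when the analyzer itself reports a packet as bad. The module and notice names, the one-hour expiry and the use of the Notice framework are the example's own choices. The Todo note above still applies: the handlers only fire once the ARP analyzer is actually enabled.

```zeek
# Added example: track IP-to-MAC bindings from ARP replies and alert on changes.
# Module/notice names and the expiry interval are assumptions of this example.
@load base/frameworks/notice

module ARPWatch;

export {
    redef enum Notice::Type += {
        ## An IP address was announced with a MAC different from the one seen before.
        Mapping_Changed,
        ## The SHA inside the ARP payload differs from the Ethernet source MAC.
        Sender_Mismatch,
        ## Bro could not interpret the ARP packet (see bad_arp).
        Bad_Packet,
    };

    ## Last hardware address seen per protocol address. Entries expire so that
    ## legitimate re-assignments (e.g., DHCP churn) do not keep alerting forever.
    global bindings: table[addr] of string &create_expire=1hr;
}

# A reply whose payload SHA does not match the frame's source MAC is a classic
# sign of a spoofed reply (proxy-ARP setups should be whitelisted here).
event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    if ( mac_src != SHA )
        NOTICE([$note=Sender_Mismatch,
                $msg=fmt("ARP reply for %s: frame source %s but SHA %s", SPA, mac_src, SHA),
                $src=SPA, $identifier=cat(SPA, SHA)]);

    if ( SPA in bindings && bindings[SPA] != SHA )
        NOTICE([$note=Mapping_Changed,
                $msg=fmt("%s moved from %s to %s", SPA, bindings[SPA], SHA),
                $src=SPA, $identifier=cat(SPA, bindings[SPA], SHA)]);

    bindings[SPA] = SHA;
    }

# Surface the analyzer's own verdict; explanation says why the packet is bad.
event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
    {
    NOTICE([$note=Bad_Packet, $msg=explanation, $src=SPA, $sub=SHA]);
    }
```

The `$identifier` fields let the Notice framework suppress repeats of the same binding change; without them a flapping address would produce one notice per reply.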
Backdoor Analyzer deprecated
backdoor_stats
Type: | event (c: connection , os: backdoor_endp_stats , rs: backdoor_endp_stats ) |
---|
Deprecated. Will be removed.
backdoor_remove_conn
Type: | event (c: connection ) |
---|
Deprecated. Will be removed.
ftp_signature_found
Type: | event (c: connection ) |
---|
Deprecated. Will be removed.
gnutella_signature_found
Type: | event (c: connection ) |
---|
Deprecated. Will be removed.
http_signature_found
Type: | event (c: connection ) |
---|
Deprecated. Will be removed.
irc_signature_found
Type: | event (c: connection ) |
---|
Deprecated. Will be removed.
telnet_signature_found
Type: | event (c: connection , is_orig: bool , len: count ) |
---|
Deprecated. Will be removed.
ssh_signature_found
Type: | event (c: connection , is_orig: bool ) |
---|
Deprecated. Will be removed.
rlogin_signature_found
Type: | event (c: connection , is_orig: bool , num_null: count , len: count ) |
---|
Deprecated. Will be removed.
smtp_signature_found
Type: | event (c: connection ) |
---|
Deprecated. Will be removed.
http_proxy_signature_found
Type: | event (c: connection ) |
---|
Deprecated. Will be removed.
BitTorrent Analyzer
bittorrent_peer_handshake
Type: | event (c: connection , is_orig: bool , reserved: string , info_hash: string , peer_id: string ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_keep_alive
Type: | event (c: connection , is_orig: bool ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_choke
Type: | event (c: connection , is_orig: bool ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_unchoke
Type: | event (c: connection , is_orig: bool ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_interested
Type: | event (c: connection , is_orig: bool ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_not_interested
Type: | event (c: connection , is_orig: bool ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_have
Type: | event (c: connection , is_orig: bool , piece_index: count ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_bitfield
Type: | event (c: connection , is_orig: bool , bitfield: string ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_request
Type: | event (c: connection , is_orig: bool , index: count , begin: count , length: count ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_piece
Type: | event (c: connection , is_orig: bool , index: count , begin: count , piece_length: count ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_cancel
Type: | event (c: connection , is_orig: bool , index: count , begin: count , length: count ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_port
Type: | event (c: connection , is_orig: bool , listen_port: port ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bittorrent_peer_unknown
Type: | event (c: connection , is_orig: bool , message_id: count , data: string ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_weird
bittorrent_peer_weird
Type: | event (c: connection , is_orig: bool , msg: string ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
bt_tracker_request
Type: | event (c: connection , uri: string , headers: bt_tracker_headers ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bt_tracker_response
Type: | event (c: connection , status: count , headers: bt_tracker_headers , peers: bittorrent_peer_set , benc: bittorrent_benc_dir ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bt_tracker_response_not_ok
Type: | event (c: connection , status: count , headers: bt_tracker_headers ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
bt_tracker_weird
Type: | event (c: connection , is_orig: bool , msg: string ) |
---|
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield
, bittorrent_peer_cancel
, bittorrent_peer_choke
, bittorrent_peer_handshake
, bittorrent_peer_have
, bittorrent_peer_interested
, bittorrent_peer_keep_alive
, bittorrent_peer_not_interested
, bittorrent_peer_piece
, bittorrent_peer_port
, bittorrent_peer_request
, bittorrent_peer_unchoke
, bittorrent_peer_unknown
, bittorrent_peer_weird
Connection size analyzer
conn_bytes_threshold_crossed
Type: | event (c: connection , threshold: count , is_orig: bool ) |
---|
Generated for a connection that crossed a set byte threshold. This is a low-level event that user code should usually avoid; use ConnThreshold::bytes_threshold_crossed instead.
C: | the connection |
---|---|
Threshold: | the threshold that was set |
Is_orig: | true if the threshold was crossed by the originator of the connection |
See also: set_current_conn_packets_threshold
, set_current_conn_bytes_threshold
, conn_packets_threshold_crossed
, get_current_conn_bytes_threshold
, get_current_conn_packets_threshold
conn_packets_threshold_crossed
Type: | event (c: connection , threshold: count , is_orig: bool ) |
---|
Generated for a connection that crossed a set packet threshold. This is a low-level event that user code should usually avoid; use ConnThreshold::packets_threshold_crossed instead.
C: | the connection |
---|---|
Threshold: | the threshold that was set |
Is_orig: | true if the threshold was crossed by the originator of the connection |
See also: set_current_conn_packets_threshold
, set_current_conn_bytes_threshold
, conn_bytes_threshold_crossed
, get_current_conn_bytes_threshold
, get_current_conn_packets_threshold
set_current_conn_bytes_threshold
Type: | function (cid: conn_id , threshold: count , is_orig: bool ) : bool |
---|
Sets the current byte threshold for a connection, overwriting any previously set threshold. In nearly every case you will want the high-level API instead (ConnThreshold::set_bytes_threshold).
Cid: | The connection id. |
---|---|
Threshold: | Threshold in bytes. |
Is_orig: | If true, the threshold is set for bytes from the originator, otherwise for bytes from the responder. |
See also: set_current_conn_packets_threshold
, conn_bytes_threshold_crossed
, conn_packets_threshold_crossed
, get_current_conn_bytes_threshold
, get_current_conn_packets_threshold
set_current_conn_packets_threshold
Type: | function (cid: conn_id , threshold: count , is_orig: bool ) : bool |
---|
Sets the current packet threshold for a connection, overwriting any previously set threshold. In nearly every case you will want the high-level API instead (ConnThreshold::set_packets_threshold).
Cid: | The connection id. |
---|---|
Threshold: | Threshold in packets. |
Is_orig: | If true, the threshold is set for packets from the originator, otherwise for packets from the responder. |
See also: set_current_conn_bytes_threshold
, conn_bytes_threshold_crossed
, conn_packets_threshold_crossed
, get_current_conn_bytes_threshold
, get_current_conn_packets_threshold
get_current_conn_bytes_threshold
Type: | function (cid: conn_id , is_orig: bool ) : count |
---|
Gets the current byte threshold size for a connection.
Cid: | The connection id. |
---|---|
Is_orig: | If true, the threshold of the originator, otherwise the threshold of the responder. |
Returns: | The threshold in bytes, or 0 if no threshold is set. |
See also: set_current_conn_packets_threshold
, conn_bytes_threshold_crossed
, conn_packets_threshold_crossed
, get_current_conn_packets_threshold
get_current_conn_packets_threshold
Type: | function (cid: conn_id , is_orig: bool ) : count |
---|
Gets the current packet threshold size for a connection.
Cid: | The connection id. |
---|---|
Is_orig: | If true, the threshold of the originator, otherwise the threshold of the responder. |
Returns: | The threshold in packets, or 0 if no threshold is set. |
See also: set_current_conn_packets_threshold
, conn_bytes_threshold_crossed
, conn_packets_threshold_crossed
, get_current_conn_bytes_threshold
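As an added example (not code from Bro or from this page), the script below uses the high-level ConnThreshold API that the descriptions above recommend over the raw set_current_conn_* functions. It arms an originator-side byte threshold on every established TCP connection and raises a notice when a host has sent more than the limit, then re-arms a higher threshold so the connection keeps being watched. The module and notice names and the 100 MB limit are assumptions of the example.

```zeek
# Added example: detect large uploads with ConnThreshold instead of the
# low-level set_current_conn_bytes_threshold / conn_bytes_threshold_crossed.
# Module/notice names and the limit are assumptions of this example.
@load base/frameworks/notice
@load base/protocols/conn

module LargeUpload;

export {
    redef enum Notice::Type += {
        ## The originator of a connection has sent more than upload_limit bytes.
        Threshold_Crossed,
    };

    ## Bytes the originator may send before a notice is raised (assumed value).
    const upload_limit = 100 * 1024 * 1024 &redef;
}

# Arm the originator-side byte threshold once the handshake completes. The
# function returns F if the threshold could not be set for this connection.
event connection_established(c: connection)
    {
    if ( ! ConnThreshold::set_bytes_threshold(c, upload_limit, T) )
        Reporter::warning(fmt("could not set byte threshold on %s", c$uid));
    }

# A crossed threshold is not re-armed automatically. To keep watching a
# connection that already crossed the limit, set the next one here (doubling).
event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    if ( ! is_orig )
        return;

    NOTICE([$note=Threshold_Crossed,
            $msg=fmt("%s -> %s sent more than %d bytes", c$id$orig_h, c$id$resp_h, threshold),
            $conn=c, $identifier=cat(c$uid, threshold)]);

    ConnThreshold::set_bytes_threshold(c, threshold * 2, T);
    }
```

Because is_orig is passed to the handler, the same script can watch downloads by arming a second threshold with is_orig set to F; the low-level conn_bytes_threshold_crossed event would fire as well, but the high-level handler is the one user code should react to.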
DCE-RPC analyzer
DCE_RPC::PType
Type: |
|
---|
DCE_RPC::IfID
Type: |
|
---|
dce_rpc_message
Type: | event (c: connection , is_orig: bool , fid: count , ptype_id: count , ptype: DCE_RPC::PType ) |
---|
Generated for every DCE-RPC message.
C: | The connection. |
---|---|
Is_orig: | True if the message was sent by the originator of the TCP connection. |
Fid: | File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. |
Ptype_id: | Numeric representation of the message’s PDU (packet) type. |
Ptype: | Enum representation of the message’s PDU (packet) type. |
See also: dce_rpc_bind
, dce_rpc_bind_ack
, dce_rpc_request
, dce_rpc_response
dce_rpc_bind
Type: | event (c: connection , fid: count , uuid: string , ver_major: count , ver_minor: count ) |
---|
Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
C: | The connection. |
---|---|
Fid: | File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. |
Uuid: | The string-interpreted UUID of the endpoint (interface) being requested. |
Ver_major: | The major version of the endpoint being requested. |
Ver_minor: | The minor version of the endpoint being requested. |
See also: dce_rpc_message
, dce_rpc_bind_ack
, dce_rpc_request
, dce_rpc_response
dce_rpc_bind_ack
Type: | event (c: connection , fid: count , sec_addr: string ) |
---|
Generated for every DCE-RPC bind acknowledgement (bind_ack) message.
C: | The connection. |
---|---|
Fid: | File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. |
Sec_addr: | Secondary address for the ack. |
See also: dce_rpc_message
, dce_rpc_bind
, dce_rpc_request
, dce_rpc_response
dce_rpc_request
Type: | event (c: connection , fid: count , opnum: count , stub_len: count ) |
---|
Generated for every DCE-RPC request message.
C: | The connection. |
---|---|
Fid: | File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. |
Opnum: | Number of the RPC operation. |
Stub_len: | Length of the data for the request. |
See also: dce_rpc_message
, dce_rpc_bind
, dce_rpc_bind_ack
, dce_rpc_response
dce_rpc_response
Type: | event (c: connection , fid: count , opnum: count , stub_len: count ) |
---|
Generated for every DCE-RPC response message.
C: | The connection. |
---|---|
Fid: | File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. |
Opnum: | Number of the RPC operation. |
Stub_len: | Length of the data for the response. |
See also: dce_rpc_message
, dce_rpc_bind
, dce_rpc_bind_ack
, dce_rpc_request
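The bind and request events above are most useful together: a dce_rpc_request carries only an opnum, so a script has to remember which interface the connection bound to in order to say what the opnum means. The script below is an added example (not Bro's own DCE-RPC scripts) that records the UUID from each bind, keyed by connection UID, and raises a notice when a request goes to an interface on a watch list. The module and notice names are assumptions; the single UUID on the watch list is the well-known Service Control Manager (svcctl) interface from MS-SCMR, written in the lowercase hyphenated form the example assumes the analyzer uses. Since a connection may bind several interfaces and the event signature has no context id, the example keeps only the most recent bind, which is a best-effort mapping.

```zeek
# Added example: attribute DCE-RPC requests (opnum only) to the interface the
# connection bound to. Module/notice names and the UUID format are assumptions.
@load base/frameworks/notice

module RPCWatch;

export {
    redef enum Notice::Type += {
        ## A request was issued against an interface in sensitive_interfaces.
        Sensitive_Call,
    };

    ## Interface UUIDs worth alerting on. The entry is the well-known svcctl
    ## interface (MS-SCMR), assumed to be rendered lowercase and hyphenated.
    const sensitive_interfaces: set[string] = {
        "367abb81-9844-35f1-ad32-98f038001003",
    } &redef;
}

# Last interface bound on each connection, keyed by Bro's connection UID.
# Multiple binds on one connection overwrite each other: best-effort only.
global bound_iface: table[string] of string;

event dce_rpc_bind(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count)
    {
    bound_iface[c$uid] = uuid;
    }

event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count)
    {
    if ( c$uid !in bound_iface )
        return;

    local iface = bound_iface[c$uid];
    if ( iface in sensitive_interfaces )
        NOTICE([$note=Sensitive_Call,
                $msg=fmt("%s -> %s called opnum %d on %s (%d stub bytes)",
                         c$id$orig_h, c$id$resp_h, opnum, iface, stub_len),
                $conn=c, $identifier=cat(c$uid, iface, opnum)]);
    }

# Drop state with the connection so the table cannot grow without bound.
event connection_state_remove(c: connection)
    {
    delete bound_iface[c$uid];
    }
```

The fid parameter is left unused here; when DCE-RPC rides over SMB named pipes it identifies the pipe, and a stricter version of this script would key the table on (uid, fid) so that two pipes on one SMB session cannot be confused.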
DHCP analyzer
dhcp_discover
Type: | event (c: connection , msg: dhcp_msg , req_addr: addr , host_name: string ) |
---|
Generated for DHCP messages of type DHCPDISCOVER (client broadcast to locate available servers).
C: | The connection record describing the underlying UDP flow. |
---|---|
Msg: | The parsed type-independent part of the DHCP message. |
Req_addr: | The specific address requested by the client. |
Host_name: | The value of the host name option, if specified by the client. |
See also: dhcp_discover
, dhcp_offer
, dhcp_request
, dhcp_decline
, dhcp_ack
, dhcp_nak
, dhcp_release
, dhcp_inform
Note
Bro does not support broadcast packets (as used by the DHCP protocol). It treats broadcast addresses just like any other and associates packets into transport-level flows in the same way as usual.
dhcp_offer
Type: | event (c: connection , msg: dhcp_msg , mask: addr , router: dhcp_router_list , lease: interval , serv_addr: addr , host_name: string ) |
---|
Generated for DHCP messages of type DHCPOFFER (server to client in response to DHCPDISCOVER with offer of configuration parameters).
C: | The connection record describing the underlying UDP flow. |
---|---|
Msg: | The parsed type-independent part of the DHCP message. |
Mask: | The subnet mask specified by the message. |
Router: | The list of routers specified by the message. |
Lease: | The lease interval specified by the message. |
Serv_addr: | The server address specified by the message. |
Host_name: | Optional host name value. May differ from the host name requested by the client. |
See also: dhcp_discover
, dhcp_request
, dhcp_decline
, dhcp_ack
, dhcp_nak
, dhcp_release
, dhcp_inform
Note
Bro does not support broadcast packets (as used by the DHCP protocol). It treats broadcast addresses just like any other and associates packets into transport-level flows in the same way as usual.
dhcp_request
Type: | event (c: connection , msg: dhcp_msg , req_addr: addr , serv_addr: addr , host_name: string ) |
---|
Generated for DHCP messages of type DHCPREQUEST (Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.)
C: | The connection record describing the underlying UDP flow. |
---|---|
Msg: | The parsed type-independent part of the DHCP message. |
Req_addr: | The client address specified by the message. |
Serv_addr: | The server address specified by the message. |
Host_name: | The value of the host name option, if specified by the client. |
See also: dhcp_discover
, dhcp_offer
, dhcp_decline
, dhcp_ack
, dhcp_nak
, dhcp_release
, dhcp_inform
Note
Bro does not support broadcast packets (as used by the DHCP protocol). It treats broadcast addresses just like any other and associates packets into transport-level flows in the same way as usual.
dhcp_decline
Type: | event (c: connection , msg: dhcp_msg , host_name: string ) |
---|
Generated for DHCP messages of type DHCPDECLINE (Client to server indicating network address is already in use).
C: | The connection record describing the underlying UDP flow. |
---|---|
Msg: | The parsed type-independent part of the DHCP message. |
Host_name: | Optional host name value. |
See also: dhcp_discover
, dhcp_offer
, dhcp_request
, dhcp_ack
, dhcp_nak
, dhcp_release
, dhcp_inform
Note
Bro does not support broadcast packets (as used by the DHCP protocol). It treats broadcast addresses just like any other and associates packets into transport-level flows in the same way as usual.
dhcp_ack
Type: | event (c: connection , msg: dhcp_msg , mask: addr , router: dhcp_router_list , lease: interval , serv_addr: addr , host_name: string ) |
---|
Generated for DHCP messages of type DHCPACK (Server to client with configuration parameters, including committed network address).
C: | The connection record describing the underlying UDP flow. |
---|---|
Msg: | The parsed type-independent part of the DHCP message. |
Mask: | The subnet mask specified by the message. |
Router: | The list of routers specified by the message. |
Lease: | The lease interval specified by the message. |
Serv_addr: | The server address specified by the message. |
Host_name: | Optional host name value. May differ from the host name requested by the client. |
See also: dhcp_discover
, dhcp_offer
, dhcp_request
, dhcp_decline
, dhcp_nak
, dhcp_release
, dhcp_inform
dhcp_nak
Type: | event (c: connection , msg: dhcp_msg , host_name: string ) |
---|
Generated for DHCP messages of type DHCPNAK (Server to client indicating client’s notion of network address is incorrect (e.g., client has moved to new subnet) or client’s lease has expired).
C: | The connection record describing the underlying UDP flow. |
---|---|
Msg: | The parsed type-independent part of the DHCP message. |
Host_name: | Optional host name value. |
See also: dhcp_discover
, dhcp_offer
, dhcp_request
, dhcp_decline
, dhcp_ack
, dhcp_release
, dhcp_inform
Note
Bro does not support broadcast packets (as used by the DHCP protocol). It treats broadcast addresses just like any other and associates packets into transport-level flows in the same way as usual.
dhcp_release
Type: | event (c: connection , msg: dhcp_msg , host_name: string ) |
---|
Generated for DHCP messages of type DHCPRELEASE (Client to server relinquishing network address and cancelling remaining lease).
C: | The connection record describing the underlying UDP flow. |
---|---|
Msg: | The parsed type-independent part of the DHCP message. |
Host_name: | The value of the host name option, if specified by the client. |
See also: dhcp_discover
, dhcp_offer
, dhcp_request
, dhcp_decline
, dhcp_ack
, dhcp_nak
, dhcp_inform
dhcp_inform
Type: | event (c: connection , msg: dhcp_msg , host_name: string ) |
---|
Generated for DHCP messages of type DHCPINFORM (Client to server, asking only for local configuration parameters; client already has externally configured network address).
C: | The connection record describing the underlying UDP flow. |
---|---|
Msg: | The parsed type-independent part of the DHCP message. |
Host_name: | The value of the host name option, if specified by the client. |
See also: dhcp_discover
, dhcp_offer
, dhcp_request
, dhcp_decline
, dhcp_ack
, dhcp_nak
, dhcp_release
Note
Bro does not support broadcast packets (as used by the DHCP protocol). It treats broadcast addresses just like any other and associates packets into transport-level flows in the same way as usual.
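The broadcast note above has a practical consequence for anyone writing DHCP handlers: the DISCOVER (0.0.0.0 to 255.255.255.255) and the OFFER (server to broadcast) can land in two different flows, so the DHCP server may be either endpoint of c$id. The script below is an added example (not Bro's own DHCP scripts) of a rogue-server check that copes with this by testing both the server-identifier option (serv_addr) and the flow endpoints against a set of known servers. The module and notice names and the 192.0.2.1 server address are assumptions; the example also assumes dhcp_msg carries a y_addr field (the address being handed out), as it does in Bro 2.x.

```zeek
# Added example: alert on DHCP offers/acks from servers that are not on the
# allow list. Module/notice names, server addresses and the dhcp_msg$y_addr
# field are assumptions of this example.
@load base/frameworks/notice

module DHCPWatch;

export {
    redef enum Notice::Type += {
        ## A lease was offered or acknowledged by a server not in known_servers.
        Rogue_Server,
    };

    ## Legitimate DHCP servers (and relay agents, if any). Assumed values.
    const known_servers: set[addr] = { 192.0.2.1 } &redef;
}

# Bro does not treat broadcast specially, so the server can be orig_h or resp_h
# depending on which packet opened the flow. A server that forges the
# server-identifier option but sends from its own IP fails the flow check, and
# one that spoofs the IP but not the option fails the option check.
function check_server(c: connection, serv_addr: addr, what: string, leased: addr)
    {
    local by_option = serv_addr in known_servers;
    local by_flow   = c$id$orig_h in known_servers || c$id$resp_h in known_servers;

    if ( by_option && by_flow )
        return;

    NOTICE([$note=Rogue_Server,
            $msg=fmt("DHCP %s for %s: server option %s, flow %s <-> %s",
                     what, leased, serv_addr, c$id$orig_h, c$id$resp_h),
            $conn=c, $identifier=cat(serv_addr, c$id$orig_h, c$id$resp_h)]);
    }

event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list,
                 lease: interval, serv_addr: addr, host_name: string)
    {
    check_server(c, serv_addr, "OFFER", msg$y_addr);
    }

event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list,
               lease: interval, serv_addr: addr, host_name: string)
    {
    check_server(c, serv_addr, "ACK", msg$y_addr);
    }
```

Where DHCP relays are in use the relay's address, not the server's, is what appears on the wire, so relays belong in known_servers as well; an attacker who spoofs both the option and the IP source of a legitimate server is outside what this check can see.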
DNP3 UDP/TCP analyzers
dnp3_application_request_header
Type: | event (c: connection , is_orig: bool , application: count , fc: count ) |
---|
Generated for a DNP3 request header.
C: | The connection the DNP3 communication is part of. |
---|---|
Is_orig: | True if this reflects originator-side activity. |
Fc: | The function code. |
dnp3_application_response_header
Type: | event (c: connection , is_orig: bool , application: count , fc: count , iin: count ) |
---|
Generated for a DNP3 response header.
C: | The connection the DNP3 communication is part of. |
---|---|
Is_orig: | True if this reflects originator-side activity. |
Fc: | The function code. |
Iin: | The internal indication number. |
dnp3_object_header
Type: | event (c: connection , is_orig: bool , obj_type: count , qua_field: count , number: count , rf_low: count , rf_high: count ) |
---|
Generated for the object header found in both DNP3 requests and responses.
C: | The connection the DNP3 communication is part of. |
---|---|
Is_orig: | True if this reflects originator-side activity. |
Obj_type: | Type of object, classified by an 8-bit group number and an 8-bit variation number. |
Qua_field: | Qualifier field. |
Number: | TODO. |
Rf_low: | The structure of the range field depends on the qualifier field. In some cases the range field has only one logical part, e.g., the number of objects, so only rf_low carries a useful value. |
Rf_high: | In some cases the range field has two logical parts, e.g., a start index and a stop index; then rf_low holds the start index and rf_high the stop index. |
dnp3_object_prefix
Type: | event (c: connection , is_orig: bool , prefix_value: count ) |
---|
Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.
C: | The connection the DNP3 communication is part of. |
---|---|
Is_orig: | True if this reflects originator-side activity. |
Prefix_value: | The prefix. |
dnp3_header_block
Type: | event (c: connection , is_orig: bool , start: count , len: count , ctrl: count , dest_addr: count , src_addr: count ) |
---|
Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).
C: | The connection the DNP3 communication is part of. |
---|---|
Is_orig: | True if this reflects originator-side activity. |
Start: | the first two bytes of the DNP3 Pseudo Link Layer; its value is fixed as 0x0564. |
Len: | the “length” field in the DNP3 Pseudo Link Layer. |
Ctrl: | the “control” field in the DNP3 Pseudo Link Layer. |
Dest_addr: | the “destination” field in the DNP3 Pseudo Link Layer. |
Src_addr: | the “source” field in the DNP3 Pseudo Link Layer. |
dnp3_response_data_object
Type: | event (c: connection , is_orig: bool , data_value: count ) |
---|
Generated for a DNP3 “Response_Data_Object”. A “Response_Data_Object” has two parts: an object prefix and the object data. In most cases the object data is described by a dedicated record type, but in a few cases it is a basic type such as int16 or int8; data_value carries the value in those cases.
C: | The connection the DNP3 communication is part of. |
---|---|
Is_orig: | True if this reflects originator-side activity. |
Data_value: | The value for those objects that carry their information here directly. |
dnp3_attribute_common
Type: | event (c: connection , is_orig: bool , data_type_code: count , leng: count , attribute_obj: string ) |
---|
Generated for DNP3 attributes.
dnp3_crob
Type: | event (c: connection , is_orig: bool , control_code: count , count8: count , on_time: count , off_time: count , status_code: count ) |
---|
Generated for DNP3 objects with group number 12 and variation number 1 (CROB: control relay output block).
dnp3_pcb
Type: | event (c: connection , is_orig: bool , control_code: count , count8: count , on_time: count , off_time: count , status_code: count ) |
---|
Generated for DNP3 objects with group number 12 and variation number 2 (PCB: pattern control block).
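CROB and PCB objects are the ones that actually move outputs in the field, so they are where an ICS monitor wants an authorization check. The script below is an added example (not Bro's own DNP3 scripts) that combines dnp3_application_request_header with dnp3_crob and dnp3_pcb: it remembers the function code of the latest request on each connection and raises a notice when an operate-type request carrying a control block comes from a host that is not a known master. The module and notice names and the master address are assumptions; the function-code values 4, 5 and 6 (OPERATE, DIRECT_OPERATE, DIRECT_OPERATE_NR) are from the DNP3 standard, and the example assumes the usual deployment in which the master opens the TCP connection to the outstation.

```zeek
# Added example: alert on DNP3 control outputs (CROB, PCB) operated by a host
# that is not an authorised master. Module/notice names and the master list
# are assumptions of this example.
@load base/frameworks/notice

module DNP3Watch;

export {
    redef enum Notice::Type += {
        ## A control output was operated by a host that is not a known master.
        Unauthorised_Control,
    };

    ## Hosts allowed to operate outputs (assumed value; redef per site).
    const masters: set[addr] = { 192.0.2.10 } &redef;

    ## DNP3 function codes that actuate an output: OPERATE (4), DIRECT_OPERATE (5),
    ## DIRECT_OPERATE_NR (6). SELECT (3) only arms a point and is left out.
    const operate_fcs: set[count] = { 4, 5, 6 } &redef;
}

# Function code of the latest request per connection, keyed by Bro's
# connection UID; the object events below do not carry it themselves.
global last_fc: table[string] of count;

event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count)
    {
    last_fc[c$uid] = fc;
    }

# The master opens the TCP connection, so a request comes from c$id$orig_h.
# The outstation echoes the same object (with a status) in its response, i.e.
# with is_orig == F; that echo is not a command and must not alert.
function check_control(c: connection, is_orig: bool, kind: string, control_code: count, count8: count)
    {
    if ( ! is_orig )
        return;

    if ( c$uid !in last_fc || last_fc[c$uid] !in operate_fcs )
        return;

    if ( c$id$orig_h in masters )
        return;

    NOTICE([$note=Unauthorised_Control,
            $msg=fmt("%s operated a %s on %s (fc %d, control code %d, count %d)",
                     c$id$orig_h, kind, c$id$resp_h, last_fc[c$uid], control_code, count8),
            $conn=c, $identifier=cat(c$id$orig_h, c$id$resp_h, kind)]);
    }

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
    {
    check_control(c, is_orig, "CROB", control_code, count8);
    }

event dnp3_pcb(c: connection, is_orig: bool, control_code: count, count8: count,
               on_time: count, off_time: count, status_code: count)
    {
    check_control(c, is_orig, "PCB", control_code, count8);
    }

# Drop per-connection state when the connection ends.
event connection_state_remove(c: connection)
    {
    delete last_fc[c$uid];
    }
```

Gating on the function code matters: a SELECT carrying a CROB is harmless on its own, and alerting on it would double the noise for every legitimate select-before-operate sequence.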
dnp3_counter_32wFlag
Type: | event (c: connection , is_orig: bool , flag: count , count_value: count ) |
---|
Generated for DNP3 objects with group number 20 and variation number 1 (32-bit counter with flag).
dnp3_counter_16wFlag
Type: | event (c: connection , is_orig: bool , flag: count , count_value: count ) |
---|
Generated for DNP3 objects with group number 20 and variation number 2 (16-bit counter with flag).
dnp3_counter_32woFlag
Type: | event (c: connection , is_orig: bool , count_value: count ) |
---|
Generated for DNP3 objects with group number 20 and variation number 5 (32-bit counter without flag).
dnp3_counter_16woFlag
Type: | event (c: connection , is_orig: bool , count_value: count ) |
---|
Generated for DNP3 objects with group number 20 and variation number 6 (16-bit counter without flag).
dnp3_frozen_counter_32wFlag
Type: | event (c: connection , is_orig: bool , flag: count , count_value: count ) |
---|
Generated for DNP3 objects with group number 21 and variation number 1 (32-bit frozen counter with flag).
dnp3_frozen_counter_16wFlag
Type: | event (c: connection , is_orig: bool , flag: count , count_value: count ) |
---|
Generated for DNP3 objects with group number 21 and variation number 2 (16-bit frozen counter with flag).
dnp3_frozen_counter_32wFlagTime
Type: | event (c: connection , is_orig: bool , flag: count , count_value: count , time48: count ) |
---|
Generated for DNP3 objects with group number 21 and variation number 5 (32-bit frozen counter with flag and time).
dnp3_frozen_counter_16wFlagTime
Type: | event (c: connection , is_orig: bool , flag: count , count_value: count , time48: count ) |
---|
Generated for DNP3 objects with group number 21 and variation number 6 (16-bit frozen counter with flag and time).
dnp3_frozen_counter_32woFlag
Type: | event (c: connection , is_orig: bool , count_value: count ) |
---|
Generated for DNP3 objects with group number 21 and variation number 9 (32-bit frozen counter without flag).
dnp3_frozen_counter_16woFlag
Type: | event (c: connection , is_orig: bool , count_value: count ) |
---|
Generated for DNP3 objects with group number 21 and variation number 10 (16-bit frozen counter without flag).
dnp3_analog_input_32wFlag
Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag
dnp3_analog_input_16wFlag
Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag
dnp3_analog_input_32woFlag
Type: | event (c: connection , is_orig: bool , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag
dnp3_analog_input_16woFlag
Type: | event (c: connection , is_orig: bool , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag
dnp3_analog_input_SPwFlag
Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 5 analog input single-precision floating point with flag
dnp3_analog_input_DPwFlag
Type: | event (c: connection , is_orig: bool , flag: count , value_low: count , value_high: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 6 analog input double-precision floating point with flag
dnp3_frozen_analog_input_32wFlag
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag
dnp3_frozen_analog_input_16wFlag
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag
dnp3_frozen_analog_input_32wTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze
dnp3_frozen_analog_input_16wTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze
dnp3_frozen_analog_input_32woFlag
Type: | event (c: connection , is_orig: bool , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag
dnp3_frozen_analog_input_16woFlag
Type: | event (c: connection , is_orig: bool , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag
dnp3_frozen_analog_input_SPwFlag
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision floating point with flag
dnp3_frozen_analog_input_DPwFlag
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value_low: count , frozen_value_high: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision floating point with flag
dnp3_analog_input_event_32woTime
Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time
dnp3_analog_input_event_16woTime
Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time
dnp3_analog_input_event_32wTime
Type: | event (c: connection , is_orig: bool , flag: count , value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time
dnp3_analog_input_event_16wTime
Type: | event (c: connection , is_orig: bool , flag: count , value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time
dnp3_analog_input_event_SPwoTime
Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision floating point without time
dnp3_analog_input_event_DPwoTime
Type: | event (c: connection , is_orig: bool , flag: count , value_low: count , value_high: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision floating point without time
dnp3_analog_input_event_SPwTime
Type: | event (c: connection , is_orig: bool , flag: count , value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision floating point with time
dnp3_analog_input_event_DPwTime
Type: | event (c: connection , is_orig: bool , flag: count , value_low: count , value_high: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precision floating point with time
dnp3_frozen_analog_input_event_32woTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time
dnp3_frozen_analog_input_event_16woTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time
dnp3_frozen_analog_input_event_32wTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time
dnp3_frozen_analog_input_event_16wTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time
dnp3_frozen_analog_input_event_SPwoTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision floating point without time
dnp3_frozen_analog_input_event_DPwoTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value_low: count , frozen_value_high: count ) |
---|
Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision floating point without time
dnp3_frozen_analog_input_event_SPwTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision floating point with time
dnp3_frozen_analog_input_event_DPwTime
Type: | event (c: connection , is_orig: bool , flag: count , frozen_value_low: count , frozen_value_high: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision floating point with time
dnp3_file_transport
Type: | event (c: connection , is_orig: bool , file_handle: count , block_num: count , file_data: string ) |
---|
Generated for DNP3 objects with the group number 70 (g70, file transfer objects).
dnp3_debug_byte
Type: | event (c: connection , is_orig: bool , debug: string ) |
---|
Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this event for unknown “cases”. The user can inspect the byte string it carries to determine what caused the malformed network packets.
DNS analyzer
dns_message
Type: | event (c: connection , is_orig: bool , msg: dns_msg , len: count ) |
---|
Generated for all DNS messages.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Is_orig: | True if the message was sent by the originator of the connection. |
Msg: | The parsed DNS message header. |
Len: | The length of the message’s raw representation (i.e., the DNS payload). |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_request
Type: | event (c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ) |
---|
Generated for DNS requests. For requests with multiple queries, this event is raised once for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Query: | The queried name. |
Qtype: | The queried resource record type. |
Qclass: | The queried resource record class. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_rejected
Type: | event (c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ) |
---|
Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Query: | The queried name. |
Qtype: | The queried resource record type. |
Qclass: | The queried resource record class. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_query_reply
Type: | event (c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ) |
---|
Generated for each entry in the Question section of a DNS reply.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Query: | The queried name. |
Qtype: | The queried resource record type. |
Qclass: | The queried resource record class. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_A_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , a: addr ) |
---|
Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
A: | The address returned by the reply. |
See also: dns_AAAA_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_AAAA_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , a: addr ) |
---|
Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
A: | The address returned by the reply. |
See also: dns_A_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_A6_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , a: addr ) |
---|
Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
A: | The address returned by the reply. |
See also: dns_A_reply, dns_AAAA_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_NS_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , name: string ) |
---|
Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Name: | The name returned by the reply. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_CNAME_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , name: string ) |
---|
Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Name: | The name returned by the reply. |
See also: dns_AAAA_reply, dns_A_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_PTR_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , name: string ) |
---|
Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Name: | The name returned by the reply. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_SOA_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , soa: dns_soa ) |
---|
Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Soa: | The parsed SOA value. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_WKS_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer ) |
---|
Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_HINFO_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer ) |
---|
Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_MX_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , name: string , preference: count ) |
---|
Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Name: | The name returned by the reply. |
Preference: | The preference for name specified by the reply. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_TXT_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , strs: string_vec ) |
---|
Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Strs: | The textual information returned by the reply. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_CAA_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , flags: count , tag: string , value: string ) |
---|
Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Flags: | The flags byte of the CAA reply. |
Tag: | The property identifier of the CAA reply. |
Value: | The property value of the CAA reply. |
dns_SRV_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer , target: string , priority: count , weight: count , p: count ) |
---|
Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Target: | Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot. |
Priority: | Priority of the SRV response – the priority of the target host, lower value means more preferred. |
Weight: | Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred. |
P: | Port of the SRV response – the TCP or UDP port on which the service is to be found. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_unknown_reply
Type: | event (c: connection , msg: dns_msg , ans: dns_answer ) |
---|
Generated for DNS reply resource records whose record type Bro does not know how to parse into one of the more specific dns_*_reply events.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_SRV_reply, dns_end
dns_EDNS_addl
Type: | event (c: connection , msg: dns_msg , ans: dns_edns_additional ) |
---|
Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The parsed EDNS reply. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_TSIG_addl
Type: | event (c: connection , msg: dns_msg , ans: dns_tsig_additional ) |
---|
Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The parsed TSIG reply. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
dns_end
Type: | event (c: connection , msg: dns_msg ) |
---|
Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
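As an added example (not part of the Bro documentation or the Bro project's own scripts), the following script supplies the stateful query/reply correlation that dns_rejected itself does not perform, keys it on the connection UID and DNS transaction ID, and uses dns_end, the last dns_* event for a message, to drop state for replies that were not rejected. The module name DnsRejectWatch, the reject_threshold constant and the 30-second expiry are assumptions of this example.

```bro
# Added example, not from the Bro documentation. Correlates dns_rejected with
# the dns_request that preceded it and counts rejected lookups per client.
module DnsRejectWatch;

export {
    # Assumed tuning knob: rejected replies per originator before reporting.
    const reject_threshold = 50 &redef;
}

# Outstanding queries keyed by connection UID and DNS transaction ID, so a
# reply can be matched to the query it answers. Entries expire (assumed
# 30 seconds) so queries that never get a reply do not accumulate.
global pending: table[string, count] of time &create_expire=30sec;

# Rejected replies seen per originating host.
global rejects: table[addr] of count &default=0;

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # Remember when the query left, under its transaction ID.
    pending[c$uid, msg$id] = network_time();
    }

event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    local orig = c$id$orig_h;
    rejects[orig] += 1;

    # Every parameter of dns_rejected comes from the reply alone; the match
    # back to the query is done here, by UID and transaction ID.
    if ( [c$uid, msg$id] in pending )
        {
        local rtt = network_time() - pending[c$uid, msg$id];
        delete pending[c$uid, msg$id];
        # rcode 3 is NXDOMAIN (RFC 1035); other non-zero codes are other failures.
        print fmt("%s: query %s (qtype %d) rejected with rcode %d after %s",
                  orig, query, qtype, msg$rcode, rtt);
        }

    # Report once when a client crosses the threshold; a high rate of rejected
    # lookups from one host is worth a look (misconfiguration or lookup sweeps).
    if ( rejects[orig] == reject_threshold )
        print fmt("%s has received %d rejected DNS replies", orig, reject_threshold);
    }

event dns_end(c: connection, msg: dns_msg)
    {
    # dns_end is the last dns_* event for this message. For a reply (QR set)
    # whose transaction is still pending, no dns_rejected was raised, so the
    # query was answered normally and its state can go.
    if ( msg$QR && [c$uid, msg$id] in pending )
        delete pending[c$uid, msg$id];
    }
```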
dns_full_request
Type: | event () |
---|
Deprecated. Will be removed.
Todo
Unclear what this event is for; it’s never raised. We should just remove it.
non_dns_request
Type: | event (c: connection , msg: string ) |
---|---|
Msg: | The raw DNS payload. |
Note
This event is deprecated and superseded by Bro’s dynamic protocol detection framework.
Generic file analyzer
file_transferred
Type: | event (c: connection , prefix: string , descr: string , mime_type: string ) |
---|
Generated when a TCP connection associated with a file data transfer is seen (e.g., as happens with FTP or IRC).
C: | The connection over which file data is transferred. |
---|---|
Prefix: | Up to 1024 bytes of the file data. |
Descr: | Deprecated/unused argument. |
Mime_type: | MIME type of the file or “<unknown>” if no file magic signatures matched. |
Finger analyzer
finger_request
Type: event (c: connection, full: bool, username: string, hostname: string)
Generated for Finger requests.
See Wikipedia for more information about the Finger protocol.
c: The connection.
full: True if verbose information is requested (/W switch).
username: The request’s user name.
hostname: The request’s host name.
See also: finger_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
finger_reply
Type: event (c: connection, reply_line: string)
Generated for Finger replies.
See Wikipedia for more information about the Finger protocol.
c: The connection.
reply_line: The reply as returned by the server.
See also: finger_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
FTP analyzer
ftp_port
Type:
A parsed host/port combination describing the server endpoint for an upcoming data transfer.
See also: fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port
ftp_request
Type: event (c: connection, command: string, arg: string)
Generated for client-side FTP commands.
See Wikipedia for more information about the FTP protocol.
c: The connection.
command: The FTP command issued by the client (without any arguments).
arg: The arguments going with the command.
See also: ftp_reply, fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port
ftp_reply
Type: event (c: connection, code: count, msg: string, cont_resp: bool)
Generated for server-side FTP replies.
See Wikipedia for more information about the FTP protocol.
c: The connection.
code: The numerical response code the server responded with.
msg: The textual message of the response.
cont_resp: True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.
See also: ftp_request, fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port
parse_ftp_port
Type: function (s: string) : ftp_port
Converts a string representation of the FTP PORT command to an ftp_port.
s: The string of the FTP PORT command, e.g., "10,0,0,1,4,31".
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also: parse_eftp_port, parse_ftp_pasv, parse_ftp_epsv, fmt_ftp_port
parse_eftp_port
Type: function (s: string) : ftp_port
Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).
s: The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also: parse_ftp_port, parse_ftp_pasv, parse_ftp_epsv, fmt_ftp_port
parse_ftp_pasv
Type: function (str: string) : ftp_port
Converts the result of the FTP PASV command to an ftp_port.
str: The string containing the result of the FTP PASV command.
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also: parse_ftp_port, parse_eftp_port, parse_ftp_epsv, fmt_ftp_port
parse_ftp_epsv
Type: function (str: string) : ftp_port
Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).
str: The string containing the result of the FTP EPSV command.
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also: parse_ftp_port, parse_eftp_port, parse_ftp_pasv, fmt_ftp_port
fmt_ftp_port
Type: function (a: addr, p: port) : string
Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yields "10,0,0,1,4,31".
a: The IP address.
p: The TCP port.
Returns: The FTP PORT string.
See also: parse_ftp_port, parse_eftp_port, parse_ftp_pasv, parse_ftp_epsv
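The four parsing functions and fmt_ftp_port above all deal with the same small family of encodings. The following Python is an added example, not Bro's implementation, that works through each format with the page's own sample values: PORT and PASV use the RFC 959 "h1,h2,h3,h4,p1,p2" form with port = p1 * 256 + p2, EPRT and EPSV use the delimited RFC 2428 forms. Assumptions beyond the page: the FtpPort dataclass stands in for Bro's ftp_port record, a leading "EPRT " prefix is tolerated, an EPSV result carries an empty host because the 229 reply contains no address, and a net-prt of 1 or 2 must agree with the address family (RFC 2428). Malformed input yields valid=False rather than an exception, which is the behaviour a handler wants on hostile traffic.

```python
"""Parsers and a formatter for the FTP endpoint encodings the page documents:
the PORT/EPRT command arguments and the PASV/EPSV reply lines. Example code,
not Bro's own implementation."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FtpPort:
    """Models the fields of Bro's ftp_port record: host, TCP port, validity."""
    h: str
    p: int
    valid: bool


INVALID = FtpPort("0.0.0.0", 0, False)


def _from_hbytes(fields) -> FtpPort:
    """h1,h2,h3,h4,p1,p2 -> FtpPort; the port is p1 * 256 + p2 (RFC 959)."""
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        return INVALID
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    port = p1 * 256 + p2
    return FtpPort(f"{h1}.{h2}.{h3}.{h4}", port, True) if port else INVALID


def _port_number(text: str) -> int:
    """Validate a decimal TCP port; returns 0 when it is not usable."""
    if not text.isdigit():
        return 0
    n = int(text)
    return n if 1 <= n <= 65535 else 0


def parse_ftp_port(s: str) -> FtpPort:
    """PORT argument, e.g. "10,0,0,1,4,31" -> 10.0.0.1 port 1055."""
    return _from_hbytes(s.strip().split(","))


def parse_ftp_pasv(s: str) -> FtpPort:
    """227 reply, e.g. "227 Entering Passive Mode (10,0,0,1,4,31)" (RFC 959)."""
    m = re.search(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)", s)
    return _from_hbytes(m.group(1).split(",")) if m else INVALID


def parse_eftp_port(s: str) -> FtpPort:
    """EPRT argument "<d><net-prt><d><net-addr><d><tcp-port><d>" (RFC 2428).
    <d> is one delimiter in ASCII 33-126 (usually '|'); net-prt is 1 for IPv4
    and 2 for IPv6. A leading "EPRT " is tolerated (assumption, see lead-in)."""
    s = s.strip()
    if s.upper().startswith("EPRT "):
        s = s[5:].lstrip()
    if not s or not 33 <= ord(s[0]) <= 126:
        return INVALID
    d = s[0]
    parts = s.split(d)  # "|1|10.0.0.1|1055|" -> ['', '1', '10.0.0.1', '1055', '']
    if len(parts) != 5 or parts[0] != "" or parts[4] != "":
        return INVALID
    proto, host, port_text = parts[1], parts[2], parts[3]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return INVALID
    if (proto, ip.version) not in (("1", 4), ("2", 6)):
        return INVALID  # net-prt must agree with the address family
    port = _port_number(port_text)
    return FtpPort(str(ip), port, True) if port else INVALID


def parse_ftp_epsv(s: str) -> FtpPort:
    """229 reply "<text> (<d><d><d><tcp-port><d>)". EPSV carries no address
    (the data connection goes to the control connection's server address),
    so h is left empty here for the caller to fill in."""
    m = re.search(r"\((.)\1\1(\d+)\1\)", s)
    if not m or not 33 <= ord(m.group(1)) <= 126:
        return INVALID
    port = _port_number(m.group(2))
    return FtpPort("", port, True) if port else INVALID


def fmt_ftp_port(a: str, p: int) -> str:
    """10.0.0.1 and 1055 -> "10,0,0,1,4,31", the PORT encoding of the endpoint."""
    octets = ipaddress.IPv4Address(a).packed
    return ",".join(str(b) for b in octets) + f",{p // 256},{p % 256}"
```

A handler that only trusts endpoints with valid=True, and that compares the parsed host against the control connection's peer, avoids acting on a PORT or EPRT argument that names some third host.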
Gnutella analyzer
gnutella_text_msg
Type: event (c: connection, orig: bool, headers: string)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_signature_found
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_binary_msg
Type: event (c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_signature_found, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_partial_binary_msg
Type: event (c: connection, orig: bool, msg: string, len: count)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_signature_found, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_establish
Type: event (c: connection)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_signature_found, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_not_establish
Type: event (c: connection)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_partial_binary_msg, gnutella_signature_found, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_http_notify
Type: event (c: connection)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg, gnutella_establish, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_signature_found, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
GSSAPI analyzer
gssapi_neg_result
Type: event (c: connection, state: count)
Generated for GSSAPI negotiation results.
c: The connection.
state: The resulting state of the negotiation.
GTPv1 analyzer
gtpv1_message
Type: event (c: connection, hdr: gtpv1_hdr)
Generated for any GTP message with a GTPv1 header.
c: The connection over which the message is sent.
hdr: The GTPv1 header.
gtpv1_g_pdu_packet
Type: event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.
outer: The GTP outer tunnel connection.
inner_gtp: The GTP header.
inner_ip: The inner IP and transport layer packet headers.
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
gtpv1_create_pdp_ctx_request
Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)
Generated for GTPv1-C Create PDP Context Request messages.
c: The connection over which the message is sent.
hdr: The GTPv1 header.
elements: The set of Information Elements comprising the message.
gtpv1_create_pdp_ctx_response
Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)
Generated for GTPv1-C Create PDP Context Response messages.
c: The connection over which the message is sent.
hdr: The GTPv1 header.
elements: The set of Information Elements comprising the message.
gtpv1_update_pdp_ctx_request
Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)
Generated for GTPv1-C Update PDP Context Request messages.
c: The connection over which the message is sent.
hdr: The GTPv1 header.
elements: The set of Information Elements comprising the message.
gtpv1_update_pdp_ctx_response
Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)
Generated for GTPv1-C Update PDP Context Response messages.
c: The connection over which the message is sent.
hdr: The GTPv1 header.
elements: The set of Information Elements comprising the message.
gtpv1_delete_pdp_ctx_request
Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)
Generated for GTPv1-C Delete PDP Context Request messages.
c: The connection over which the message is sent.
hdr: The GTPv1 header.
elements: The set of Information Elements comprising the message.
gtpv1_delete_pdp_ctx_response
Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)
Generated for GTPv1-C Delete PDP Context Response messages.
c: The connection over which the message is sent.
hdr: The GTPv1 header.
elements: The set of Information Elements comprising the message.
HTTP analyzer
http_request
Type: event (c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
method: The HTTP method extracted from the request (e.g., GET, POST).
original_URI: The unprocessed URI as specified in the request.
unescaped_URI: The URI with all percent-encodings decoded.
version: The version number specified in the request (e.g., 1.1).
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_stats, truncate_http_URI
http_reply
Type: event (c: connection, version: string, code: count, reason: string)
Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
version: The version number specified in the reply (e.g., 1.1).
code: The numerical response code returned by the server.
reason: The textual description returned by the server along with code.
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_request, http_stats
http_header
Type: event (c: connection, is_orig: bool, name: string, value: string)
Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
is_orig: True if the header was sent by the originator of the TCP connection.
name: The name of the header.
value: The value of the header.
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_message_done, http_reply, http_request, http_stats
Note
This event is also raised for headers found in nested body entities.
http_all_headers
Type: event (c: connection, is_orig: bool, hlist: mime_header_list)
Generated for HTTP headers, passing on all headers of an HTTP message at once. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
is_orig: True if the header was sent by the originator of the TCP connection.
hlist: A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).
See also: http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats
Note
This event is also raised for headers found in nested body entities.
http_begin_entity
Type: event (c: connection, is_orig: bool)
Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Bro raises this event just before it starts parsing each entity’s content.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
is_orig: True if the entity was sent by the originator of the TCP connection.
See also: http_all_headers, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_begin_entity
http_end_entity
Type: event (c: connection, is_orig: bool)
Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Bro raises this event at the point when it has finished parsing an entity’s content.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
is_orig: True if the entity was sent by the originator of the TCP connection.
See also: http_all_headers, http_begin_entity, http_content_type, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_end_entity
http_entity_data
Type: event (c: connection, is_orig: bool, length: count, data: string)
Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data of not further defined size.
A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string, and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for HTTP transfers. At the very least, one should impose an upper size limit on how much data is being buffered.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
is_orig: True if the entity was sent by the originator of the TCP connection.
length: The length of data.
data: One chunk of raw entity data.
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_entity_data, http_entity_data_delivery_size, skip_http_data
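The buffering idiom described for http_entity_data, with the size limit the text asks for, is modelled below in Python as an added example (not Bro script and not part of Bro). It keeps state per (connection uid, is_orig) as the event parameters suggest, appends each chunk until a cap is reached, records that truncation happened, and releases the state at http_end_entity so that a persistent or pipelined session cannot accumulate buffers. The cap of 64 KiB, the connection uid and the chunk contents are constructed for the example.

```python
"""Bounded reassembly of http_entity_data chunks, modelling the scripting-layer
idiom described for that event. Example code, not part of Bro: the uid and
chunk values below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_ENTITY_BYTES = 64 * 1024  # assumed per-entity cap; tune to the deployment


@dataclass
class EntityBuffer:
    data: bytearray = field(default_factory=bytearray)
    total_len: int = 0        # bytes delivered by the analyzer, kept or not
    truncated: bool = False   # True once the cap stopped us keeping data


class EntityReassembler:
    """State keyed by (connection uid, is_orig), like the event parameters."""

    def __init__(self, max_bytes: int = MAX_ENTITY_BYTES) -> None:
        self.max_bytes = max_bytes
        self._bufs: Dict[Tuple[str, bool], EntityBuffer] = {}

    def begin_entity(self, uid: str, is_orig: bool) -> None:
        # http_begin_entity: start a fresh buffer for this direction.
        self._bufs[(uid, is_orig)] = EntityBuffer()

    def entity_data(self, uid: str, is_orig: bool, length: int, data: bytes) -> None:
        # http_entity_data: append one chunk, never growing past the cap.
        buf = self._bufs.setdefault((uid, is_orig), EntityBuffer())
        buf.total_len += length
        room = self.max_bytes - len(buf.data)
        if length > room:
            buf.truncated = True
        if room > 0:
            buf.data += data[:room]

    def end_entity(self, uid: str, is_orig: bool) -> Optional[EntityBuffer]:
        # http_end_entity: hand back the assembled body and drop the state so
        # it cannot accumulate across a persistent or pipelined session.
        return self._bufs.pop((uid, is_orig), None)

    def pending(self) -> int:
        """Number of entities still being buffered (should return to 0)."""
        return len(self._bufs)


def assemble_entity(chunks: List[bytes], max_bytes: int = MAX_ENTITY_BYTES) -> EntityBuffer:
    """Drive the reassembler with the event sequence for one server entity."""
    uid, is_orig = "CExampleUid0", False  # constructed connection uid
    r = EntityReassembler(max_bytes)
    r.begin_entity(uid, is_orig)
    for chunk in chunks:
        r.entity_data(uid, is_orig, len(chunk), chunk)
    buf = r.end_entity(uid, is_orig)
    assert buf is not None and r.pending() == 0
    return buf
```

The total_len field keeps the true entity size even when the data was cut off, so downstream analysis can tell "small body" from "body we chose not to keep".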
http_content_type
Type: event (c: connection, is_orig: bool, ty: string, subty: string)
Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
is_orig: True if the entity was sent by the originator of the TCP connection.
ty: The main type.
subty: The subtype.
See also: http_all_headers, http_begin_entity, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats
Note
This event is also raised for headers found in nested body entities.
http_message_done
Type: event (c: connection, is_orig: bool, stat: http_message_stat)
Generated once at the end of parsing an HTTP message. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).
See Wikipedia for more information about the HTTP protocol.
c: The connection.
is_orig: True if the entity was sent by the originator of the TCP connection.
stat: Further meta information about the message.
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_reply, http_request, http_stats
http_event
Type: event (c: connection, event_type: string, detail: string)
Generated for errors found when decoding HTTP requests or replies.
See Wikipedia for more information about the HTTP protocol.
c: The connection.
event_type: A string describing the general category of the problem found (e.g., illegal format).
detail: Further more detailed description of the error.
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_header, http_message_done, http_reply, http_request, http_stats, mime_event
http_stats
Type: event (c: connection, stats: http_stats_rec)
Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.
c: The connection.
stats: Statistics summarizing HTTP-level properties of the finished connection.
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request
skip_http_entity_data
Type: function (c: connection, is_orig: bool) : any
Skips the data of the HTTP entity.
c: The HTTP connection.
is_orig: If true, the client data is skipped, and the server data otherwise.
See also: skip_smtp_data
unescape_URI
Type: function (URI: string) : string
Unescapes all characters in a URI (decodes every %xx group).
URI: The URI to unescape.
Returns: The unescaped URI with all %xx groups decoded.
Note
Unescaping reserved characters may cause loss of information. RFC 2396: A URI is always in an “escaped” form, since escaping or unescaping a completed URI might change its semantics. Normally, the only time escape encodings can safely be made is when the URI is being created from its component parts.
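The RFC 2396 caveat above applies equally to unescaped_URI in http_request: once every %xx group has been decoded, an escaped "/" or "&" can no longer be told apart from a structural one. The Python below is an added example (not Bro's implementation) that decodes the way the text describes, leaving malformed groups untouched, and then checks whether decoding the whole URI first changes its path/query structure compared with splitting first and decoding each component. The sample URIs are constructed.

```python
"""Percent-decoding as used for http_request's unescaped_URI and by
unescape_URI, with a check for the RFC 2396 caveat that decoding a complete URI
can change its meaning. Example code, not Bro's implementation; the URIs
used in the tests are constructed."""
import re
from typing import List, Tuple

_PCT_GROUP = re.compile(r"%([0-9A-Fa-f]{2})")


def unescape_uri(uri: str) -> str:
    """Decode every %xx group; a malformed group such as "%zz" is left as-is."""
    return _PCT_GROUP.sub(lambda m: chr(int(m.group(1), 16)), uri)


def split_uri(uri: str) -> Tuple[str, List[str]]:
    """Split into path and query parameters the way a server would."""
    path, _, query = uri.partition("?")
    return path, query.split("&") if query else []


def decode_components(uri: str) -> Tuple[str, List[str]]:
    """Safe order: split the escaped URI first, then decode each component."""
    path, params = split_uri(uri)
    return unescape_uri(path), [unescape_uri(p) for p in params]


def decoding_changes_structure(original_uri: str) -> bool:
    """True when decoding the whole URI first (what unescaped_URI gives you)
    yields a different path/parameter structure than decoding per component.
    These are the URIs whose reserved characters were escaped on purpose, so a
    script that splits or matches on them should keep original_URI as well."""
    return split_uri(unescape_uri(original_uri)) != decode_components(original_uri)
```

For signature matching the fully decoded form is what you want, since an encoded byte should not hide a pattern; for anything that reasons about path segments or parameter names, work from original_URI and decode per component as decode_components does.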
ICMP analyzer
icmp_sent
Type: event (c: connection, icmp: icmp_conn)
Generated for all ICMP messages that are not handled separately with dedicated ICMP events. Bro’s ICMP analyzer handles a number of ICMP messages directly with dedicated events. This event acts as a fallback for those it doesn’t.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
See also: icmp_error_message, icmp_sent_payload
icmp_sent_payload
Type: event (c: connection, icmp: icmp_conn, payload: string)
The same as icmp_sent except containing the ICMP payload.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
payload: The payload of the ICMP message.
See also: icmp_error_message, icmp_sent_payload
icmp_echo_request
Type: event (c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
Generated for ICMP echo request messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
id: The echo request identifier.
seq: The echo request sequence number.
payload: The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.
See also: icmp_echo_reply
icmp_echo_reply
Type: event (c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
Generated for ICMP echo reply messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
id: The echo reply identifier.
seq: The echo reply sequence number.
payload: The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.
See also: icmp_echo_request
icmp_error_message
Type: event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)
Generated for all ICMPv6 error messages that are not handled separately with dedicated events. Bro’s ICMP analyzer handles a number of ICMP error messages directly with dedicated events. This event acts as a fallback for those it doesn’t.
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
code: The ICMP code of the error message.
context: A record with specifics of the original packet that the message refers to.
See also: icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem
icmp_unreachable
Type: event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)
Generated for ICMP destination unreachable messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
code: The ICMP code of the unreachable message.
context: A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the unreachable includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem
icmp_packet_too_big
Type: event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)
Generated for ICMPv6 packet too big messages.
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
code: The ICMP code of the too big message.
context: A record with specifics of the original packet that the message refers to. Too big messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the too big includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_time_exceeded, icmp_parameter_problem
icmp_time_exceeded
Type: event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)
Generated for ICMP time exceeded messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
code: The ICMP code of the exceeded message.
context: A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the exceeded includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_parameter_problem
icmp_parameter_problem
Type: event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)
Generated for ICMPv6 parameter problem messages.
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
code: The ICMP code of the parameter problem message.
context: A record with specifics of the original packet that the message refers to. Parameter problem messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the parameter problem includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded
icmp_router_solicitation
Type: event (c: connection, icmp: icmp_conn, options: icmp6_nd_options)
Generated for ICMP router solicitation messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect
icmp_router_advertisement
Type: event (c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
Generated for ICMP router advertisement messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
cur_hop_limit: The default value that should be placed in the Hop Count field for outgoing IP packets.
managed: Managed address configuration flag, RFC 4861.
other: Other stateful configuration flag, RFC 4861.
home_agent: Mobile IPv6 home agent flag, RFC 3775.
pref: Router selection preferences, RFC 4191.
proxy: Neighbor discovery proxy flag, RFC 4389.
rsv: Remaining two reserved bits of router advertisement flags.
router_lifetime: How long this router should be used as a default router.
reachable_time: How long a neighbor should be considered reachable.
retrans_timer: How long a host should wait before retransmitting.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_solicitation, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect
icmp_neighbor_solicitation
Type: event (c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
Generated for ICMP neighbor solicitation messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
tgt: The IP address of the target of the solicitation.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_advertisement, icmp_redirect
icmp_neighbor_advertisement
Type: event (c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
Generated for ICMP neighbor advertisement messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
router: Flag indicating the sender is a router.
solicited: Flag indicating the advertisement is in response to a solicitation.
override: Flag indicating the advertisement should override existing caches.
tgt: The Target Address in the soliciting message, or the address whose link-layer address has changed for unsolicited adverts.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_redirect
icmp_redirect
Type: | event (c: connection , icmp: icmp_conn , tgt: addr , dest: addr , options: icmp6_nd_options ) |
---|
Generated for ICMP redirect messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Tgt: | The address that is supposed to be a better first hop to use for ICMP Destination Address. |
Dest: | The address of the destination which is redirected to the target. |
Options: | Any Neighbor Discovery options included with message (RFC 4861). |
See also: icmp_router_solicitation
, icmp_router_advertisement
, icmp_neighbor_solicitation
, icmp_neighbor_advertisement
Ident analyzer
ident_request
Type: | event (c: connection , lport: port , rport: port ) |
---|
Generated for Ident requests.
See Wikipedia for more information about the Ident protocol.
C: | The connection. |
---|---|
Lport: | The request’s local port. |
Rport: | The request’s remote port. |
See also: ident_error
, ident_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
ident_reply
Type: | event (c: connection , lport: port , rport: port , user_id: string , system: string ) |
---|
Generated for Ident replies.
See Wikipedia for more information about the Ident protocol.
C: | The connection. |
---|---|
Lport: | The corresponding request’s local port. |
Rport: | The corresponding request’s remote port. |
User_id: | The user id returned by the reply. |
System: | The operating system returned by the reply. |
See also: ident_error
, ident_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
ident_error
Type: | event (c: connection , lport: port , rport: port , line: string ) |
---|
Generated for Ident error replies.
See Wikipedia for more information about the Ident protocol.
C: | The connection. |
---|---|
Lport: | The corresponding request’s local port. |
Rport: | The corresponding request’s remote port. |
Line: | The error description returned by the reply. |
See also: ident_reply
, ident_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
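Because the three Ident events above all depend on an analyzer that the default configuration does not activate, a handler for them does nothing until the analyzer is attached to a port or a DPD signature. The script below is an added example rather than one of Bro's own scripts: it registers the analyzer on 113/tcp as the Todo describes and writes every reply and error to its own log. The analyzer tag Analyzer::ANALYZER_IDENT and the module name are assumptions for this illustration.

```bro
# Added example (not part of Bro's shipped scripts): enable the Ident
# analyzer by registering its well-known port, then log each reply and
# error against the connection it answers for.
@load base/frameworks/analyzer
@load base/frameworks/logging

module IdentWatch;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        lport:   port    &log;
        rport:   port    &log;
        user_id: string  &log &optional;
        system:  string  &log &optional;
        error:   string  &log &optional;
    };
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info]);
    # Ident has no DPD signature in the default config; registering the
    # port (assumed tag name ANALYZER_IDENT) is what makes the analyzer
    # attach to 113/tcp and start raising ident_* events.
    Analyzer::register_for_ports(Analyzer::ANALYZER_IDENT, set(113/tcp));
    }

event ident_reply(c: connection, lport: port, rport: port, user_id: string, system: string)
    {
    # lport/rport refer to the connection the Ident client asked about,
    # not to the Ident connection itself.
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                     $lport=lport, $rport=rport,
                     $user_id=user_id, $system=system]);
    }

event ident_error(c: connection, lport: port, rport: port, line: string)
    {
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                     $lport=lport, $rport=rport, $error=line]);
    }
```

The user_id and system fields are whatever the remote Ident daemon chose to return; they identify the account only as far as that host is trusted, so treat them as an enrichment hint rather than an authenticated identity.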
IMAP analyzer (StartTLS only)
imap_capabilities
Type: | event (c: connection , capabilities: string_vec ) |
---|
Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.
C: | The connection. |
---|---|
Capabilities: | The list of IMAP capabilities as sent by the server. |
imap_starttls
Type: | event (c: connection ) |
---|
Generated when an IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.
C: | The connection. |
---|
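Taken together, imap_capabilities and imap_starttls let a script tell whether a session that could have been upgraded actually was. A server that advertised STARTTLS but whose session stayed in cleartext is what STARTTLS stripping by a middlebox, or a client configured to ignore TLS, looks like on the wire. The script below is an added example and not part of Bro's shipped scripts; the connection record fields and notice type are names chosen for this illustration.

```bro
# Added example: report IMAP sessions where the server advertised STARTTLS
# but the session never switched to TLS.
@load base/frameworks/notice

module IMAPStartTLSWatch;

export {
    redef enum Notice::Type += {
        ## Server offered STARTTLS, but the connection stayed in cleartext.
        STARTTLS_Not_Used,
    };
}

redef record connection += {
    ## Set when the server's CAPABILITY response listed STARTTLS.
    imap_offered_starttls: bool &default=F;
    ## Set once imap_starttls fires for the connection.
    imap_used_starttls: bool &default=F;
};

event imap_capabilities(c: connection, capabilities: string_vec)
    {
    # Capability tokens are case-insensitive per the protocol.
    for ( i in capabilities )
        {
        if ( to_upper(capabilities[i]) == "STARTTLS" )
            c$imap_offered_starttls = T;
        }
    }

event imap_starttls(c: connection)
    {
    c$imap_used_starttls = T;
    }

event connection_state_remove(c: connection)
    {
    # Evaluate at teardown: only then is it certain no upgrade happened.
    if ( c$imap_offered_starttls && ! c$imap_used_starttls )
        NOTICE([$note=STARTTLS_Not_Used,
                $conn=c,
                $msg=fmt("IMAP server %s offered STARTTLS but the session with %s stayed in cleartext",
                         c$id$resp_h, c$id$orig_h)]);
    }
```

The check only fires for sessions in which the client issued CAPABILITY, since that is when the event above is generated; a client that never asks, or that speaks IMAPS on a separate port, is not covered by it.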
InterConn analyzer deprecated
interconn_stats
Type: | event (c: connection , os: interconn_endp_stats , rs: interconn_endp_stats ) |
---|
Deprecated. Will be removed.
interconn_remove_conn
Type: | event (c: connection ) |
---|
Deprecated. Will be removed.
IRC analyzer
irc_request
Type: | event (c: connection , is_orig: bool , prefix: string , command: string , arguments: string ) |
---|
Generated for all client-side IRC commands.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | Always true. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Command: | The command. |
Arguments: | The arguments for the command. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
Note
This event is generated only for messages that originate at the client side. Commands coming in from the remote side trigger the irc_message event instead.
irc_reply
Type: | event (c: connection , is_orig: bool , prefix: string , code: count , params: string ) |
---|
Generated for all IRC replies. IRC replies are sent in response to a request and come with a reply code.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Prefix: | The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message. |
Code: | The reply code, as specified by the protocol. |
Params: | The reply’s parameters. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_message
Type: | event (c: connection , is_orig: bool , prefix: string , command: string , message: string ) |
---|
Generated for IRC commands forwarded from the server to the client.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | Always false. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Command: | The command. |
Message: | TODO. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
Note
This event is generated only for messages that are forwarded by the server to the client. Commands coming from the client trigger the irc_request event instead.
irc_quit_message
Type: | event (c: connection , is_orig: bool , nick: string , message: string ) |
---|
Generated for IRC messages of type quit. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Nick: | The nickname coming with the message. |
Message: | The text included with the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_privmsg_message
Type: | event (c: connection , is_orig: bool , source: string , target: string , message: string ) |
---|
Generated for IRC messages of type privmsg. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Source: | The source of the private communication. |
Target: | The target of the private communication. |
Message: | The text of communication. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_notice_message
Type: | event (c: connection , is_orig: bool , source: string , target: string , message: string ) |
---|
Generated for IRC messages of type notice. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Source: | The source of the notice. |
Target: | The target of the notice (a nickname or a channel). |
Message: | The text of communication. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_squery_message
Type: | event (c: connection , is_orig: bool , source: string , target: string , message: string ) |
---|
Generated for IRC messages of type squery. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Source: | The source of the service query. |
Target: | The service the query is addressed to. |
Message: | The text of communication. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_join_message
Type: | event (c: connection , is_orig: bool , info_list: irc_join_list ) |
---|
Generated for IRC messages of type join. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Info_list: | The user information coming with the command. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_part_message
Type: | event (c: connection , is_orig: bool , nick: string , chans: string_set , message: string ) |
---|
Generated for IRC messages of type part. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Nick: | The nickname coming with the message. |
Chans: | The set of channels affected. |
Message: | The text coming with the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_password_message
irc_nick_message
Type: | event (c: connection , is_orig: bool , who: string , newnick: string ) |
---|
Generated for IRC messages of type nick. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Who: | The user changing its nickname. |
Newnick: | The new nickname. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_invalid_nick
Type: | event (c: connection , is_orig: bool ) |
---|
Generated when a server rejects an IRC nickname.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_network_info
Type: | event (c: connection , is_orig: bool , users: count , services: count , servers: count ) |
---|
Generated for an IRC reply of type luserclient.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Users: | The number of users as returned in the reply. |
Services: | The number of services as returned in the reply. |
Servers: | The number of servers as returned in the reply. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_server_info
Type: | event (c: connection , is_orig: bool , users: count , services: count , servers: count ) |
---|
Generated for an IRC reply of type luserme.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Users: | The number of users as returned in the reply. |
Services: | The number of services as returned in the reply. |
Servers: | The number of servers as returned in the reply. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_channel_info
Type: | event (c: connection , is_orig: bool , chans: count ) |
---|
Generated for an IRC reply of type luserchannels.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Chans: | The number of channels as returned in the reply. |
See also: irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_who_line
Type: | event (c: connection , is_orig: bool , target_nick: string , channel: string , user: string , host: string , server: string , nick: string , params: string , hops: count , real_name: string ) |
---|
Generated for an IRC reply of type whoreply.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Target_nick: | The target nickname. |
Channel: | The channel. |
User: | The user. |
Host: | The host. |
Server: | The server. |
Nick: | The nickname. |
Params: | The parameters. |
Hops: | The hop count. |
Real_name: | The real name. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_names_info
Type: | event (c: connection , is_orig: bool , c_type: string , channel: string , users: string_set ) |
---|
Generated for an IRC reply of type namereply.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
C_type: | The channel type. |
Channel: | The channel. |
Users: | The set of users. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_whois_operator_line
Type: | event (c: connection , is_orig: bool , nick: string ) |
---|
Generated for an IRC reply of type whoisoperator.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Nick: | The nickname specified in the reply. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_whois_channel_line
Type: | event (c: connection , is_orig: bool , nick: string , chans: string_set ) |
---|
Generated for an IRC reply of type whoischannels.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Nick: | The nickname specified in the reply. |
Chans: | The set of channels returned. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_whois_user_line
Type: | event (c: connection , is_orig: bool , nick: string , user: string , host: string , real_name: string ) |
---|
Generated for an IRC reply of type whoisuser.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Nick: | The nickname specified in the reply. |
User: | The user name specified in the reply. |
Host: | The host name specified in the reply. |
Real_name: | The real name specified in the reply. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_oper_response
Type: | event (c: connection , is_orig: bool , got_oper: bool ) |
---|
Generated for IRC replies of type youreoper and nooperhost.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Got_oper: | True if the oper command was executed successfully (youreoper) and false otherwise (nooperhost). |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_part_message
, irc_password_message
irc_global_users
Type: | event (c: connection , is_orig: bool , prefix: string , msg: string ) |
---|
Generated for an IRC reply of type globalusers.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Msg: | The message coming with the reply. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_channel_topic
Type: | event (c: connection , is_orig: bool , channel: string , topic: string ) |
---|
Generated for an IRC reply of type topic.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Channel: | The channel name specified in the reply. |
Topic: | The topic specified in the reply. |
See also: irc_channel_info
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_who_message
Type: | event (c: connection , is_orig: bool , mask: string , oper: bool ) |
---|
Generated for IRC messages of type who. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Mask: | The mask specified in the message. |
Oper: | True if the operator flag was set. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_whois_message
Type: | event (c: connection , is_orig: bool , server: string , users: string ) |
---|
Generated for IRC messages of type whois. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Server: | TODO. |
Users: | TODO. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_oper_message
Type: | event (c: connection , is_orig: bool , user: string , password: string ) |
---|
Generated for IRC messages of type oper. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
User: | The user specified in the message. |
Password: | The password specified in the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_kick_message
Type: | event (c: connection , is_orig: bool , prefix: string , chans: string , users: string , comment: string ) |
---|
Generated for IRC messages of type kick. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Chans: | The channels specified in the message. |
Users: | The users specified in the message. |
Comment: | The comment specified in the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_error_message
Type: | event (c: connection , is_orig: bool , prefix: string , message: string ) |
---|
Generated for IRC messages of type error. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Message: | The textual description specified in the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_invite_message
Type: | event (c: connection , is_orig: bool , prefix: string , nickname: string , channel: string ) |
---|
Generated for IRC messages of type invite. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Nickname: | The nickname specified in the message. |
Channel: | The channel specified in the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_mode_message
Type: | event (c: connection , is_orig: bool , prefix: string , params: string ) |
---|
Generated for IRC messages of type mode. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Params: | The parameters coming with the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_squit_message
Type: | event (c: connection , is_orig: bool , prefix: string , server: string , message: string ) |
---|
Generated for IRC messages of type squit. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Server: | The server specified in the message. |
Message: | The textual description specified in the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_dcc_message
Type: | event (c: connection , is_orig: bool , prefix: string , target: string , dcc_type: string , argument: string , address: addr , dest_port: count , size: count ) |
---|
Generated for IRC messages of type dcc. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Prefix: | The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message. |
Target: | The target specified in the message. |
Dcc_type: | The DCC type specified in the message. |
Argument: | The argument specified in the message. |
Address: | The address specified in the message. |
Dest_port: | The destination port specified in the message. |
Size: | The size specified in the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_user_message
Type: | event (c: connection , is_orig: bool , user: string , host: string , server: string , real_name: string ) |
---|
Generated for IRC messages of type user. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
User: | The user specified in the message. |
Host: | The host name specified in the message. |
Server: | The server name specified in the message. |
Real_name: | The real name specified in the message. |
See also: irc_channel_info
, irc_channel_topic
, irc_dcc_message
, irc_error_message
, irc_global_users
, irc_invalid_nick
, irc_invite_message
, irc_join_message
, irc_kick_message
, irc_message
, irc_mode_message
, irc_names_info
, irc_network_info
, irc_nick_message
, irc_notice_message
, irc_oper_message
, irc_oper_response
, irc_part_message
, irc_password_message
irc_password_message
Type: | event (c: connection , is_orig: bool , password: string ) |
---|
Generated for IRC messages of type password. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Password: | The password specified in the message. |
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message
irc_starttls
Type: | event (c: connection ) |
---|
Generated if an IRC connection switched to TLS using STARTTLS. After this event no more IRC events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.
C: | The connection. |
---|
Kerberos analyzer
KRB::Error_Msg
Type: |
|
---|
The data from the ERROR_MSG message. See RFC 4120.
KRB::SAFE_Msg
Type: |
|
---|
The data from the SAFE message. See RFC 4120.
KRB::KDC_Options
Type: |
|
---|
KDC Options. See RFC 4120.
KRB::AP_Options
Type: |
---|
AP Options. See RFC 4120.
KRB::Type_Value
Type: |
---|
Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
KRB::Ticket
Type: |
---|
A Kerberos ticket. See RFC 4120.
KRB::Ticket_Vector
Type: | vector of KRB::Ticket |
---|
KRB::Host_Address
Type: |
---|
A Kerberos host address. See RFC 4120.
KRB::KDC_Request
Type: |
|
---|
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
KRB::KDC_Response
Type: |
|
---|
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
krb_as_request
Type: | event (c: connection , msg: KRB::KDC_Request ) |
---|
A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. The AS request contains a username of the client requesting authentication, and returns an AS reply with an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Msg: | A Kerberos KDC request message data structure. |
See also: krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_as_response
Type: | event (c: connection , msg: KRB::KDC_Response ) |
---|
A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. Following the AS request for a user, an AS reply contains an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Msg: | A Kerberos KDC reply message data structure. |
See also: krb_as_request, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_tgs_request
Type: | event (c: connection , msg: KRB::KDC_Request ) |
---|
A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. Following the Authentication Server exchange, if successful, the client now has a Ticket Granting Ticket (TGT). To authenticate to a Kerberized service, the client requests a Service Ticket, which will be returned in the TGS reply.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Msg: | A Kerberos KDC request message data structure. |
See also: krb_as_request, krb_as_response, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_tgs_response
Type: | event (c: connection , msg: KRB::KDC_Response ) |
---|
A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. This message returns a Service Ticket to the client, which is encrypted with the service’s long-term key, and which the client can use to authenticate to that service.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Msg: | A Kerberos KDC reply message data structure. |
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_ap_request
Type: | event (c: connection , ticket: KRB::Ticket , opts: KRB::AP_Options ) |
---|
A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. This message contains authentication information that should be part of the first message in an authenticated transaction.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Ticket: | The Kerberos ticket being used for authentication. |
Opts: | A Kerberos AP options data structure. |
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_ap_response
Type: | event (c: connection ) |
---|
A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. This is used if mutual authentication is desired. All of the interesting information in here is encrypted, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_priv, krb_safe, krb_cred, krb_error
krb_priv
Type: | event (c: connection , is_orig: bool ) |
---|
A Kerberos 5 Private Message as defined in RFC 4120. This is a private (encrypted) application message, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Is_orig: | Whether the originator of the connection sent this message. |
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_safe, krb_cred, krb_error
krb_safe
Type: | event (c: connection , is_orig: bool , msg: KRB::SAFE_Msg ) |
---|
A Kerberos 5 Safe Message as defined in RFC 4120. This is a safe (checksummed) application message.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Is_orig: | Whether the originator of the connection sent this message. |
Msg: | A Kerberos SAFE message data structure. |
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_cred, krb_error
krb_cred
Type: | event (c: connection , is_orig: bool , tickets: KRB::Ticket_Vector ) |
---|
A Kerberos 5 Credential Message as defined in RFC 4120. This is a private (encrypted) message to forward credentials.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Is_orig: | Whether the originator of the connection sent this message. |
Tickets: | Tickets obtained from the KDC that are being forwarded. |
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_error
krb_error
Type: | event (c: connection , msg: KRB::Error_Msg ) |
---|
A Kerberos 5 Error Message as defined in RFC 4120.
See Wikipedia for more information about the Kerberos protocol.
C: | The connection over which this Kerberos message was sent. |
---|---|
Msg: | A Kerberos error message data structure. |
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred
Telnet/Rsh/Rlogin analyzers
rsh_request
Type: | event (c: connection , client_user: string , server_user: string , line: string , new_session: bool ) |
---|
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
C: | The connection. |
---|---|
Client_user: | The client-side user name as sent in the initial protocol handshake. |
Server_user: | The server-side user name as sent in the initial protocol handshake. |
Line: | The command line sent in the request. |
New_session: | True if this is the first command of the Rsh session. |
See also: rsh_reply, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Note
For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
rsh_reply
Type: | event (c: connection , client_user: string , server_user: string , line: string ) |
---|
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
C: | The connection. |
---|---|
Client_user: | The client-side user name as sent in the initial protocol handshake. |
Server_user: | The server-side user name as sent in the initial protocol handshake. |
Line: | The command line sent in the request. |
See also: rsh_request, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Note
For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
login_failure
Type: | event (c: connection , user: string , client_user: string , password: string , line: string ) |
---|
Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.
C: | The connection. |
---|---|
User: | The user name tried. |
Client_user: | For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts). |
Password: | The password tried. |
Line: | The line of text that led the analyzer to conclude that the authentication had failed. |
See also: login_confused, login_confused_text, login_display, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_success
Type: | event (c: connection , user: string , client_user: string , password: string , line: string ) |
---|
Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.
C: | The connection. |
---|---|
User: | The user name used. |
Client_user: | For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts). |
Password: | The password used. |
Line: | The line of text that led the analyzer to conclude that the authentication had succeeded. |
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
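The login_failure and login_success events above only carry what the heuristics extracted per attempt; turning them into a detection means keeping state across attempts. The following Bro script is an added example (not from the Bro documentation or distribution) that counts heuristic failures per client host and raises a notice past a threshold. It assumes the Telnet analyzer has to be bound to 23/tcp via Analyzer::register_for_ports as the Todo says, that its tag is Analyzer::ANALYZER_TELNET, and that the login pattern variables the Note mentions have been configured; the notice types and threshold are made up for the example.

```bro
# Added example, not part of the Bro documentation: count heuristic login
# failures per client host and raise a notice once a threshold is crossed.
@load base/frameworks/notice

module TelnetLoginWatch;

export {
    redef enum Notice::Type += {
        ## Many heuristic login failures from one client host (example type).
        Excessive_Failures,
        ## A heuristic login success following earlier failures (example type).
        Success_After_Failures,
    };

    ## Failures from one host within the expiry window before a notice is raised.
    const failure_threshold = 5 &redef;
}

# Per-client-host failure counter; entries expire 10 minutes after creation.
global failures: table[addr] of count &default=0 &create_expire=10min;

event bro_init()
    {
    # Assumption: the Telnet analyzer is not active by default, so attach it
    # to 23/tcp as the Todo entries above describe.
    Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, set(23/tcp));
    }

event login_failure(c: connection, user: string, client_user: string, password: string, line: string)
    {
    local src = c$id$orig_h;
    ++failures[src];

    # Fire exactly once per host per window, when the threshold is reached.
    if ( failures[src] == failure_threshold )
        NOTICE([$note=Excessive_Failures,
                $msg=fmt("%d login failures from %s, last user tried: %s (trigger line: %s)",
                         failures[src], src, user, line),
                $conn=c,
                # Suppress duplicate notices for the same host.
                $identifier=cat(src)]);
    }

event login_success(c: connection, user: string, client_user: string, password: string, line: string)
    {
    local src = c$id$orig_h;

    # A success after failures in the same window is worth its own notice.
    # The captured password is deliberately left out of the message.
    if ( src in failures && failures[src] > 0 )
        NOTICE([$note=Success_After_Failures,
                $msg=fmt("login for user %s from %s succeeded after %d failures",
                         user, src, failures[src]),
                $conn=c,
                $identifier=cat(src, user)]);

    delete failures[src];
    }
```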
login_input_line
Type: | event (c: connection , line: string ) |
---|
Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
C: | The connection. |
---|---|
Line: | The input line. |
See also: login_confused, login_confused_text, login_display, login_failure, login_output_line, login_prompt, login_success, login_terminal, rsh_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_output_line
Type: | event (c: connection , line: string ) |
---|
Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
C: | The connection. |
---|---|
Line: | The output line. |
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_prompt, login_success, login_terminal, rsh_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_confused
Type: | event (c: connection , msg: string , line: string ) |
---|
Generated when tracking of Telnet/Rlogin authentication failed. As Bro’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.
C: | The connection. |
---|---|
Msg: | Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them). |
Line: | The line of text that caused the heuristics to conclude they were confused. |
See also: login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_confused_text
Type: | event (c: connection , line: string ) |
---|
Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this event for every line of user input after it has reported login_confused for a connection.
C: | The connection. |
---|---|
Line: | The line the user typed. |
See also: login_confused, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_terminal
Type: | event (c: connection , terminal: string ) |
---|
Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
C: | The connection. |
---|---|
Terminal: | The TERM value transmitted. |
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_display
Type: | event (c: connection , display: string ) |
---|
Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
C: | The connection. |
---|---|
Display: | The DISPLAY transmitted. |
See also: login_confused, login_confused_text, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
authentication_accepted
Type: | event (name: string , c: connection ) |
---|
Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
Name: | The authenticated name. |
---|---|
C: | The connection. |
See also: authentication_rejected, authentication_skipped, login_success
Note
This event inspects the corresponding Telnet option while login_success heuristically determines success by watching session data.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
authentication_rejected
Type: | event (name: string , c: connection ) |
---|
Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
Name: | The attempted authentication name. |
---|---|
C: | The connection. |
See also: authentication_accepted, authentication_skipped, login_failure
Note
This event inspects the corresponding Telnet option while login_success heuristically determines failure by watching session data.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
authentication_skipped
Type: | event (c: connection ) |
---|
Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: authentication_accepted, authentication_rejected, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_prompt
Type: | event (c: connection , prompt: string ) |
---|
Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|---|
Prompt: | The TTYPROMPT transmitted. |
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_success, login_terminal
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
activating_encryption
Type: | event (c: connection ) |
---|
Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
inconsistent_option
Type: | event (c: connection ) |
---|
Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: bad_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
bad_option
Type: | event (c: connection ) |
---|
Generated for an ill-formed or unrecognized Telnet option.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: inconsistent_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
bad_option_termination
Type: | event (c: connection ) |
---|
Generated for a Telnet option that’s incorrectly terminated.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: inconsistent_option, bad_option, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
get_login_state
Type: | function (cid: conn_id ) : count |
---|
Returns the state of the given login (Telnet or Rlogin) connection.
Cid: | The connection ID. |
---|---|
Returns: | False if the connection is not active or is not tagged as a login analyzer. Otherwise the function returns the state, which can be one of:
|
See also: set_login_state
set_login_state
Type: | function (cid: conn_id , new_state: count ) : bool |
---|
Sets the login state of a connection with a login analyzer.
Cid: | The connection ID. |
---|---|
New_state: | The new state of the login analyzer. See get_login_state for possible values. |
Returns: | Returns false if cid is not an active connection or is not tagged as a login analyzer, and true otherwise. |
See also: get_login_state
MIME parsing
mime_begin_entity
Type: | event (c: connection ) |
---|
Generated when starting to parse an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Bro raises this event when it begins parsing a MIME entity extracted from an email protocol.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|
See also: mime_all_data, mime_all_headers, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, http_begin_entity
Note
Bro also extracts MIME entities from HTTP sessions. For those, however, it raises http_begin_entity instead.
mime_end_entity
Type: | event (c: connection ) |
---|
Generated when finishing parsing an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Bro raises this event when it finished parsing a MIME entity extracted from an email protocol.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, http_end_entity
Note
Bro also extracts MIME entities from HTTP sessions. For those, however, it raises http_end_entity instead.
mime_one_header
Type: | event (c: connection , h: mime_header_rec ) |
---|
Generated for individual MIME headers extracted from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|---|
H: | The parsed MIME header. |
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_segment_data, http_header, http_all_headers
Note
Bro also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.
mime_all_headers
Type: | event (c: connection , hlist: mime_header_list ) |
---|
Generated for MIME headers extracted from email MIME entities, passing all headers at once. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|---|
Hlist: | A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.). |
See also: mime_all_data, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, http_header, http_all_headers
Note
Bro also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.
mime_segment_data
Type: | event (c: connection , length: count , data: string ) |
---|
Generated for chunks of decoded MIME data from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. As Bro parses the data of an entity, it raises a sequence of these events, each coming as soon as a new chunk of data is available. In contrast, there is also mime_entity_data, which passes all of an entity’s data at once in a single block. While the latter is more convenient to handle, mime_segment_data is more efficient as Bro does not need to buffer the data. Thus, if possible, this event should be preferred.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|---|
Length: | The length of data. |
Data: | The raw data of one segment of the current entity. |
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, http_entity_data, mime_segment_length, mime_segment_overlap_length
Note
Bro also extracts MIME data from HTTP sessions. For those, however, it raises http_entity_data (sic!) instead.
mime_entity_data
Type: | event (c: connection , length: count , data: string ) |
---|
Generated for data decoded from an email MIME entity. This event delivers the complete content of a single MIME entity with the quoted-printable and base64 data decoded. In contrast, there is also mime_segment_data, which passes on a sequence of data chunks as they come in. While mime_entity_data is more convenient to handle, mime_segment_data is more efficient as Bro does not need to buffer the data. Thus, if possible, the latter should be preferred.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|---|
Length: | The length of data. |
Data: | The raw data of the complete entity. |
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_event, mime_one_header, mime_segment_data
Note
While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.
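The mime_segment_data and mime_entity_data entries above recommend the segment event because it avoids buffering; the script below is an added example (not from the Bro documentation or distribution) of what that looks like in practice: it feeds each decoded segment into a running MD5 and compares the result at mime_end_entity with the value Bro reports through mime_content_hash. It assumes the opaque md5 built-ins md5_hash_init, md5_hash_update and md5_hash_finish of Bro 2.x, that mime_segment_overlap_length is left at its default of 0 (otherwise consecutive segments share bytes and must not be concatenated), that mime_content_hash is raised before mime_end_entity for the same entity, and that hash_value carries the raw 16-byte digest rather than hex.

```bro
# Added example, not part of the Bro documentation: hash each email MIME
# entity incrementally from mime_segment_data, so no entity body is buffered
# in script-land, and cross-check against Bro's own mime_content_hash.
module MimeSegmentHash;

# One running MD5 state per connection. Entities within a connection are
# parsed one after another, so a single slot keyed by connection UID suffices.
global running: table[string] of opaque of md5;

# Decoded bytes seen per entity so far, to compare with content_len.
global seen: table[string] of count &default=0;

# Digest reported by mime_content_hash, hex-encoded, awaiting comparison.
global reported: table[string] of string;

event mime_begin_entity(c: connection)
    {
    running[c$uid] = md5_hash_init();
    seen[c$uid] = 0;
    }

event mime_segment_data(c: connection, length: count, data: string)
    {
    if ( c$uid !in running )
        return;

    # Assumption: mime_segment_overlap_length is 0, so segments are disjoint
    # and feeding them in order reproduces the whole decoded entity.
    md5_hash_update(running[c$uid], data);
    seen[c$uid] += length;
    }

event mime_content_hash(c: connection, content_len: count, hash_value: string)
    {
    # Assumption: hash_value is the raw digest; convert to hex for comparison.
    reported[c$uid] = bytestring_to_hexstr(hash_value);

    if ( c$uid in seen && seen[c$uid] != content_len )
        print fmt("%s: segment bytes (%d) differ from content_len (%d)",
                  c$uid, seen[c$uid], content_len);
    }

event mime_end_entity(c: connection)
    {
    if ( c$uid !in running )
        return;

    local digest = md5_hash_finish(running[c$uid]);

    if ( c$uid in reported )
        {
        # Both values should agree; a mismatch would point at overlapping
        # segments or at an entity whose decoding Bro flagged via mime_event.
        print fmt("%s: entity of %d bytes, incremental md5=%s, reported md5=%s, match=%s",
                  c$uid, seen[c$uid], digest, reported[c$uid],
                  digest == reported[c$uid] ? "yes" : "no");
        delete reported[c$uid];
        }
    else
        print fmt("%s: entity of %d bytes, incremental md5=%s", c$uid, seen[c$uid], digest);

    delete running[c$uid];
    delete seen[c$uid];
    }
```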
mime_all_data
Type: | event (c: connection , length: count , data: string ) |
---|
Generated for passing on all data decoded from a single email MIME message. If an email message has more than one MIME entity, this event combines all their data into a single value for analysis. Note that because of the potentially significant buffering necessary, using this event can be expensive.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|---|
Length: | The length of data. |
Data: | The raw data of all MIME entities concatenated. |
See also: mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data
Note
While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.
mime_event
Type: | event (c: connection , event_type: string , detail: string ) |
---|
Generated for errors found when decoding email MIME entities.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|---|
Event_type: | A string describing the general category of the problem found (e.g., illegal format). |
Detail: | A further, more detailed description of the error. |
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_one_header, mime_segment_data, http_event
Note
Bro also extracts MIME headers from HTTP sessions. For those,
however, it raises http_event
instead.
mime_content_hash
Type: | event (c: connection , content_len: count , hash_value: string ) |
---|
Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. Bro computes the MD5 over the complete decoded data of each MIME entity.
Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
C: | The connection. |
---|---|
Content_len: | The length of the entity being hashed. |
Hash_value: | The MD5 hash. |
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data
Note
While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.
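The paragraph under mime_entity_data recommends mime_segment_data over the buffering events where possible, and mime_content_hash only delivers an MD5. The following script is an added example, not part of the Bro documentation or distribution: it computes a SHA-1 over each decoded email entity without buffering, by feeding the mime_segment_data chunks into Bro's incremental hash functions, and logs it next to the MD5 from mime_content_hash. It assumes Bro 2.x with the SMTP/POP3 analyzers active, that mime_content_hash is raised before mime_end_entity for the same entity, and that the MD5 arrives as a raw 16-byte digest (hence the hex encoding); the module and log names are my own.

```bro
# Added example (not from the Bro documentation): stream each decoded email
# MIME entity through SHA-1 while it arrives, then log MD5 and SHA-1 together.
module MimeHash;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:   time    &log;
        uid:  string  &log;
        id:   conn_id &log;
        len:  count   &log &optional;
        md5:  string  &log &optional;
        sha1: string  &log &optional;
    };
}

# In-progress SHA-1 handle and pending log record, keyed by connection UID.
# Only the innermost entity of a nested multipart message is tracked.
global sha1_state: table[string] of opaque of sha1;
global pending: table[string] of Info;

event bro_init()
    {
    Log::create_stream(MimeHash::LOG, [$columns=Info, $path="mime_hash"]);
    }

event mime_begin_entity(c: connection)
    {
    sha1_state[c$uid] = sha1_hash_init();
    pending[c$uid] = [$ts=network_time(), $uid=c$uid, $id=c$id];
    }

# Streaming path: each chunk is hashed as it comes in and never buffered.
event mime_segment_data(c: connection, length: count, data: string)
    {
    if ( c$uid in sha1_state )
        sha1_hash_update(sha1_state[c$uid], data);
    }

# Assumption: hash_value is the raw 16-byte digest, so hex-encode it for the log.
event mime_content_hash(c: connection, content_len: count, hash_value: string)
    {
    if ( c$uid in pending )
        {
        pending[c$uid]$len = content_len;
        pending[c$uid]$md5 = bytestring_to_hexstr(hash_value);
        }
    }

event mime_end_entity(c: connection)
    {
    if ( c$uid !in pending )
        return;

    if ( c$uid in sha1_state )
        {
        pending[c$uid]$sha1 = sha1_hash_finish(sha1_state[c$uid]);
        delete sha1_state[c$uid];
        }

    Log::write(MimeHash::LOG, pending[c$uid]);
    delete pending[c$uid];
    }

# Decoding errors deserve attention: malformed MIME is a common way for an
# attachment to get past inspection, so surface them rather than drop them.
event mime_event(c: connection, event_type: string, detail: string)
    {
    print fmt("%s: MIME decoding problem (%s): %s", c$uid, event_type, detail);
    }
```

The per-connection tables are the only state kept; the entity body itself never sits in script memory, which is the point the documentation makes about mime_segment_data versus mime_entity_data.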
Modbus analyzer
modbus_message
Type: | event (c: connection , headers: ModbusHeaders , is_orig: bool ) |
---|
Generated for any Modbus message regardless if the particular function is further supported or not.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Is_orig: | True if the event is raised for the originator side. |
modbus_exception
Type: | event (c: connection , headers: ModbusHeaders , code: count ) |
---|
Generated for any Modbus exception message.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Code: | The exception code. |
modbus_read_coils_request
Type: | event (c: connection , headers: ModbusHeaders , start_address: count , quantity: count ) |
---|
Generated for a Modbus read coils request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The memory address of the first coil to be read. |
Quantity: | The number of coils to be read. |
modbus_read_coils_response
Type: | event (c: connection , headers: ModbusHeaders , coils: ModbusCoils ) |
---|
Generated for a Modbus read coils response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Coils: | The coil values returned from the device. |
modbus_read_discrete_inputs_request
Type: | event (c: connection , headers: ModbusHeaders , start_address: count , quantity: count ) |
---|
Generated for a Modbus read discrete inputs request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The memory address of the first discrete input to be read. |
Quantity: | The number of discrete inputs to be read. |
modbus_read_discrete_inputs_response
Type: | event (c: connection , headers: ModbusHeaders , coils: ModbusCoils ) |
---|
Generated for a Modbus read discrete inputs response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Coils: | The coil values returned from the device. |
modbus_read_holding_registers_request
Type: | event (c: connection , headers: ModbusHeaders , start_address: count , quantity: count ) |
---|
Generated for a Modbus read holding registers request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The memory address of the first register to be read. |
Quantity: | The number of registers to be read. |
modbus_read_holding_registers_response
Type: | event (c: connection , headers: ModbusHeaders , registers: ModbusRegisters ) |
---|
Generated for a Modbus read holding registers response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Registers: | The register values returned from the device. |
modbus_read_input_registers_request
Type: | event (c: connection , headers: ModbusHeaders , start_address: count , quantity: count ) |
---|
Generated for a Modbus read input registers request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The memory address of the first register to be read. |
Quantity: | The number of registers to be read. |
modbus_read_input_registers_response
Type: | event (c: connection , headers: ModbusHeaders , registers: ModbusRegisters ) |
---|
Generated for a Modbus read input registers response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Registers: | The register values returned from the device. |
modbus_write_single_coil_request
Type: | event (c: connection , headers: ModbusHeaders , address: count , value: bool ) |
---|
Generated for a Modbus write single coil request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Address: | The memory address of the coil to be written. |
Value: | The value to be written to the coil. |
modbus_write_single_coil_response
Type: | event (c: connection , headers: ModbusHeaders , address: count , value: bool ) |
---|
Generated for a Modbus write single coil response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Address: | The memory address of the coil that was written. |
Value: | The value that was written to the coil. |
modbus_write_single_register_request
Type: | event (c: connection , headers: ModbusHeaders , address: count , value: count ) |
---|
Generated for a Modbus write single register request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Address: | The memory address of the register to be written. |
Value: | The value to be written to the register. |
modbus_write_single_register_response
Type: | event (c: connection , headers: ModbusHeaders , address: count , value: count ) |
---|
Generated for a Modbus write single register response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Address: | The memory address of the register that was written. |
Value: | The value that was written to the register. |
modbus_write_multiple_coils_request
Type: | event (c: connection , headers: ModbusHeaders , start_address: count , coils: ModbusCoils ) |
---|
Generated for a Modbus write multiple coils request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The memory address of the first coil to be written. |
Coils: | The values to be written to the coils. |
modbus_write_multiple_coils_response
Type: | event (c: connection , headers: ModbusHeaders , start_address: count , quantity: count ) |
---|
Generated for a Modbus write multiple coils response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The memory address of the first coil that was written. |
Quantity: | The quantity of coils that were written. |
modbus_write_multiple_registers_request
Type: | event (c: connection , headers: ModbusHeaders , start_address: count , registers: ModbusRegisters ) |
---|
Generated for a Modbus write multiple registers request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The memory address of the first register to be written. |
Registers: | The values to be written to the registers. |
modbus_write_multiple_registers_response
Type: | event (c: connection , headers: ModbusHeaders , start_address: count , quantity: count ) |
---|
Generated for a Modbus write multiple registers response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The memory address of the first register that was written. |
Quantity: | The quantity of registers that were written. |
modbus_read_file_record_request
Type: | event (c: connection , headers: ModbusHeaders ) |
---|
Generated for a Modbus read file record request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
modbus_read_file_record_response
Type: | event (c: connection , headers: ModbusHeaders ) |
---|
Generated for a Modbus read file record response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
modbus_write_file_record_request
Type: | event (c: connection , headers: ModbusHeaders ) |
---|
Generated for a Modbus write file record request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
modbus_write_file_record_response
Type: | event (c: connection , headers: ModbusHeaders ) |
---|
Generated for a Modbus write file record response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
modbus_mask_write_register_request
Type: | event (c: connection , headers: ModbusHeaders , address: count , and_mask: count , or_mask: count ) |
---|
Generated for a Modbus mask write register request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Address: | The memory address of the register where the masks should be applied. |
And_mask: | The value of the logical AND mask to apply to the register. |
Or_mask: | The value of the logical OR mask to apply to the register. |
modbus_mask_write_register_response
Type: | event (c: connection , headers: ModbusHeaders , address: count , and_mask: count , or_mask: count ) |
---|
Generated for a Modbus mask write register response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Address: | The memory address of the register where the masks were applied. |
And_mask: | The value of the logical AND mask applied to the register. |
Or_mask: | The value of the logical OR mask applied to the register. |
modbus_read_write_multiple_registers_request
Type: | event (c: connection , headers: ModbusHeaders , read_start_address: count , read_quantity: count , write_start_address: count , write_registers: ModbusRegisters ) |
---|
Generated for a Modbus read/write multiple registers request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Read_start_address: | The memory address of the first register to be read. |
Read_quantity: | The number of registers to read. |
Write_start_address: | The memory address of the first register to be written. |
Write_registers: | The values to be written to the registers. |
modbus_read_write_multiple_registers_response
Type: | event (c: connection , headers: ModbusHeaders , written_registers: ModbusRegisters ) |
---|
Generated for a Modbus read/write multiple registers response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Written_registers: | The register values read from the registers specified in the request. |
modbus_read_fifo_queue_request
Type: | event (c: connection , headers: ModbusHeaders , start_address: count ) |
---|
Generated for a Modbus read FIFO queue request.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Start_address: | The address of the FIFO queue to read. |
modbus_read_fifo_queue_response
Type: | event (c: connection , headers: ModbusHeaders , fifos: ModbusRegisters ) |
---|
Generated for a Modbus read FIFO queue response.
C: | The connection. |
---|---|
Headers: | The headers for the modbus function. |
Fifos: | The register values read from the FIFO queue on the device. |
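The write request events above are the ones that change state on a device, and modbus_exception is what a device returns when asked for something it does not have. The following script is an added example, not part of the Bro documentation or distribution: it reports write requests from hosts outside an allowlist and counts exception responses per connection. It is a Bro 2.x script; the module name, the allowlisted addresses (TEST-NET-1 placeholders) and the thresholds are constructed, and it assumes ModbusHeaders carries the unit identifier as uid and the PDU function as function_code.

```bro
# Added example (not from the Bro documentation): watch Modbus writes and
# exception responses.
module ModbusWatch;

export {
    # Hosts expected to write to PLCs (constructed placeholders; redef for your site).
    const allowed_writers: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;

    # Exception responses on one connection before it is reported (constructed threshold).
    const exception_threshold = 10 &redef;
}

# Exceptions seen per connection UID; entries expire so the table stays bounded.
global exceptions: table[string] of count &default=0 &create_expire=1hr;

function report_write(c: connection, headers: ModbusHeaders, what: string)
    {
    if ( c$id$orig_h in allowed_writers )
        return;

    # headers$uid is the Modbus unit identifier, headers$function_code the PDU function.
    print fmt("%s: unexpected Modbus write from %s to %s (unit %d, function %d): %s",
              c$uid, c$id$orig_h, c$id$resp_h, headers$uid, headers$function_code, what);
    }

event modbus_write_single_coil_request(c: connection, headers: ModbusHeaders, address: count, value: bool)
    {
    report_write(c, headers, fmt("coil %d := %s", address, value));
    }

event modbus_write_single_register_request(c: connection, headers: ModbusHeaders, address: count, value: count)
    {
    report_write(c, headers, fmt("register %d := %d", address, value));
    }

event modbus_write_multiple_coils_request(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils)
    {
    report_write(c, headers, fmt("%d coils starting at %d", |coils|, start_address));
    }

event modbus_write_multiple_registers_request(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters)
    {
    report_write(c, headers, fmt("%d registers starting at %d", |registers|, start_address));
    }

event modbus_mask_write_register_request(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)
    {
    report_write(c, headers, fmt("register %d masked (AND 0x%x, OR 0x%x)", address, and_mask, or_mask));
    }

# A run of exception responses usually means a client is addressing registers
# or functions the device does not provide.
event modbus_exception(c: connection, headers: ModbusHeaders, code: count)
    {
    ++exceptions[c$uid];
    if ( exceptions[c$uid] == exception_threshold )
        print fmt("%s: %d Modbus exceptions from %s (latest: function %d, code %d)",
                  c$uid, exception_threshold, c$id$resp_h, headers$function_code, code);
    }
```

The print calls stand in for whatever notice or log mechanism a deployment uses; the allowlist is deliberately a redef-able constant so it can be set per site without editing the script.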
MySQL analyzer
mysql_command_request
Type: | event (c: connection , command: count , arg: string ) |
---|
Generated for a command request from a MySQL client.
See the MySQL documentation for more information about the MySQL protocol.
C: | The connection. |
---|---|
Command: | The numerical code of the command issued. |
Arg: | The argument for the command (empty string if not provided). |
See also: mysql_error, mysql_ok, mysql_server_version, mysql_handshake
mysql_error
Type: | event (c: connection , code: count , msg: string ) |
---|
Generated for an unsuccessful MySQL response.
See the MySQL documentation for more information about the MySQL protocol.
C: | The connection. |
---|---|
Code: | The error code. |
Msg: | Any extra details about the error (empty string if not provided). |
See also: mysql_command_request, mysql_ok, mysql_server_version, mysql_handshake
mysql_ok
Type: | event (c: connection , affected_rows: count ) |
---|
Generated for a successful MySQL response.
See the MySQL documentation for more information about the MySQL protocol.
C: | The connection. |
---|---|
Affected_rows: | The number of rows that were affected. |
See also: mysql_command_request, mysql_error, mysql_server_version, mysql_handshake
mysql_result_row
Type: | event (c: connection , row: string_vec ) |
---|
Generated for each MySQL ResultsetRow response packet.
See the MySQL documentation for more information about the MySQL protocol.
C: | The connection. |
---|---|
Row: | The result row data. |
See also: mysql_command_request, mysql_error, mysql_server_version, mysql_handshake, mysql_ok
mysql_server_version
Type: | event (c: connection , ver: string ) |
---|
Generated for the initial server handshake packet, which includes the MySQL server version.
See the MySQL documentation for more information about the MySQL protocol.
C: | The connection. |
---|---|
Ver: | The server version string. |
See also: mysql_command_request, mysql_error, mysql_ok, mysql_handshake
mysql_handshake
Type: | event (c: connection , username: string ) |
---|
Generated for a client handshake response packet, which includes the username the client is attempting to connect as.
See the MySQL documentation for more information about the MySQL protocol.
C: | The connection. |
---|---|
Username: | The username supplied by the client. |
See also: mysql_command_request, mysql_error, mysql_ok, mysql_server_version
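The MySQL events arrive separately, so the username from mysql_handshake has to be kept around to make sense of later commands and errors on the same connection. The following script is an added example, not part of the Bro documentation or distribution: it attaches per-connection state to the connection record and uses it to tie queries and access-denied errors to the user. It is a Bro 2.x script with a constructed module name; the command code 3 (COM_QUERY) and error code 1045 (ER_ACCESS_DENIED_ERROR) are MySQL protocol constants.

```bro
# Added example (not from the Bro documentation): correlate MySQL handshake,
# commands and errors per connection.
module MySQLWatch;

type State: record {
    username: string &default="<unknown>";   # set by mysql_handshake
    errors:   count  &default=0;             # error responses seen on this connection
};

# Attach the state to the connection record so it lives and dies with the connection.
redef record connection += {
    mysqlwatch: State &optional;
};

function state_of(c: connection): State
    {
    if ( ! c?$mysqlwatch )
        c$mysqlwatch = [$username="<unknown>", $errors=0];
    return c$mysqlwatch;
    }

event mysql_server_version(c: connection, ver: string)
    {
    print fmt("%s: MySQL server %s announces version %s", c$uid, c$id$resp_h, ver);
    }

event mysql_handshake(c: connection, username: string)
    {
    local s = state_of(c);
    s$username = username;
    }

event mysql_command_request(c: connection, command: count, arg: string)
    {
    # Only COM_QUERY (3) carries readable SQL; other commands have binary arguments.
    if ( command == 3 )
        print fmt("%s: %s@%s query: %s", c$uid, state_of(c)$username, c$id$orig_h, arg);
    }

event mysql_error(c: connection, code: count, msg: string)
    {
    local s = state_of(c);
    ++s$errors;

    # 1045 is ER_ACCESS_DENIED_ERROR: a failed authentication attempt.
    if ( code == 1045 )
        print fmt("%s: access denied for '%s' from %s: %s",
                  c$uid, s$username, c$id$orig_h, msg);
    }

# Summarise noisy connections when Bro tears the connection state down.
event connection_state_remove(c: connection)
    {
    if ( c?$mysqlwatch && c$mysqlwatch$errors > 0 )
        print fmt("%s: %s@%s produced %d MySQL errors", c$uid, c$mysqlwatch$username,
                  c$id$orig_h, c$mysqlwatch$errors);
    }
```

Records are reference types in Bro, so modifying the State returned by state_of changes the copy stored on the connection.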
NCP analyzer
ncp_request
Type: | event (c: connection , frame_type: count , length: count , func: count ) |
---|
Generated for NCP requests (Netware Core Protocol).
See Wikipedia for more information about the NCP protocol.
C: | The connection. |
---|---|
Frame_type: | The frame type, as specified by the protocol. |
Length: | The length of the request body, excluding the frame header. |
Func: | The requested function, as specified by the protocol. |
See also: ncp_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
ncp_reply
Type: | event (c: connection , frame_type: count , length: count , req_frame: count , req_func: count , completion_code: count ) |
---|
Generated for NCP replies (Netware Core Protocol).
See Wikipedia for more information about the NCP protocol.
C: | The connection. |
---|---|
Frame_type: | The frame type, as specified by the protocol. |
Length: | The length of the request body, excluding the frame header. |
Req_frame: | The frame type from the corresponding request. |
Req_func: | The function code from the corresponding request. |
Completion_code: | The reply’s completion code, as specified by the protocol. |
See also: ncp_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
NetBIOS analyzer support
netbios_session_message
Type: | event (c: connection , is_orig: bool , msg_type: count , data_len: count ) |
---|
Generated for all NetBIOS SSN and DGM messages. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.
C: | The connection, which may be TCP or UDP, depending on the type of the NetBIOS session. |
---|---|
Is_orig: | True if the message was sent by the originator of the connection. |
Msg_type: | The general type of message, as defined in Section 4.3.1 of RFC 1002. |
Data_len: | The length of the message’s payload. |
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
netbios_session_request
Type: | event (c: connection , msg: string ) |
---|
Generated for NetBIOS messages of type session request. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.
C: | The connection, which may be TCP or UDP, depending on the type of the NetBIOS session. |
---|---|
Msg: | The raw payload of the message sent, excluding the common NetBIOS header. |
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
netbios_session_accepted
Type: | event (c: connection , msg: string ) |
---|
Generated for NetBIOS messages of type positive session response. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.
C: | The connection, which may be TCP or UDP, depending on the type of the NetBIOS session. |
---|---|
Msg: | The raw payload of the message sent, excluding the common NetBIOS header. |
See also: netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
netbios_session_rejected
Type: | event (c: connection , msg: string ) |
---|
Generated for NetBIOS messages of type negative session response. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.
C: | The connection, which may be TCP or UDP, depending on the type of the NetBIOS session. |
---|---|
Msg: | The raw payload of the message sent, excluding the common NetBIOS header. |
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
netbios_session_raw_message
Type: | event (c: connection , is_orig: bool , msg: string ) |
---|
Generated for NetBIOS messages of type session message that are not carrying an SMB payload. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.
C: | The connection, which may be TCP or UDP, depending on the type of the NetBIOS session. |
---|---|
Is_orig: | True if the message was sent by the originator of the connection. |
Msg: | The raw payload of the message sent, excluding the common NetBIOS header (i.e., the user_data). |
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
This is an oddly named event. In fact, it’s probably an odd event to have to begin with.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
netbios_session_ret_arg_resp
Type: | event (c: connection , msg: string ) |
---|
Generated for NetBIOS messages of type retarget response. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.
C: | The connection, which may be TCP or UDP, depending on the type of the NetBIOS session. |
---|---|
Msg: | The raw payload of the message sent, excluding the common NetBIOS header. |
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
This is an oddly named event.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
netbios_session_keepalive
Type: | event (c: connection , msg: string ) |
---|
Generated for NetBIOS messages of type keep-alive. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.
C: | The connection, which may be TCP or UDP, depending on the type of the NetBIOS session. |
---|---|
Msg: | The raw payload of the message sent, excluding the common NetBIOS header. |
See also: netbios_session_accepted, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
decode_netbios_name
Type: | function (name: string ) : string |
---|
Decode a NetBIOS name. See http://support.microsoft.com/kb/194203.
Name: | The encoded NetBIOS name, e.g., "FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF" . |
---|---|
Returns: | The decoded NetBIOS name, e.g., "THE NETBIOS NAME" . |
See also: decode_netbios_name_type
decode_netbios_name_type
Type: | function (name: string ) : count |
---|
Converts a NetBIOS name type to its corresponding numeric value. See http://support.microsoft.com/kb/163409.
Name: | The NetBIOS name type. |
---|---|
Returns: | The numeric value of name. |
See also: decode_netbios_name
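netbios_session_request only hands over the raw payload, so the two decode functions above are what turn it into readable names. The following script is an added example, not part of the Bro documentation or distribution: it pulls the called and calling names out of a session request and decodes them, and reports the error code of negative session responses. Layout follows RFC 1002 (section 4.3.2: each name is a length byte of 0x20, 32 first-level-encoded characters and a 0x00 terminator, called name first; section 4.3.4: the negative response body starts with a one-byte error code), with msg excluding the 4-byte session header as the documentation states. Two assumptions are mine: that decode_netbios_name_type accepts the full 32-character encoded name, and that the analyzer's tag is Analyzer::ANALYZER_NETBIOSSSN, which bro_init uses to bind the analyzer to its port since the Todo notes it is off by default.

```bro
# Added example (not from the Bro documentation): decode the names in NetBIOS
# session requests and report rejected sessions.

# The analyzer is not enabled by default; bind it to the session service port.
# Analyzer tag name assumed from the analyzer's name.
event bro_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_NETBIOSSSN, set(139/tcp));
    }

event netbios_session_request(c: connection, msg: string)
    {
    # Two names of 34 bytes each (length byte, 32 encoded chars, terminator).
    if ( |msg| < 68 )
        {
        print fmt("%s: short NetBIOS session request (%d bytes) from %s",
                  c$uid, |msg|, c$id$orig_h);
        return;
        }

    # sub_bytes() counts from 1; skip the length byte in front of each name.
    local called  = sub_bytes(msg, 2, 32);
    local calling = sub_bytes(msg, 36, 32);

    print fmt("%s: %s calling as '%s' (type 0x%x) asks %s for '%s' (type 0x%x)",
              c$uid, c$id$orig_h,
              decode_netbios_name(calling), decode_netbios_name_type(calling),
              c$id$resp_h,
              decode_netbios_name(called), decode_netbios_name_type(called));
    }

event netbios_session_rejected(c: connection, msg: string)
    {
    if ( |msg| < 1 )
        return;

    # RFC 1002 4.3.4: the first payload byte of a negative response is the error code.
    print fmt("%s: %s rejected NetBIOS session from %s, error code 0x%x",
              c$uid, c$id$resp_h, c$id$orig_h, bytestring_to_count(sub_bytes(msg, 1, 1)));
    }
```

Repeated rejections or requests for names that do not exist on the responder are worth a look, since they are what a host scanning for shares looks like from the wire.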
NTLM analyzer
NTLM::Negotiate
Type: |
|
---|
NTLM::Challenge
Type: |
|
---|
NTLM::Authenticate
Type: |
|
---|
NTLM::NegotiateFlags
Type: |
|
---|
NTLM::Version
Type: |
---|
NTLM::AVs
Type: |
|
---|
ntlm_negotiate
Type: | event (c: connection , negotiate: NTLM::Negotiate ) |
---|
Generated for NTLM messages of type negotiate.
C: | The connection. |
---|---|
Negotiate: | The parsed data of the NTLM message. See init-bare for more details. |
See also: ntlm_challenge, ntlm_authenticate
ntlm_challenge
Type: | event (c: connection , challenge: NTLM::Challenge ) |
---|
Generated for NTLM messages of type challenge.
C: | The connection. |
---|---|
Challenge: | The parsed data of the NTLM message. See init-bare for more details. |
See also: ntlm_negotiate, ntlm_authenticate
ntlm_authenticate
Type: | event (c: connection , request: NTLM::Authenticate ) |
---|
Generated for NTLM messages of type authenticate.
C: | The connection. |
---|---|
Request: | The parsed data of the NTLM message. See init-bare for more details. |
See also: ntlm_negotiate, ntlm_challenge
NTP analyzer
ntp_message
Type: | event (u: connection , msg: ntp_msg , excess: string ) |
---|
Generated for all NTP messages. Different from many other of Bro’s events, this one is generated for both client-side and server-side messages.
See Wikipedia for more information about the NTP protocol.
U: | The connection record describing the corresponding UDP flow. |
---|---|
Msg: | The parsed NTP message. |
Excess: | The raw bytes of any optional parts of the NTP packet. Bro does not further parse any optional fields. |
See also: ntp_session_timeout
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Analyzers implementing Dynamic Protocol
POP3 analyzer
pop3_request
Type: | event (c: connection , is_orig: bool , command: string , arg: string ) |
---|
Generated for client-side commands on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Command: | The command sent. |
Arg: | The argument to the command. |
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_reply
Type: | event (c: connection , is_orig: bool , cmd: string , msg: string ) |
---|
Generated for server-side replies to commands on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Cmd: | The success indicator sent by the server. This corresponds to the first token on the line sent, and should be either OK or ERR. |
Msg: | The textual description the server sent along with cmd. |
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_request, pop3_unexpected
Todo
This event is receiving odd parameters, should unify.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_data
Type: | event (c: connection , is_orig: bool , data: string ) |
---|
Generated for server-side multi-line responses on POP3 connections. POP3 connections use multi-line responses to send bulk data, such as the actual mails. This event is generated once for each line that’s part of such a response.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | True if the data was sent by the originator of the TCP connection. |
Data: | The data sent. |
See also: pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_unexpected
Type: | event (c: connection , is_orig: bool , msg: string , detail: string ) |
---|
Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds state transitions that do not conform to the protocol specification, or other situations it can’t handle, it raises this event.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | True if the data was sent by the originator of the TCP connection. |
Msg: | A textual description of the situation. |
Detail: | The input that triggered the event. |
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_starttls
Type: | event (c: connection ) |
---|
Generated when a POP3 connection goes encrypted. While POP3 is by default a clear-text protocol, extensions exist to switch to encryption. This event is generated if that happens and the analyzer then stops processing the connection.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_login_success
Type: | event (c: connection , is_orig: bool , user: string , password: string ) |
---|
Generated for successful authentications on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | Always false. |
User: | The user name used for authentication. The event is only generated if a non-empty user name was used. |
Password: | The password used for authentication. |
See also: pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_login_failure
Type: | event (c: connection , is_orig: bool , user: string , password: string ) |
---|
Generated for unsuccessful authentications on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | Always false. |
User: | The user name attempted for authentication. The event is only generated if a non-empty user name was used. |
Password: | The password attempted for authentication. |
See also: pop3_data, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
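As an added example that is not a script from the Bro project, the following handler for pop3_login_failure and pop3_login_success counts failed POP3 logins per client and raises a notice once a threshold is reached, without ever recording the password. The module name, notice type, threshold and window are this example's own choices; the bro_init handler registers the POP3 analyzer on port 110/tcp as the Todo note above describes.

```bro
# Added example, not part of the Bro distribution: POP3 failed-login
# counting built on the pop3_login_failure / pop3_login_success events.
module POP3Failures;

export {
	redef enum Notice::Type += {
		## Raised when one client fails POP3 authentication too often.
		Too_Many_Failures,
	};

	## Failed logins from one client address before a notice is raised
	## (assumed value, tune to the environment).
	const failure_threshold = 5 &redef;

	## A client's failure count is dropped this long after its last failure.
	const failure_window = 10min &redef;
}

# Per-client failure counter; entries expire after failure_window.
global failures: table[addr] of count &default=0 &write_expire=failure_window;

event bro_init()
	{
	# The reference notes the POP3 analyzer is not active by default;
	# registering the standard port enables it.
	Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, set(110/tcp));
	}

event pop3_login_failure(c: connection, is_orig: bool, user: string, password: string)
	{
	local client = c$id$orig_h;
	++failures[client];

	# Raise exactly once per client per window; the password is deliberately
	# left out of the notice text.
	if ( failures[client] == failure_threshold )
		NOTICE([$note=Too_Many_Failures,
		        $msg=fmt("%s failed POP3 login %d times against %s (last user: %s)",
		                 client, failures[client], c$id$resp_h, user),
		        $conn=c,
		        $identifier=cat(client)]);
	}

event pop3_login_success(c: connection, is_orig: bool, user: string, password: string)
	{
	# A successful login clears the client's failure history.
	delete failures[c$id$orig_h];
	}
```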
RADIUS analyzer
RADIUS::Attributes
Type: | table [count ] of RADIUS::AttributeList |
---|
radius_message
Type: | event (c: connection , result: RADIUS::Message ) |
---|
Generated for RADIUS messages.
See Wikipedia for more information about RADIUS.
C: | The connection. |
---|---|
Result: | A record containing fields parsed from a RADIUS packet. |
radius_attribute
Type: | event (c: connection , attr_type: count , value: string ) |
---|
Generated for each RADIUS attribute.
See Wikipedia for more information about RADIUS.
C: | The connection. |
---|---|
Attr_type: | The value of the code field (1 == User-Name, 2 == User-Password, etc.). |
Value: | The data/value bound to the attribute. |
RDP analyzer
RDP::EarlyCapabilityFlags
Type: | record with fields support_err_info_pdu, want_32bpp_session, support_statusinfo_pdu, strong_asymmetric_keys, support_monitor_layout_pdu, support_netchar_autodetect, support_dynvc_gfx_protocol, support_dynamic_time_zone, support_heartbeat_pdu |
---|
RDP::ClientCoreData
Type: | record with fields version_major, version_minor, desktop_width, desktop_height, color_depth, sas_sequence, keyboard_layout, client_build, client_name, keyboard_type, keyboard_sub, keyboard_function_key, ime_file_name, post_beta2_color_depth, client_product_id, serial_number, high_color_depth, supported_color_depths, ec_flags |
---|
rdp_connect_request
Type: | event (c: connection , cookie: string ) |
---|
Generated for X.224 client requests.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Cookie: | The cookie included in the request. |
rdp_negotiation_response
Type: | event (c: connection , security_protocol: count ) |
---|
Generated for RDP Negotiation Response messages.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Security_protocol: | The security protocol selected by the server. |
rdp_negotiation_failure
Type: | event (c: connection , failure_code: count ) |
---|
Generated for RDP Negotiation Failure messages.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Failure_code: | The failure code sent by the server. |
rdp_client_core_data
Type: | event (c: connection , data: RDP::ClientCoreData ) |
---|
Generated for MCS client requests.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Data: | The data contained in the client core data structure. |
rdp_gcc_server_create_response
Type: | event (c: connection , result: count ) |
---|
Generated for MCS server responses.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Result: | The 8-bit integer representing the GCC Conference Create Response result. |
rdp_server_security
Type: | event (c: connection , encryption_method: count , encryption_level: count ) |
---|
Generated for MCS server responses.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Encryption_method: | The 32-bit integer representing the encryption method used in the connection. |
Encryption_level: | The 32-bit integer representing the encryption level used in the connection. |
rdp_server_certificate
Type: | event (c: connection , cert_type: count , permanently_issued: bool ) |
---|
Generated for a server certificate section. If multiple X.509 certificates are included in the chain, this event is still generated only once.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Cert_type: | Indicates the type of certificate. |
Permanently_issued: | True if the certificate(s) are permanent on the server. |
rdp_begin_encryption
Type: | event (c: connection , security_protocol: count ) |
---|
Generated when an RDP session becomes encrypted.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Security_protocol: | The security protocol being used for the session. |
Parser for rfb (VNC) analyzer
rfb_event
Type: | event (c: connection ) |
---|
Generated for an RFB event.
C: | The connection record for the underlying transport-layer session/flow. |
---|
rfb_authentication_type
Type: | event (c: connection , authtype: count ) |
---|
Generated for the RFB authentication mechanism selection event.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Authtype: | The value of the chosen authentication mechanism. |
rfb_auth_result
Type: | event (c: connection , result: bool ) |
---|
Generated for the RFB authentication result message.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Result: | Whether or not authentication was successful. |
Type: | event (c: connection , flag: bool ) |
---|
Generated for RFB share flag messages.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Flag: | Whether or not the share flag was set. |
rfb_client_version
Type: | event (c: connection , major_version: string , minor_version: string ) |
---|
Generated for the RFB client banner message.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Major_version: | The major version of the client's RFB library. |
Minor_version: | The minor version of the client's RFB library. |
rfb_server_version
Type: | event (c: connection , major_version: string , minor_version: string ) |
---|
Generated for the RFB server banner message.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Major_version: | The major version of the server's RFB library. |
Minor_version: | The minor version of the server's RFB library. |
rfb_server_parameters
Type: | event (c: connection , name: string , width: count , height: count ) |
---|
Generated for the RFB server parameter message.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Name: | The name of the shared screen. |
Width: | The width of the shared screen. |
Height: | The height of the shared screen. |
Analyzers for RPC-based protocols
nfs_proc_null
Type: | event (c: connection , info: NFS3::info_t ) |
---|
Generated for NFSv3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_getattr
Type: | event (c: connection , info: NFS3::info_t , fh: string , attrs: NFS3::fattr_t ) |
---|
Generated for NFSv3 request/reply dialogues of type getattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Fh: | TODO. |
Attrs: | The attributes returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, file_mode
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_lookup
Type: | event (c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::lookup_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type lookup. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Req: | The arguments passed in the request. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_read
Type: | event (c: connection , info: NFS3::info_t , req: NFS3::readargs_t , rep: NFS3::read_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type read. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Req: | The arguments passed in the request. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, NFS3::return_data, NFS3::return_data_first_only, NFS3::return_data_max
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_readlink
Type: | event (c: connection , info: NFS3::info_t , fh: string , rep: NFS3::readlink_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type readlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Fh: | The file handle passed in the request. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_write
Type: | event (c: connection , info: NFS3::info_t , req: NFS3::writeargs_t , rep: NFS3::write_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type write. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Req: | TODO. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, NFS3::return_data, NFS3::return_data_first_only, NFS3::return_data_max
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_create
Type: | event (c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type create. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Req: | TODO. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_mkdir
Type: | event (c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type mkdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Req: | TODO. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_remove
Type: | event (c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type remove. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Req: | TODO. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_rmdir
Type: | event (c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type rmdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Req: | TODO. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_readdir
Type: | event (c: connection , info: NFS3::info_t , req: NFS3::readdirargs_t , rep: NFS3::readdir_reply_t ) |
---|
Generated for NFSv3 request/reply dialogues of type readdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Req: | TODO. |
Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_proc_not_implemented
Type: | event (c: connection , info: NFS3::info_t , proc: NFS3::proc_t ) |
---|
Generated for NFSv3 request/reply dialogues of a type that Bro’s NFSv3 analyzer does not implement.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
C: | The RPC connection. |
---|---|
Info: | Reports the status of the dialogue, along with some meta information. |
Proc: | The procedure called that Bro does not implement. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
nfs_reply_status
Type: | event (n: connection , info: NFS3::info_t ) |
---|
Generated for each NFSv3 reply message received, reporting just the status included.
N: | The connection. |
---|---|
Info: | Reports the status included in the reply. |
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_null
Type: | event (r: connection ) |
---|
Generated for Portmapper requests of type null.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|
See also: pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_set
Type: | event (r: connection , m: pm_mapping , success: bool ) |
---|
Generated for Portmapper request/reply dialogues of type set.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
M: | The argument to the request. |
Success: | True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out. |
See also: pm_request_null, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_unset
Type: | event (r: connection , m: pm_mapping , success: bool ) |
---|
Generated for Portmapper request/reply dialogues of type unset.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
M: | The argument to the request. |
Success: | True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out. |
See also: pm_request_null, pm_request_set, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_getport
Type: | event (r: connection , pr: pm_port_request , p: port ) |
---|
Generated for Portmapper request/reply dialogues of type getport.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Pr: | The argument to the request. |
P: | The port returned by the server. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_dump
Type: | event (r: connection , m: pm_mappings ) |
---|
Generated for Portmapper request/reply dialogues of type dump.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
M: | The mappings returned by the server. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_callit
Type: | event (r: connection , call: pm_callit_request , p: port ) |
---|
Generated for Portmapper request/reply dialogues of type callit.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Call: | The argument to the request. |
P: | The port value returned by the call. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_attempt_null
Type: | event (r: connection , status: rpc_status ) |
---|
Generated for failed Portmapper requests of type null.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Status: | The status of the reply, which should be one of the index values of RPC_status. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_attempt_set
Type: | event (r: connection , status: rpc_status , m: pm_mapping ) |
---|
Generated for failed Portmapper requests of type set.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Status: | The status of the reply, which should be one of the index values of RPC_status. |
M: | The argument to the original request. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_attempt_unset
Type: | event (r: connection , status: rpc_status , m: pm_mapping ) |
---|
Generated for failed Portmapper requests of type unset.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Status: | The status of the reply, which should be one of the index values of RPC_status. |
M: | The argument to the original request. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_attempt_getport
Type: | event (r: connection , status: rpc_status , pr: pm_port_request ) |
---|
Generated for failed Portmapper requests of type getport.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Status: | The status of the reply, which should be one of the index values of RPC_status. |
Pr: | The argument to the original request. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_attempt_dump
Type: | event (r: connection , status: rpc_status ) |
---|
Generated for failed Portmapper requests of type dump.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Status: | The status of the reply, which should be one of the index values of
RPC_status . |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_attempt_callit
Type: | event (r: connection , status: rpc_status , call: pm_callit_request ) |
---|
Generated for failed Portmapper requests of type callit.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Status: | The status of the reply, which should be one of the index values of
RPC_status . |
Call: | The argument to the original request. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_bad_port
Type: | event (r: connection , bad_p: count ) |
---|
Generated for Portmapper requests or replies that include an invalid port number. Portmapper encodes ports as unsigned 32-bit integers, so a value of 65536 or more lies outside the valid range of 0–65535; this event is generated whenever such a value is seen.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
R: | The RPC connection. |
---|---|
Bad_p: | The invalid port value. |
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
rpc_dialogue
Type: | event (c: connection , prog: count , ver: count , proc: count , status: rpc_status , start_time: time , call_len: count , reply_len: count ) |
---|
Generated for RPC request/reply pairs. The RPC analyzer associates request and reply by their transaction identifiers and raises this event once both have been seen. If there is no reply, this event will still be generated eventually on timeout; in that case, status will be set to RPC_TIMEOUT.
See Wikipedia for more information about the ONC RPC protocol.
C: | The connection. |
---|---|
Prog: | The remote program to call. |
Ver: | The version of the remote program to call. |
Proc: | The procedure of the remote program to call. |
Status: | The status of the reply, which should be one of the index values of
RPC_status . |
Start_time: | The time when the call was seen. |
Call_len: | The size of the call_body PDU. |
Reply_len: | The size of the reply_body PDU. |
See also: rpc_call, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
rpc_call
Type: | event (c: connection , xid: count , prog: count , ver: count , proc: count , call_len: count ) |
---|
Generated for RPC call messages.
See Wikipedia for more information about the ONC RPC protocol.
C: | The connection. |
---|---|
Xid: | The transaction identifier allowing to match requests with replies. |
Prog: | The remote program to call. |
Ver: | The version of the remote program to call. |
Proc: | The procedure of the remote program to call. |
Call_len: | The size of the call_body PDU. |
See also: rpc_dialogue, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
rpc_reply
Type: | event (c: connection , xid: count , status: rpc_status , reply_len: count ) |
---|
Generated for RPC reply messages.
See Wikipedia for more information about the ONC RPC protocol.
C: | The connection. |
---|---|
Xid: | The transaction identifier allowing to match requests with replies. |
Status: | The status of the reply, which should be one of the index values of
RPC_status . |
Reply_len: | The size of the reply_body PDU. |
See also: rpc_call, rpc_dialogue, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
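The Todo notes on the pm_* and rpc_* events above all say the same thing: nothing attaches the Portmapper analyzer to a port, so none of these events fire until a script does it. The following is an added example script, not part of the Bro distribution or of this reference, that registers the analyzer and then acts on three of the events documented above: pm_bad_port (out-of-range port values), the callit request/attempt pair (the portmapper relaying a call to another RPC program on the same host, which hides the real target from port-based filtering), and rpc_dialogue with status RPC_TIMEOUT. It assumes the analyzer tag Analyzer::ANALYZER_PORTMAPPER, the conventional ports 111/tcp and 111/udp, the pm_callit_request fields program, version and proc, and the RPC_status table for rendering status codes; the Notice::Type names are this example's own.

```zeek
@load base/frameworks/notice

module PortmapperWatch;

export {
    redef enum Notice::Type += {
        ## A Portmapper message carried a port value outside 0-65535.
        Bad_Port,
        ## A client asked the portmapper to relay a call (PMAPPROC_CALLIT).
        Callit_Relay,
        ## An RPC call received no reply before the analyzer's timeout.
        RPC_Timeout,
    };

    ## Ports to attach the Portmapper analyzer to. Assumption: the
    ## conventional 111/tcp and 111/udp; redef for non-standard deployments.
    const pm_ports: set[port] = { 111/tcp, 111/udp } &redef;
}

event bro_init()
    {
    # Nothing registers this analyzer by default, so without this call
    # none of the pm_* or rpc_* events are ever generated.
    Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, pm_ports);
    }

event pm_bad_port(r: connection, bad_p: count)
    {
    # bad_p is the raw 32-bit value; anything >= 65536 cannot be a port and
    # usually means a malformed or crafted message.
    NOTICE([$note=Bad_Port, $conn=r,
            $msg=fmt("Portmapper message carried invalid port value %d", bad_p),
            $identifier=cat(r$id$orig_h, bad_p), $suppress_for=1hr]);
    }

event pm_request_callit(r: connection, call: pm_callit_request, p: port)
    {
    # A successful relay: record which program/procedure was reached through
    # the portmapper and which port the reply came from.
    NOTICE([$note=Callit_Relay, $conn=r,
            $msg=fmt("%s relayed a call to program %d v%d proc %d via portmapper (reply port %s)",
                     r$id$orig_h, call$program, call$version, call$proc, p)]);
    }

event pm_attempt_callit(r: connection, status: rpc_status, call: pm_callit_request)
    {
    # Failed relays matter too: a scanner walking program numbers produces
    # a run of these, and RPC_status turns the enum into a readable string.
    NOTICE([$note=Callit_Relay, $conn=r,
            $msg=fmt("%s callit to program %d v%d proc %d failed: %s",
                     r$id$orig_h, call$program, call$version, call$proc,
                     RPC_status[status])]);
    }

event rpc_dialogue(c: connection, prog: count, ver: count, proc: count,
                   status: rpc_status, start_time: time,
                   call_len: count, reply_len: count)
    {
    # rpc_dialogue fires on timeout as well as on a matched reply; only the
    # timeout case is interesting here.
    if ( status != RPC_TIMEOUT )
        return;

    NOTICE([$note=RPC_Timeout, $conn=c,
            $msg=fmt("no reply to RPC program %d v%d proc %d (%d-byte call sent at %s)",
                     prog, ver, proc, call_len,
                     strftime("%Y-%m-%d %H:%M:%S", start_time))]);
    }
```

The register_for_ports call is the part the Todo notes ask for; a DPD signature would work instead for portmappers listening on non-standard ports. The example raises notices rather than writing a log so that it composes with whatever Notice policy is already in place.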
SIP analyzer UDP-only
sip_request
Type: | event (c: connection , method: string , original_URI: string , version: string ) |
---|
Generated for SIP requests, used in Voice over IP (VoIP).
This event is generated as soon as a request’s initial line has been parsed.
See Wikipedia for more information about the SIP protocol.
C: | The connection. |
---|---|
Method: | The SIP method extracted from the request (e.g., REGISTER , NOTIFY ). |
Original_URI: | The unprocessed URI as specified in the request. |
Version: | The version number specified in the request (e.g., 2.0 ). |
See also: sip_reply, sip_header, sip_all_headers, sip_begin_entity, sip_end_entity
sip_reply
Type: | event (c: connection , version: string , code: count , reason: string ) |
---|
Generated for SIP replies, used in Voice over IP (VoIP).
This event is generated as soon as a reply’s initial line has been parsed.
See Wikipedia for more information about the SIP protocol.
C: | The connection. |
---|---|
Version: | The SIP version in use. |
Code: | The response code. |
Reason: | Textual details for the response code. |
See also: sip_request, sip_header, sip_all_headers, sip_begin_entity, sip_end_entity
sip_header
Type: | event (c: connection , is_orig: bool , name: string , value: string ) |
---|
Generated for each SIP header.
See Wikipedia for more information about the SIP protocol.
C: | The connection. |
---|---|
Is_orig: | Whether the header came from the originator. |
Name: | Header name. |
Value: | Header value. |
See also: sip_request, sip_reply, sip_all_headers, sip_begin_entity, sip_end_entity
sip_all_headers
Type: | event (c: connection , is_orig: bool , hlist: mime_header_list ) |
---|
Generated once for all SIP headers from the originator or responder.
See Wikipedia for more information about the SIP protocol.
C: | The connection. |
---|---|
Is_orig: | Whether the headers came from the originator. |
Hlist: | All the headers and their values. |
See also: sip_request, sip_reply, sip_header, sip_begin_entity, sip_end_entity
sip_begin_entity
Type: | event (c: connection , is_orig: bool ) |
---|
Generated at the beginning of a SIP message.
This event is generated as soon as a message’s initial line has been parsed.
See Wikipedia for more information about the SIP protocol.
C: | The connection. |
---|---|
Is_orig: | Whether the message came from the originator. |
See also: sip_request, sip_reply, sip_header, sip_all_headers, sip_end_entity
sip_end_entity
Type: | event (c: connection , is_orig: bool ) |
---|
Generated at the end of a SIP message.
See Wikipedia for more information about the SIP protocol.
C: | The connection. |
---|---|
Is_orig: | Whether the message came from the originator. |
See also: sip_request, sip_reply, sip_header, sip_all_headers, sip_begin_entity
SMB analyzer
SMB::pipe_filenames
Type: | set [string ] |
---|---|
Attributes: | &redef |
Default: |
{
"lsarpc",
"samr",
"MsFteWds",
"spoolss",
"winreg",
"srvsvc",
"netdfs",
"wkssvc"
}
A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Bro.
See also: smb_pipe_connect_heuristic
SMB1::NegotiateResponse
Type: | record |
---|
SMB1::NegotiateResponseLANMAN
Type: | record |
---|
SMB1::NegotiateResponseNTLM
Type: | record |
---|
SMB1::NegotiateResponseSecurity
Type: | record |
---|
SMB1::NegotiateRawMode
Type: | record |
---|
SMB1::NegotiateCapabilities
Type: | record |
---|
SMB1::SessionSetupAndXRequest
Type: | record |
---|
SMB1::SessionSetupAndXResponse
Type: | record |
---|
SMB1::SessionSetupAndXCapabilities
Type: | record |
---|
SMB1::Find_First2_Request_Args
Type: | record |
---|
SMB1::Find_First2_Response_Args
Type: | record |
---|
SMB2::CloseResponse
Type: | record |
---|
The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.
For more information, see MS-SMB2:2.2.16
See also: smb2_close_response
SMB2::NegotiateResponse
Type: | record |
---|
The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.
For more information, see MS-SMB2:2.2.4
See also: smb2_negotiate_response
SMB2::SessionSetupRequest
Type: | record |
---|
The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.5
See also: smb2_session_setup_request
SMB2::SessionSetupResponse
Type: | record |
---|
The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.6
See also: smb2_session_setup_response
SMB2::SessionSetupFlags
Type: | record |
---|
A flags field that indicates additional information about the session that’s sent in the session_setup response.
For more information, see MS-SMB2:2.2.6
See also: smb2_session_setup_response
SMB2::TreeConnectResponse
Type: | record |
---|
The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.
For more information, see MS-SMB2:2.2.9
See also: smb2_tree_connect_response
SMB::MACTimes
Type: | record |
---|
MAC times for a file.
For more information, see MS-SMB2:2.2.16
See also: smb1_nt_create_andx_response, smb2_create_response
SMB1::Header
Type: | record |
---|
An SMB1 header.
See also: smb1_message, smb1_empty_response, smb1_error, smb1_check_directory_request, smb1_check_directory_response, smb1_close_request, smb1_create_directory_request, smb1_create_directory_response, smb1_echo_request, smb1_echo_response, smb1_negotiate_request, smb1_negotiate_response, smb1_nt_cancel_request, smb1_nt_create_andx_request, smb1_nt_create_andx_response, smb1_query_information_request, smb1_read_andx_request, smb1_read_andx_response, smb1_session_setup_andx_request, smb1_session_setup_andx_response, smb1_transaction_request, smb1_transaction2_request, smb1_trans2_find_first2_request, smb1_trans2_query_path_info_request, smb1_trans2_get_dfs_referral_request, smb1_tree_connect_andx_request, smb1_tree_connect_andx_response, smb1_tree_disconnect, smb1_write_andx_request, smb1_write_andx_response
SMB2::Header
Type: | record |
---|
An SMB2 header.
For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2
See also: smb2_message, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_file_rename, smb2_file_delete, smb2_tree_connect_request, smb2_tree_connect_response, smb2_write_request
SMB2::GUID
Type: | record |
---|
An SMB2 globally unique identifier which identifies a file.
For more information, see MS-SMB2:2.2.14.1
See also: smb2_close_request, smb2_create_response, smb2_read_request, smb2_file_rename, smb2_file_delete, smb2_write_request
SMB2::FileAttrs
Type: | record |
---|
A series of boolean flags describing basic and extended file attributes for SMB2.
For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6
See also: smb2_create_response
smb1_check_directory_request
Type: | event (c: connection , hdr: SMB1::Header , directory_name: string ) |
---|
Generated for SMB/CIFS version 1 requests of type check directory. This is used by the client to verify that a specified path resolves to a valid directory on the server.
For more information, see MS-CIFS:2.2.4.17
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Directory_name: | The directory name to check for existence. |
See also: smb1_message, smb1_check_directory_response
smb1_check_directory_response
Type: | event (c: connection , hdr: SMB1::Header ) |
---|
Generated for SMB/CIFS version 1 responses of type check directory. This is the server response to the check directory request.
For more information, see MS-CIFS:2.2.4.17
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
See also: smb1_message, smb1_check_directory_request
smb1_close_request
Type: | event (c: connection , hdr: SMB1::Header , file_id: count ) |
---|
Generated for SMB/CIFS version 1 requests of type close. This is used by the client to close an instance of an object associated with a valid file ID.
For more information, see MS-CIFS:2.2.4.5
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
File_id: | The file identifier being closed. |
See also: smb1_message
smb1_create_directory_request
Type: | event (c: connection , hdr: SMB1::Header , directory_name: string ) |
---|
Generated for SMB/CIFS version 1 requests of type create directory. This is a deprecated command which has been replaced by the trans2_create_directory subcommand. This is used by the client to create a new directory on the server, relative to a connected share.
For more information, see MS-CIFS:2.2.4.1
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Directory_name: | The name of the directory to create. |
See also: smb1_message, smb1_create_directory_response, smb1_transaction2_request
smb1_create_directory_response
Type: | event (c: connection , hdr: SMB1::Header ) |
---|
Generated for SMB/CIFS version 1 responses of type create directory. This is a deprecated command which has been replaced by the trans2_create_directory subcommand. This is the server response to the create directory request.
For more information, see MS-CIFS:2.2.4.1
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
See also: smb1_message, smb1_create_directory_request, smb1_transaction2_request
smb1_echo_request
Type: | event (c: connection , echo_count: count , data: string ) |
---|
Generated for SMB/CIFS version 1 requests of type echo. This is sent by the client to test the transport layer connection with the server.
For more information, see MS-CIFS:2.2.4.39
C: | The connection. |
---|---|
Echo_count: | The number of times the server should echo the data back. |
Data: | The data for the server to echo. |
See also: smb1_message, smb1_echo_response
smb1_echo_response
Type: | event (c: connection , seq_num: count , data: string ) |
---|
Generated for SMB/CIFS version 1 responses of type echo. This is the server response to the echo request.
For more information, see MS-CIFS:2.2.4.39
C: | The connection. |
---|---|
Seq_num: | The sequence number of this echo reply. |
Data: | The data echoed back to the client. |
See also: smb1_message, smb1_echo_request
smb1_logoff_andx
Type: | event (c: connection , is_orig: bool ) |
---|
Generated for SMB/CIFS version 1 requests of type logoff andx. This is used by the client to logoff the user connection represented by UID in the SMB Header. The server releases all locks and closes all files currently open by this user, disconnects all tree connects, cancels any outstanding requests for this UID, and invalidates the UID.
For more information, see MS-CIFS:2.2.4.54
C: | The connection. |
---|---|
Is_orig: | Indicates which host sent the logoff message. |
See also: smb1_message
smb1_negotiate_request
Type: | event (c: connection , hdr: SMB1::Header , dialects: string_vec ) |
---|
Generated for SMB/CIFS version 1 requests of type negotiate. This is sent by the client to initiate an SMB connection between the client and the server. A negotiate exchange MUST be completed before any other SMB messages are sent to the server.
For more information, see MS-CIFS:2.2.4.52
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Dialects: | The SMB dialects supported by the client. |
See also: smb1_message, smb1_negotiate_response
smb1_negotiate_response
Type: | event (c: connection , hdr: SMB1::Header , response: SMB1::NegotiateResponse ) |
---|
Generated for SMB/CIFS version 1 responses of type negotiate. This is the server response to the negotiate request.
For more information, see MS-CIFS:2.2.4.52
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Response: | A record structure containing more information from the response. |
See also: smb1_message, smb1_negotiate_request
smb1_nt_create_andx_request
Type: | event (c: connection , hdr: SMB1::Header , file_name: string ) |
---|
Generated for SMB/CIFS version 1 requests of type nt create andx. This is sent by the client to create and open a new file, or to open an existing file, or to open and truncate an existing file to zero length, or to create a directory, or to create a connection to a named pipe.
For more information, see MS-CIFS:2.2.4.64
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
File_name: | The name attribute specified in the message. |
See also: smb1_message, smb1_nt_create_andx_response
smb1_nt_create_andx_response
Type: | event (c: connection , hdr: SMB1::Header , file_id: count , file_size: count , times: SMB::MACTimes ) |
---|
Generated for SMB/CIFS version 1 responses of type nt create andx. This is the server response to the nt create andx request.
For more information, see MS-CIFS:2.2.4.64
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
File_id: | The file identifier (FID) the server assigned to the opened file. |
File_size: | Size of the file. |
Times: | Timestamps associated with the file in question. |
See also: smb1_message, smb1_nt_create_andx_request
smb1_nt_cancel_request
Type: | event (c: connection , hdr: SMB1::Header ) |
---|
Generated for SMB/CIFS version 1 requests of type nt cancel. This is sent by the client to request that a currently pending request be cancelled.
For more information, see MS-CIFS:2.2.4.65
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
See also: smb1_message
smb1_query_information_request
Type: | event (c: connection , hdr: SMB1::Header , filename: string ) |
---|
Generated for SMB/CIFS version 1 requests of type query information. This is a deprecated command which has been replaced by the trans2_query_path_information subcommand. This is used by the client to obtain attribute information about a file.
For more information, see MS-CIFS:2.2.4.9
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Filename: | The filename that the client is querying. |
See also: smb1_message, smb1_transaction2_request
smb1_read_andx_request
Type: | event (c: connection , hdr: SMB1::Header , file_id: count , offset: count , length: count ) |
---|
Generated for SMB/CIFS version 1 requests of type read andx. This is sent by the client to read bytes from a regular file, a named pipe, or a directly accessible device such as a serial port (COM) or printer port (LPT).
For more information, see MS-CIFS:2.2.4.42
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
File_id: | The file identifier being read from. |
Offset: | The byte offset the requested read begins at. |
Length: | The number of bytes being requested. |
See also: smb1_message, smb1_read_andx_response
smb1_read_andx_response
Type: | event (c: connection , hdr: SMB1::Header , data_len: count ) |
---|
Generated for SMB/CIFS version 1 responses of type read andx. This is the server response to the read andx request.
For more information, see MS-CIFS:2.2.4.42
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Data_len: | The length of data from the requested file. |
See also: smb1_message, smb1_read_andx_request
smb1_session_setup_andx_request
Type: | event (c: connection , hdr: SMB1::Header , request: SMB1::SessionSetupAndXRequest ) |
---|
Generated for SMB/CIFS version 1 requests of type session setup andx. This is sent by the client to configure an SMB session.
For more information, see MS-CIFS:2.2.4.53
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Request: | The parsed request data of the SMB message. See init-bare for more details. |
See also: smb1_message, smb1_session_setup_andx_response
smb1_session_setup_andx_response
Type: | event (c: connection , hdr: SMB1::Header , response: SMB1::SessionSetupAndXResponse ) |
---|
Generated for SMB/CIFS version 1 responses of type session setup andx. This is the server response to the session setup andx request.
For more information, see MS-CIFS:2.2.4.53
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Response: | The parsed response data of the SMB message. See init-bare for more details. |
See also: smb1_message, smb1_session_setup_andx_request
smb1_transaction_request
Type: | event (c: connection , hdr: SMB1::Header , name: string , sub_cmd: count ) |
---|
Generated for SMB/CIFS version 1 requests of type transaction. This command serves as the transport for the Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system.
For more information, see MS-CIFS:2.2.4.33
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Name: | A name string that MAY identify the resource (a specific Mailslot or Named Pipe) against which the operation is performed. |
Sub_cmd: | The sub command, some may be parsed and have their own events. |
See also: smb1_message, smb1_transaction2_request
smb1_transaction2_request
Type: | event (c: connection , hdr: SMB1::Header , sub_cmd: count ) |
---|
Generated for SMB/CIFS version 1 requests of type transaction2. This command serves as the transport for the Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system. Compared to the Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended Attribute key/value pairs, make use of long file names (longer than the original 8.3 format names), and perform directory searches, among other tasks.
For more information, see MS-CIFS:2.2.4.46
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Sub_cmd: | The sub command, some are parsed and have their own events. |
See also: smb1_message, smb1_trans2_find_first2_request, smb1_trans2_query_path_info_request, smb1_trans2_get_dfs_referral_request, smb1_transaction_request
smb1_trans2_find_first2_request
Type: | event (c: connection , hdr: SMB1::Header , args: SMB1::Find_First2_Request_Args ) |
---|
Generated for SMB/CIFS version 1 transaction2 requests of subtype find first2. This transaction is used to begin a search for file(s) within a directory, or for a directory itself.
For more information, see MS-CIFS:2.2.6.2
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Args: | A record data structure with arguments given to the command. |
See also: smb1_message, smb1_transaction2_request, smb1_trans2_query_path_info_request, smb1_trans2_get_dfs_referral_request
smb1_trans2_query_path_info_request
Type: | event (c: connection , hdr: SMB1::Header , file_name: string ) |
---|
Generated for SMB/CIFS version 1 transaction2 requests of subtype query path info. This transaction is used to get information about a specific file or directory.
For more information, see MS-CIFS:2.2.6.6
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
File_name: | File name the request is in reference to. |
See also: smb1_message, smb1_transaction2_request, smb1_trans2_find_first2_request, smb1_trans2_get_dfs_referral_request
smb1_trans2_get_dfs_referral_request
Type: | event (c: connection , hdr: SMB1::Header , file_name: string ) |
---|
Generated for SMB/CIFS version 1 transaction2 requests of subtype get DFS referral. This transaction is used to request a referral for a disk object in DFS.
For more information, see MS-CIFS:2.2.6.16
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
File_name: | File name the request is in reference to. |
See also: smb1_message, smb1_transaction2_request, smb1_trans2_find_first2_request, smb1_trans2_query_path_info_request
smb1_tree_connect_andx_request
Type: | event (c: connection , hdr: SMB1::Header , path: string , service: string ) |
---|
Generated for SMB/CIFS version 1 requests of type tree connect andx. This is sent by the client to establish a connection to a server share.
For more information, see MS-CIFS:2.2.4.55
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Path: | The path attribute specified in the message. |
Service: | The service attribute specified in the message. |
See also: smb1_message, smb1_tree_connect_andx_response
smb1_tree_connect_andx_response
Type: | event (c: connection , hdr: SMB1::Header , service: string , native_file_system: string ) |
---|
Generated for SMB/CIFS version 1 responses of type tree connect andx. This is the server reply to the tree connect andx request.
For more information, see MS-CIFS:2.2.4.55
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Service: | The service attribute specified in the message. |
Native_file_system: | The file system of the remote share, as indicated by the server. |
See also: smb1_message, smb1_tree_connect_andx_request
smb1_tree_disconnect
Type: | event (c: connection , hdr: SMB1::Header , is_orig: bool ) |
---|
Generated for SMB/CIFS version 1 requests of type tree disconnect. This is sent by the client to logically disconnect client access to a server resource.
For more information, see MS-CIFS:2.2.4.51
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Is_orig: | True if the message was from the originator. |
See also: smb1_message
smb1_write_andx_request
Type: | event (c: connection , hdr: SMB1::Header , file_id: count , offset: count , data_len: count ) |
---|
Generated for SMB/CIFS version 1 requests of type write andx. This is sent by the client to write bytes to a regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM) or printer port (LPT).
For more information, see MS-CIFS:2.2.4.43
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
File_id: | The file identifier being written to. |
Offset: | The byte offset into the referenced file at which the data is being written. |
Data_len: | The number of bytes being written. |
See also: smb1_message, smb1_write_andx_response
smb1_write_andx_response
Type: | event (c: connection , hdr: SMB1::Header , written_bytes: count ) |
---|
Generated for SMB/CIFS version 1 responses of type write andx. This is the server response to the write andx request.
For more information, see MS-CIFS:2.2.4.43
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Written_bytes: | The number of bytes the server reported having actually written. |
See also: smb1_message, smb1_write_andx_request
smb1_message
Type: | event (c: connection , hdr: SMB1::Header , is_orig: bool ) |
---|
Generated for all SMB/CIFS version 1 messages.
See Wikipedia for more information about the SMB/CIFS protocol. Bro’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on port 139/tcp and SMB-over-TCP on port 445/tcp.
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 1 message. |
Is_orig: | True if the message was sent by the originator of the underlying transport-level connection. |
See also: smb2_message
smb1_empty_response
Type: | event (c: connection , hdr: SMB1::Header ) |
---|
Generated when there is an SMB version 1 response with no message body.
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB message. |
See also: smb1_message
smb1_error
Type: | event (c: connection , hdr: SMB1::Header , is_orig: bool ) |
---|
Generated for SMB version 1 messages that indicate an error. This event is triggered by an SMB header including a status that signals an error.
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB message. |
Is_orig: | True if the message was sent by the originator of the underlying transport-level connection. |
See also: smb1_message
smb2_close_request
Type: | event (c: connection , hdr: SMB2::Header , file_id: SMB2::GUID ) |
---|
Generated for SMB/CIFS version 2 requests of type close. This is used by the client to close an instance of a file that was opened previously with a successful SMB2 CREATE Request.
For more information, see MS-SMB2:2.2.15
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
File_id: | The SMB2 GUID of the file being closed. |
See also: smb2_message, smb2_close_response
smb2_close_response
Type: | event (c: connection , hdr: SMB2::Header , response: SMB2::CloseResponse ) |
---|
Generated for SMB/CIFS version 2 responses of type close. This is sent by the server to indicate that an SMB2 CLOSE request was processed successfully.
For more information, see MS-SMB2:2.2.16
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
Response: | A record of attributes returned from the server from the close. |
See also: smb2_message, smb2_close_request
smb2_create_request
Type: | event (c: connection , hdr: SMB2::Header , file_name: string ) |
---|
Generated for SMB/CIFS version 2 requests of type create. This is sent by the client to request either creation of or access to a file.
For more information, see MS-SMB2:2.2.13
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
File_name: | The name of the file being requested. |
See also: smb2_message, smb2_create_response
smb2_create_response
Type: | event (c: connection , hdr: SMB2::Header , file_id: SMB2::GUID , size: count , times: SMB::MACTimes , attrs: SMB2::FileAttrs ) |
---|
Generated for SMB/CIFS version 2 responses of type create. This is sent by the server to notify the client of the status of its SMB2 CREATE request.
For more information, see MS-SMB2:2.2.14
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
File_id: | The SMB2 GUID for the file. |
Size: | Size of the file. |
Times: | Timestamps associated with the file in question. |
Attrs: | File attributes. |
See also: smb2_message, smb2_create_request
smb2_negotiate_request
Type: | event (c: connection , hdr: SMB2::Header , dialects: index_vec ) |
---|
Generated for SMB/CIFS version 2 requests of type negotiate. This is used by the client to notify the server what dialects of the SMB2 Protocol the client understands.
For more information, see MS-SMB2:2.2.3
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
Dialects: | A vector of the client’s supported dialects. |
See also: smb2_message, smb2_negotiate_response
smb2_negotiate_response
Type: | event (c: connection , hdr: SMB2::Header , response: SMB2::NegotiateResponse ) |
---|
Generated for SMB/CIFS version 2 responses of type negotiate. This is sent by the server to notify the client of the preferred common dialect.
For more information, see MS-SMB2:2.2.4
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
Response: | The negotiate response data structure. |
See also: smb2_message, smb2_negotiate_request
smb2_read_request
Type: | event (c: connection , hdr: SMB2::Header , file_id: SMB2::GUID , offset: count , length: count ) |
---|
Generated for SMB/CIFS version 2 requests of type read. This is sent by the client to request a read operation on the specified file.
For more information, see MS-SMB2:2.2.19
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
File_id: | The GUID being used for the file. |
Offset: | How far into the file this read should be taking place. |
Length: | The number of bytes of the file being read. |
See also: smb2_message
smb2_session_setup_request
Type: | event (c: connection , hdr: SMB2::Header , request: SMB2::SessionSetupRequest ) |
---|
Generated for SMB/CIFS version 2 requests of type session_setup. This is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.5
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
Request: | A record containing more information related to the request. |
See also: smb2_message, smb2_session_setup_response
smb2_session_setup_response
Type: | event (c: connection , hdr: SMB2::Header , response: SMB2::SessionSetupResponse ) |
---|
Generated for SMB/CIFS version 2 responses of type session_setup. This is sent by the server in response to a session_setup request.
For more information, see MS-SMB2:2.2.6
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
Response: | A record containing more information related to the response. |
See also: smb2_message, smb2_session_setup_request
smb2_file_rename
Type: | event (c: connection , hdr: SMB2::Header , file_id: SMB2::GUID , dst_filename: string ) |
---|
Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype.
For more information, see MS-SMB2:2.2.39
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
File_id: | A GUID to identify the file. |
Dst_filename: | The filename to rename the file into. |
See also: smb2_message, smb2_file_delete
smb2_file_delete
Type: | event (c: connection , hdr: SMB2::Header , file_id: SMB2::GUID , delete_pending: bool ) |
---|
Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype.
For more information, see MS-SMB2:2.2.39
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
File_id: | A GUID to identify the file. |
Delete_pending: | True if the file should be deleted when it is closed. |
See also: smb2_message, smb2_file_rename
smb2_tree_connect_request
Type: | event (c: connection , hdr: SMB2::Header , path: string ) |
---|
Generated for SMB/CIFS version 2 requests of type tree_connect. This is sent by a client to request access to a particular share on the server.
For more information, see MS-SMB2:2.2.9
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
Path: | Path of the requested tree. |
See also: smb2_message, smb2_tree_connect_response
smb2_tree_connect_response
Type: | event (c: connection , hdr: SMB2::Header , response: SMB2::TreeConnectResponse ) |
---|
Generated for SMB/CIFS version 2 responses of type tree_connect. This is sent by the server when a tree_connect request is successfully processed by the server.
For more information, see MS-SMB2:2.2.10
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
Response: | A record with more information related to the response. |
See also: smb2_message, smb2_tree_connect_request
smb2_tree_disconnect_request
Type: | event (c: connection , hdr: SMB2::Header ) |
---|
Generated for SMB/CIFS version 2 requests of type tree disconnect. This is sent by the client to logically disconnect client access to a server resource.
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
See also: smb2_message
smb2_tree_disconnect_response
Type: | event (c: connection , hdr: SMB2::Header ) |
---|
Generated for SMB/CIFS version 2 responses of type tree disconnect. This is sent by the server to confirm that the client's access to the server resource has been logically disconnected.
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
See also: smb2_message
smb2_write_request
Type: | event (c: connection , hdr: SMB2::Header , file_id: SMB2::GUID , offset: count , length: count ) |
---|
Generated for SMB/CIFS version 2 requests of type write. This is sent by the client to write data to the file or named pipe on the server.
For more information, see MS-SMB2:2.2.21
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
File_id: | The GUID being used for the file. |
Offset: | How far into the file this write should be taking place. |
Length: | The number of bytes of the file being written. |
See also: smb2_message
smb2_message
Type: | event (c: connection , hdr: SMB2::Header , is_orig: bool ) |
---|
Generated for SMB/CIFS version 2 messages.
See Wikipedia for more information about the SMB/CIFS protocol. Bro’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on TCP port 139 and SMB-over-TCP on port 445.
C: | The connection. |
---|---|
Hdr: | The parsed header of the SMB version 2 message. |
Is_orig: | True if the message came from the originator side. |
See also: smb1_message
smb_pipe_connect_heuristic
Type: | event (c: connection ) |
---|
Generated for SMB connections when a named pipe has been detected heuristically. This happens when the drive mapping (tree connect) was not seen, so the analyzer cannot tell whether to hand the data to the files framework or to the DCE_RPC analyzer. The heuristic can be tuned by adding or removing “named pipe” names in the SMB::pipe_filenames const.
C: | The connection. |
---|
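The tree_connect and create events above are enough to spot one classic lateral-movement pattern: a client mapping an administrative share and then creating an executable on it (the way service-based remote execution tools stage their payload). The script below is an added example written for this page, not part of Bro’s own SMB scripts; the share list, the suffix pattern and the choice to key state by connection uid (rather than by tree_id) are assumptions noted in the comments.

```bro
@load base/frameworks/notice
@load base/protocols/smb

module SMBAdminShare;

export {
	redef enum Notice::Type += {
		## An executable or script was created on an administrative share.
		Exe_On_Admin_Share,
	};

	## Share names treated as administrative (assumption: adjust per environment).
	const admin_shares: set[string] = { "ADMIN$", "C$" } &redef;

	## File suffixes that count as executable content (matched against the lower-cased name).
	const exe_suffix = /\.(exe|dll|bat|cmd|ps1|vbs)$/ &redef;
}

# Share most recently requested on each connection, keyed by connection uid.
# Assumption: a client rarely interleaves tree_connects to several shares before
# creating files; keying on hdr$tree_id would be more precise.
global last_share: table[string] of string &create_expire=1hr;

# Strip the "\\server\" prefix of a tree path and return the share name, upper-cased.
function share_name(path: string): string
	{
	local parts = split_string(path, /\\/);
	return to_upper(parts[|parts| - 1]);
	}

event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
	{
	last_share[c$uid] = share_name(path);
	}

event smb2_create_request(c: connection, hdr: SMB2::Header, file_name: string)
	{
	if ( c$uid !in last_share )
		return;

	local share = last_share[c$uid];
	if ( share !in admin_shares )
		return;

	if ( exe_suffix !in to_lower(file_name) )
		return;

	NOTICE([$note=Exe_On_Admin_Share,
	        $msg=fmt("%s created %s on \\\\%s\\%s", c$id$orig_h, file_name, c$id$resp_h, share),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, share, file_name)]);
	}
```

A create request is also raised for opens of existing files, so the notice fires on reads of an existing binary on C$ as well; correlate with smb2_write_request on the returned file_id if only uploads matter.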
SMTP analyzer
smtp_request
Type: | event (c: connection , is_orig: bool , command: string , arg: string ) |
---|
Generated for client-side SMTP commands.
See Wikipedia for more information about the SMTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “request” might still come from the TCP-level responder. In practice, however, that will rarely happen as TURN is considered insecure and rarely used. |
Command: | The request’s command, without any arguments. |
Arg: | The request command’s arguments. |
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, smtp_reply
Note
Bro does not support the newer ETRN extension yet.
smtp_reply
Type: | event (c: connection , is_orig: bool , code: count , cmd: string , msg: string , cont_resp: bool ) |
---|
Generated for server-side SMTP commands.
See Wikipedia for more information about the SMTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “reply” might still come from the TCP-level originator. In practice, however, that will rarely happen as TURN is considered insecure and rarely used. |
Code: | The reply’s numerical code. |
Cmd: | The SMTP command this reply answers, as tracked by the analyzer (e.g. EHLO, MAIL, RCPT); for the reply that acknowledges the end-of-data marker it is “.”. |
Msg: | The reply’s textual description. |
Cont_resp: | True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further. |
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, smtp_request
Note
Bro doesn’t support the newer ETRN extension yet.
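The cont_resp flag is what makes multi-line replies usable: each “250-” line of an EHLO response arrives as its own smtp_reply event, and only the final “250 ” line has cont_resp set to false. The script below is an added example for this page, not Bro’s own SMTP script; it buffers the EHLO reply lines per connection and raises a notice when the reassembled response does not advertise STARTTLS. The notice type and the 5-minute buffer expiry are assumptions.

```bro
@load base/frameworks/notice
@load base/protocols/smtp

module SMTPEhlo;

export {
	redef enum Notice::Type += {
		## An EHLO response that did not advertise STARTTLS.
		No_STARTTLS_Offered,
	};
}

# Reply lines accumulated per connection while cont_resp is true.
global ehlo_lines: table[string] of string_vec &create_expire=5min;

# Return T if any reassembled EHLO line advertises the STARTTLS extension.
function offers_starttls(lines: string_vec): bool
	{
	for ( i in lines )
		{
		if ( to_upper(lines[i]) == "STARTTLS" )
			return T;
		}
	return F;
	}

event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool)
	{
	# Only the 250 reply to EHLO lists extensions; a 5xx reply to EHLO means
	# the server does not speak ESMTP at all.
	if ( cmd != "EHLO" || code != 250 )
		return;

	if ( c$uid !in ehlo_lines )
		ehlo_lines[c$uid] = vector();

	ehlo_lines[c$uid][|ehlo_lines[c$uid]|] = msg;

	# A continued line ("250-...") means more lines follow; wait for the last one ("250 ...").
	if ( cont_resp )
		return;

	local lines = ehlo_lines[c$uid];
	delete ehlo_lines[c$uid];

	if ( ! offers_starttls(lines) )
		NOTICE([$note=No_STARTTLS_Offered,
		        $msg=fmt("%s answered EHLO without STARTTLS (%d reply lines)", c$id$resp_h, |lines|),
		        $conn=c,
		        $identifier=cat(c$id$resp_h)]);
	}
```

Because no SMTP events are raised after smtp_starttls, only the cleartext EHLO exchange is ever buffered; the second EHLO sent inside the TLS session is invisible to this handler, which is exactly what is wanted here.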
smtp_data
Type: | event (c: connection , is_orig: bool , data: string ) |
---|
Generated for DATA transmitted on SMTP sessions. This event is raised for each chunk of raw data following the DATA SMTP command until the corresponding end marker (a line consisting of a single “.”) is seen. A handler may want to reassemble the pieces as they come in if stream analysis is required.
See Wikipedia for more information about the SMTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the sender of the data is the originator of the TCP connection. |
Data: | The raw data. Note that the size of each chunk is undefined and depends on specifics of the underlying TCP connection. |
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_reply, smtp_request, skip_smtp_data
Note
This event receives the unprocessed raw data. There is a separate set of mime_* events that strip out the outer MIME layer of emails and provide structured access to their content.
smtp_unexpected
Type: | event (c: connection , is_orig: bool , msg: string , detail: string ) |
---|
Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the state of SMTP sessions and reports commands and other activity with this event that it sees even though it would not expect so at the current point of the communication.
See Wikipedia for more information about the SMTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the sender of the unexpected activity is the originator of the TCP connection. |
Msg: | A descriptive message of what was unexpected. |
Detail: | The actual SMTP line triggering the event. |
See also: smtp_data, smtp_request, smtp_reply
smtp_starttls
Type: | event (c: connection ) |
---|
Generated if a connection switched to TLS via STARTTLS or X-ANONYMOUSTLS. After this event no more SMTP events will be raised for the connection; see the SSL analyzer for the SSL events that will be generated from this point on.
C: | The connection. |
---|
skip_smtp_data
Type: | function (c: connection ) : any |
---|
Skips SMTP data until the next email in a connection.
C: | The SMTP connection. |
---|
See also: skip_http_entity_data
SNMP analyzer
SNMP::Header
Type: | version: |
---|
A generic SNMP header data structure that may include data from any version of SNMP. The value of the version field determines which version-specific header field is initialized.
SNMP::HeaderV1
Type: |
community: |
---|
The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.
SNMP::HeaderV2
Type: |
community: |
---|
The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.
SNMP::HeaderV3
Type: |
id: max_size: flags: auth_flag: priv_flag: reportable_flag: security_model: security_params: pdu_context: |
---|
The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.
SNMP::PDU
Type: |
request_id: error_status: error_index: bindings: |
---|
SNMP::TrapPDU
Type: |
enterprise: agent: generic_trap: specific_trap: time_stamp: bindings: |
---|
A Trap-PDU
data structure from RFC 1157.
SNMP::BulkPDU
Type: |
request_id: non_repeaters: max_repititions: bindings: |
---|
A BulkPDU
data structure from RFC 3416.
SNMP::ScopedPDU_Context
Type: |
engine_id: name: |
---|
The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e. just the “context” fields). See RFC 3412.
SNMP::ObjectValue
Type: |
tag: |
---|
A generic SNMP object value that may hold any of the valid ObjectSyntax values from RFC 1155 or RFC 3416. The value is decoded whenever possible and assigned to the appropriate field, which can be determined from the value of the tag field. For tags that can’t be mapped to an appropriate type, the octets field holds the BER-encoded ASN.1 content if there is any (octets is also used for tags such as OCTET STRING or Opaque). Null values only have their tag value set.
SNMP::Binding
Type: |
oid: value: |
---|
The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.
SNMP::Bindings
Type: | vector of SNMP::Binding |
---|
A VarBindList data structure from either RFC 1157 or RFC 3416: a sequence of SNMP::Binding records, each mapping an OID to a value.
snmp_get_request
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::PDU ) |
---|
An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
snmp_get_next_request
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::PDU ) |
---|
An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
snmp_response
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::PDU ) |
---|
An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
snmp_set_request
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::PDU ) |
---|
An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
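A SetRequest carrying a vendor-default community string is about the clearest SNMP misuse signal there is, and the header and PDU records above give a handler everything it needs. The script below is an added example written for this page, not part of Bro’s SNMP scripts. It assumes that SNMP::Header exposes the version-specific headers as optional fields v1, v2 and v3 (this page only lists the version field), that SNMP::Binding has the oid field shown above, and that the community list is tuned locally.

```bro
@load base/frameworks/notice
@load base/protocols/snmp

module SNMPWeakCommunity;

export {
	redef enum Notice::Type += {
		## A SetRequest used a well-known default community string.
		Default_Community_Write,
	};

	## Community strings commonly left at vendor defaults (assumption: extend as needed).
	const default_communities: set[string] = { "public", "private", "admin", "cisco" } &redef;
}

# Pull the community string out of a v1 or v2c header; "" for v3, which has none.
# Assumption: the v1/v2/v3 optional fields of SNMP::Header.
function community_of(h: SNMP::Header): string
	{
	if ( h?$v1 )
		return h$v1$community;
	if ( h?$v2 )
		return h$v2$community;
	return "";
	}

# Collect the OIDs a SetRequest tries to write, for the notice message.
function target_oids(pdu: SNMP::PDU): string
	{
	local oids: string_vec = vector();
	for ( i in pdu$bindings )
		oids[|oids|] = pdu$bindings[i]$oid;
	return join_string_vec(oids, ", ");
	}

event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
	{
	local community = community_of(header);
	if ( community == "" || community !in default_communities )
		return;

	NOTICE([$note=Default_Community_Write,
	        $msg=fmt("SNMP SetRequest (version field %d) from %s with community '%s' on OIDs %s",
	                 header$version, c$id$orig_h, community, target_oids(pdu)),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, community)]);
	}
```

The check is on the request, not on whether the agent accepted it; pairing it with a following snmp_response whose error_status is 0 would confirm that the write actually went through.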
snmp_trap
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::TrapPDU ) |
---|
An SNMP Trap-PDU message from RFC 1157.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
snmp_get_bulk_request
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::BulkPDU ) |
---|
An SNMP GetBulkRequest-PDU message from RFC 3416.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
snmp_inform_request
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::PDU ) |
---|
An SNMP InformRequest-PDU message from RFC 3416.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
snmp_trapV2
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::PDU ) |
---|
An SNMP SNMPv2-Trap-PDU message from RFC 3416.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
snmp_report
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , pdu: SNMP::PDU ) |
---|
An SNMP Report-PDU message from RFC 3416.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Pdu: | An SNMP PDU data structure. |
snmp_unknown_pdu
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , tag: count ) |
---|
An SNMP PDU message of unknown type.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Tag: | The tag of the unknown SNMP PDU. |
snmp_unknown_scoped_pdu
Type: | event (c: connection , is_orig: bool , header: SNMP::Header , tag: count ) |
---|
An SNMPv3 ScopedPDUData of unknown type (neither a plaintext nor an encrypted PDU was in the datagram).
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
Tag: | The tag of the unknown SNMP PDU scope. |
snmp_encrypted_pdu
Type: | event (c: connection , is_orig: bool , header: SNMP::Header ) |
---|
An SNMPv3 encrypted PDU message.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Header: | SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure. |
snmp_unknown_header_version
Type: | event (c: connection , is_orig: bool , version: count ) |
---|
A datagram with an unknown SNMP version.
C: | The connection over which the SNMP datagram is sent. |
---|---|
Is_orig: | True if the datagram was sent by the originator of the connection. |
Version: | The value of the unknown SNMP version. |
SOCKS analyzer
socks_request
Type: | event (c: connection , version: count , request_type: count , sa: SOCKS::Address , p: port , user: string ) |
---|
Generated when a SOCKS request is analyzed.
C: | The parent connection of the proxy. |
---|---|
Version: | The version of SOCKS this message used. |
Request_type: | The type of the request. |
Sa: | Address that the tunneled traffic should be sent to. |
P: | The destination port for the proxied traffic. |
User: | Username given for the SOCKS connection. This is not yet implemented for SOCKSv5. |
socks_reply
Type: | event (c: connection , version: count , reply: count , sa: SOCKS::Address , p: port ) |
---|
Generated when a SOCKS reply is analyzed.
C: | The parent connection of the proxy. |
---|---|
Version: | The version of SOCKS this message used. |
Reply: | The status reply from the server. |
Sa: | The address that the server sent the traffic to. |
P: | The destination port for the proxied traffic. |
socks_login_userpass_request
Type: | event (c: connection , user: string , password: string ) |
---|
Generated when a SOCKS client performs username and password based login.
C: | The parent connection of the proxy. |
---|---|
User: | The given username. |
Password: | The given password. |
socks_login_userpass_reply
Type: | event (c: connection , code: count ) |
---|
Generated when a SOCKS server replies to a username/password login attempt.
C: | The parent connection of the proxy. |
---|---|
Code: | The response code for the attempted login. |
Secure Shell analyzer
SSH::Algorithm_Prefs
Type: |
---|
The client and server each have some preferences for the algorithms used in each direction.
SSH::Capabilities
Type: |
|
---|
This record lists the preferences of an SSH endpoint for algorithm selection. During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. See RFC 4253#section-7.1 for details.
ssh_server_version
Type: | event (c: connection , version: string ) |
---|
An SSH Protocol Version Exchange message from the server. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.
C: | The connection over which the message was sent. |
---|---|
Version: | The identification string |
See also: ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
ssh_client_version
Type: | event (c: connection , version: string ) |
---|
An SSH Protocol Version Exchange message from the client. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.
C: | The connection over which the message was sent. |
---|---|
Version: | The identification string |
See also: ssh_server_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
ssh_auth_successful
Type: | event (c: connection , auth_method_none: bool ) |
---|
This event is generated when an SSH connection was determined to have had a successful authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication success, this event is not raised.
C: | The connection over which the SSH connection took place. |
---|---|
Auth_method_none: | True if the analyzer detected a successful connection before any authentication challenge. The SSH protocol provides a mechanism for unauthenticated access, which some servers support. |
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
ssh_auth_attempted
Type: | event (c: connection , authenticated: bool ) |
---|
This event is generated when an SSH connection was determined to have had an authentication attempt. This determination is based on packet size analysis, and errs on the side of caution: if there is any doubt about whether or not an authentication attempt occurred, this event is not raised.
At this point in the protocol, all we can determine is whether or not the user is authenticated. We don’t know if the particular attempt succeeded or failed, since some servers require multiple authentications (e.g. require both a password AND a pubkey), and could return an authentication failed message which is marked as a partial success.
This event will often be raised multiple times per connection. In almost all connections, it will be raised once unless
C: | The connection over which the SSH connection took place. |
---|---|
Authenticated: | This is true if the analyzer detected a successful connection from the authentication attempt. |
See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
ssh_capabilities
Type: | event (c: connection , cookie: string , capabilities: SSH::Capabilities ) |
---|
During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. This event is generated for each endpoint, when the SSH_MSG_KEXINIT message is seen. See RFC 4253#section-7.1 for details.
C: | The connection over which the SSH connection took place. |
---|---|
Cookie: | The SSH_MSG_KEXINIT cookie - a random value generated by the sender. |
Capabilities: | The list of algorithms and languages that the sender advertises support for, in order of preference. |
See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
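The version exchange and the KEXINIT lists are the two cleartext places where an SSH endpoint reveals its cryptographic posture, and both are available before any authentication. The script below is an added example for this page, not Bro’s own SSH script. It flags a server whose identification string admits protocol 1 and any endpoint that offers a deprecated key exchange or cipher. It assumes that SSH::Capabilities carries kex_algorithms (a string_vec), encryption_algorithms (an SSH::Algorithm_Prefs with optional client_to_server and server_to_client string_vecs) and is_server (a bool), none of which this page lists, and the weak-algorithm sets are a local policy choice.

```bro
@load base/frameworks/notice
@load base/protocols/ssh

module SSHWeakAlgos;

export {
	redef enum Notice::Type += {
		## An endpoint advertised a deprecated key exchange or cipher.
		Weak_Algorithm_Offered,
		## The server's version string admits SSH protocol 1.
		Protocol1_Server,
	};

	## Algorithms considered weak (assumption: tune to local policy).
	const weak_kex: set[string] = {
		"diffie-hellman-group1-sha1",
		"diffie-hellman-group-exchange-sha1",
	} &redef;

	const weak_ciphers: set[string] = {
		"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc", "none",
	} &redef;
}

# Return the names from `offered` that appear in `weak`.
function weak_subset(offered: string_vec, weak: set[string]): string_vec
	{
	local hits: string_vec = vector();
	for ( i in offered )
		{
		if ( offered[i] in weak )
			hits[|hits|] = offered[i];
		}
	return hits;
	}

event ssh_server_version(c: connection, version: string)
	{
	# "SSH-1.5-..." is a protocol 1 server; "SSH-1.99-..." supports both 1 and 2.
	if ( /^SSH-1\./ in version )
		NOTICE([$note=Protocol1_Server,
		        $msg=fmt("%s identifies as %s", c$id$resp_h, version),
		        $conn=c, $identifier=cat(c$id$resp_h)]);
	}

event ssh_capabilities(c: connection, cookie: string, capabilities: SSH::Capabilities)
	{
	# Assumption: field names of SSH::Capabilities as described in the lead-in.
	local side = capabilities$is_server ? "server" : "client";
	local who = capabilities$is_server ? c$id$resp_h : c$id$orig_h;

	local kex = weak_subset(capabilities$kex_algorithms, weak_kex);

	local enc: string_vec = vector();
	if ( capabilities$encryption_algorithms?$client_to_server )
		enc = weak_subset(capabilities$encryption_algorithms$client_to_server, weak_ciphers);

	if ( |kex| == 0 && |enc| == 0 )
		return;

	NOTICE([$note=Weak_Algorithm_Offered,
	        $msg=fmt("%s %s offered kex [%s] cipher [%s]", side, who,
	                 join_string_vec(kex, ","), join_string_vec(enc, ",")),
	        $conn=c,
	        $identifier=cat(side, who)]);
	}
```

Offering a weak algorithm is not the same as negotiating it: the chosen algorithm is the first entry in the client’s list that the server also supports, so a client that lists group1 last for compatibility will trip this notice without ever using it. Treat the server-side hits as the actionable ones and the client-side hits as inventory.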
ssh2_server_host_key
Type: | event (c: connection , key: string ) |
---|
During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH2.
C: | The connection over which the SSH connection took place. |
---|---|
Key: | The server’s public host key. Note that this is the public key itself, and not just the fingerprint or hash. |
See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
ssh1_server_host_key
Type: | event (c: connection , p: string , e: string ) |
---|
During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1.
C: | The connection over which the SSH connection took place. |
---|---|
P: | The prime for the server’s public host key. |
E: | The exponent for the server’s public host key. |
See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
ssh_encrypted_packet
Type: | event (c: connection , orig: bool , len: count ) |
---|
This event is generated when an SSH encrypted packet is seen. It is not handled by default, but is provided for heuristic analysis scripts. Note that you have to set SSH::disable_analyzer_after_detection to false to use this event, which carries a performance penalty.
C: | The connection over which the SSH connection took place. |
---|---|
Orig: | Whether the packet was sent by the originator of the TCP connection. |
Len: | The length of the SSH payload, in bytes. Note that this ignores reassembly, as this is unknown. |
See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
ssh2_dh_server_params
Type: | event (c: connection , p: string , q: string ) |
---|
Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the server DH parameters, which are sent in the SSH_MSG_KEX_DH_GEX_GROUP message as defined in RFC 4419#section-3.
C: | The connection. |
---|---|
P: | The DH prime modulus. |
Q: | The DH generator. |
See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_gss_error, ssh2_ecc_key
ssh2_gss_error
Type: | event (c: connection , major_status: count , minor_status: count , err_msg: string ) |
---|
In the event of a GSS-API error on the server, the server MAY send an error message with some additional details. This event is generated when such an error message is seen. For more information, see RFC 4462#section-2.1.
C: | The connection. |
---|---|
Major_status: | GSS-API major status code. |
Minor_status: | GSS-API minor status code. |
Err_msg: | Detailed human-readable error message |
See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_ecc_key
ssh2_ecc_key
Type: | event (c: connection , is_orig: bool , q: string ) |
---|
The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the client’s or server’s ephemeral public key is seen. For more information, see: RFC 5656#section-4.
C: | The connection |
---|---|
Is_orig: | Did this message come from the originator? |
Q: | The ephemeral public key |
See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error
SSL/TLS and DTLS analyzers
ssl_client_hello
Type: | event (c: connection , version: count , possible_ts: time , client_random: string , session_id: string , ciphers: index_vec ) |
---|
Generated for an SSL/TLS client’s initial hello message. SSL/TLS sessions start with an unencrypted handshake, and Bro extracts as much information out of that as it can. This event provides access to the initial information sent by the client.
See Wikipedia for more information about the SSL/TLS protocol.
C: | The connection. |
---|---|
Version: | The protocol version as extracted from the client’s message. The values are standardized as part of the SSL/TLS protocol. The SSL::version_strings table maps them to descriptive names. |
Possible_ts: | The current time as sent by the client. Note that SSL/TLS does not require clocks to be set correctly, so treat with care. |
Session_id: | The session ID sent by the client (if any). |
Client_random: | The random value sent by the client. For version 2 connections, the client challenge is returned. |
Ciphers: | The list of ciphers the client offered to use. The values are standardized as part of the SSL/TLS protocol. The SSL::cipher_desc table maps them to descriptive names. |
See also: ssl_alert, ssl_established, ssl_extension, ssl_server_hello, ssl_session_ticket_handshake, x509_certificate, ssl_handshake_message, ssl_change_cipher_spec
ssl_server_hello
Type: | event (c: connection , version: count , possible_ts: time , server_random: string , session_id: string , cipher: count , comp_method: count ) |
---|
Generated for an SSL/TLS server’s initial hello message. SSL/TLS sessions start with an unencrypted handshake, and Bro extracts as much information out of that as it can. This event provides access to the initial information sent by the server.
See Wikipedia for more information about the SSL/TLS protocol.
C: | The connection. |
---|---|
Version: | The protocol version as extracted from the server’s message. The values are standardized as part of the SSL/TLS protocol. The SSL::version_strings table maps them to descriptive names. |
Possible_ts: | The current time as sent by the server. Note that SSL/TLS does not require clocks to be set correctly, so treat with care. This value is not sent in TLSv1.3. |
Session_id: | The session ID as sent back by the server (if any). This value is not sent in TLSv1.3. |
Server_random: | The random value sent by the server. For version 2 connections, the connection-id is returned. |
Cipher: | The cipher chosen by the server. The values are standardized as part
of the SSL/TLS protocol. The SSL::cipher_desc table maps
them to descriptive names. |
Comp_method: | The compression method chosen by the server. The values are standardized as part of the SSL/TLS protocol. This value is not sent in TLSv1.3. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_extension
, ssl_session_ticket_handshake
, x509_certificate
, ssl_server_curve
, ssl_dh_server_params
, ssl_handshake_message
, ssl_change_cipher_spec
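The following script is an added example and is not part of Bro’s distribution. It handles both hello events to audit what a server actually negotiated: it remembers the cipher suites each client offered and raises a notice if the server selects a suite that was not in the ClientHello, or a protocol version below a configurable minimum. The module name, the notice names and the minimum version are assumptions of the example; SSL::TLSv12, SSL::version_strings and SSL::cipher_desc are Bro’s own constants and tables.

```bro
# Added example, not Bro's own script: audit ServerHello choices against the
# ClientHello. Notice names, module name and min_version are assumptions.
@load base/frameworks/notice
@load base/protocols/ssl

module TLSAudit;

export {
    redef enum Notice::Type += {
        ## Server selected a cipher suite that was not offered by the client.
        Cipher_Not_Offered,
        ## Server negotiated a protocol version below min_version.
        Legacy_Version,
    };

    ## Lowest acceptable version; SSL::TLSv12 is Bro's constant for 0x0303.
    const min_version = SSL::TLSv12 &redef;
}

# Cipher suites each client offered, keyed by connection uid. Entries expire
# so connections that never see a ServerHello do not accumulate.
global offered: table[string] of set[count] &write_expire=5min;

event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string,
                       ciphers: index_vec)
{
    local s: set[count] = set();
    for ( i in ciphers )
        add s[ciphers[i]];
    offered[c$uid] = s;
}

event ssl_server_hello(c: connection, version: count, possible_ts: time,
                       server_random: string, session_id: string,
                       cipher: count, comp_method: count)
{
    if ( version < min_version )
        NOTICE([$note=Legacy_Version, $conn=c,
                $msg=fmt("server negotiated %s", SSL::version_strings[version]),
                $identifier=cat(c$id$resp_h, c$id$resp_p)]);

    # A suite the client never offered means either a broken server or
    # something in the path rewriting the handshake.
    if ( c$uid in offered && cipher !in offered[c$uid] )
        NOTICE([$note=Cipher_Not_Offered, $conn=c,
                $msg=fmt("server chose %s, which the client did not offer",
                         SSL::cipher_desc[cipher])]);

    delete offered[c$uid];
}
```

Run it against a trace with `bro -r trace.pcap tls-audit.bro` (file name assumed). TLS 1.3 servers still put 0x0303 into the ServerHello version field and announce 1.3 in the supported_versions extension, so they pass the minimum-version check; SSLv2 ServerHellos, for which the version is reported as 0x0002, do not.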
ssl_extension
Type: | event (c: connection , is_orig: bool , code: count , val: string ) |
---|
Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions start with an unencrypted handshake, and Bro extracts as much information out of that as it can. This event provides access to any extensions either side sends as part of an extended hello message.
Note that Bro offers more specialized events for a few extensions.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Code: | The numerical code of the extension. The values are standardized as
part of the SSL/TLS protocol. The SSL::extensions table maps
them to descriptive names. |
Val: | The raw extension value that was sent in the message. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension_ec_point_formats
, ssl_extension_elliptic_curves
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_server_name
, ssl_extension_signature_algorithm
, ssl_extension_key_share
, ssl_extension_psk_key_exchange_modes
, ssl_extension_supported_versions
ssl_extension_elliptic_curves
Type: | event (c: connection , is_orig: bool , curves: index_vec ) |
---|
Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is defined in RFC 4492 and sent by the client in the initial handshake. It gives the list of elliptic curves supported by the client.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Curves: | List of supported elliptic curves. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_ec_point_formats
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_server_name
, ssl_server_curve
, ssl_extension_signature_algorithm
, ssl_extension_key_share
, ssl_extension_psk_key_exchange_modes
, ssl_extension_supported_versions
ssl_extension_ec_point_formats
Type: | event (c: connection , is_orig: bool , point_formats: index_vec ) |
---|
Generated for an SSL/TLS Supported Point Formats extension. This TLS extension is defined in RFC 4492 and sent by the client and/or server in the initial handshake. It gives the list of elliptic curve point formats supported by the sending side.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Point_formats: | List of supported point formats. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_elliptic_curves
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_server_name
, ssl_server_curve
, ssl_extension_signature_algorithm
, ssl_extension_key_share
, ssl_extension_psk_key_exchange_modes
, ssl_extension_supported_versions
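The next script is an added example and not Bro’s own code (nor the JA3 package it resembles). It combines ssl_extension, ssl_extension_elliptic_curves and ssl_extension_ec_point_formats with ssl_client_hello to build a JA3-style client fingerprint: version, cipher suites, extension codes, named curves and point formats are joined into one string and hashed with md5_hash. It relies on the extension events for a ClientHello being raised before ssl_client_hello itself, which is where the fingerprint is finalized. The record, module and function names are assumptions of the example.

```bro
# Added example, not Bro's own script: JA3-style fingerprint of a ClientHello
# built from the extension events plus ssl_client_hello. Names are assumptions.
@load base/protocols/ssl

module ClientFP;

# Pieces of one ClientHello collected across the extension events.
type Parts: record {
    exts: vector of count;
    curves: vector of count;
    points: vector of count;
};

redef record connection += {
    fp: Parts &optional;
};

# Return the per-connection collector, creating it on first use.
function parts(c: connection): Parts
{
    if ( ! c?$fp )
    {
        local e: vector of count = vector();
        local cu: vector of count = vector();
        local po: vector of count = vector();
        c$fp = [$exts=e, $curves=cu, $points=po];
    }
    return c$fp;
}

# GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa: both bytes equal
# and the low nibble 0xa. They change per hello, so they must not be hashed.
function is_grease(v: count): bool
{
    return v / 256 == v % 256 && v % 16 == 10;
}

function join(v: vector of count): string
{
    local out = "";
    for ( i in v )
    {
        if ( is_grease(v[i]) )
            next;
        out = ( out == "" ) ? cat(v[i]) : fmt("%s-%d", out, v[i]);
    }
    return out;
}

event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
{
    if ( is_orig )
    {
        local p = parts(c);
        p$exts[|p$exts|] = code;   # append, preserving wire order
    }
}

event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
{
    if ( is_orig )
    {
        local p = parts(c);
        p$curves = curves;
    }
}

event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
{
    if ( is_orig )
    {
        local p = parts(c);
        p$points = point_formats;
    }
}

# Raised after the hello's extensions have been processed: finalize here.
event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string,
                       ciphers: index_vec)
{
    local p = parts(c);
    local s = fmt("%d,%s,%s,%s,%s", version, join(ciphers), join(p$exts),
                  join(p$curves), join(p$points));
    print fmt("%s %s -> %s:%s client fingerprint %s (%s)", c$uid, c$id$orig_h,
              c$id$resp_h, c$id$resp_p, md5_hash(s), s);
    delete c$fp;
}
```

The fingerprint identifies the TLS stack, not the host, so identical values from many clients are expected for a common browser build. SSLv2 hellos carry no extensions and yield a fingerprint with empty extension, curve and point-format fields.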
ssl_extension_signature_algorithm
Type: | event (c: connection , is_orig: bool , signature_algorithms: signature_and_hashalgorithm_vec ) |
---|
Generated for a Signature Algorithms extension. This TLS extension is defined in RFC 5246 and sent by the client in the initial handshake. It gives the list of signature and hash algorithms supported by the client.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Signature_algorithms: | |
List of supported signature and hash algorithm pairs. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_elliptic_curves
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_server_name
, ssl_server_curve
, ssl_extension_key_share
, ssl_extension_psk_key_exchange_modes
, ssl_extension_supported_versions
ssl_extension_key_share
Type: | event (c: connection , is_orig: bool , curves: index_vec ) |
---|
Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 and sent by the client and the server in the initial handshake. It gives the list of named groups supported by the client and chosen by the server.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Curves: | List of supported/chosen named groups. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_elliptic_curves
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_server_name
, ssl_server_curve
, ssl_extension_psk_key_exchange_modes
, ssl_extension_supported_versions
ssl_server_curve
Type: | event (c: connection , curve: count ) |
---|
Generated if a named curve is chosen by the server for an SSL/TLS connection. The curve is sent by the server in the ServerKeyExchange message as defined in RFC 4492, in case an ECDH or ECDHE cipher suite is chosen.
C: | The connection. |
---|---|
Curve: | The curve. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_elliptic_curves
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_server_name
, ssl_extension_key_share
, ssl_extension_psk_key_exchange_modes
, ssl_extension_supported_versions
ssl_dh_server_params
Type: | event (c: connection , p: string , q: string , Ys: string ) |
---|
Generated if a server uses a DH-anon or DHE cipher suite. This event contains the server DH parameters, which are sent in the ServerKeyExchange message as defined in RFC 5246.
C: | The connection. |
---|---|
P: | The DH prime modulus. |
Q: | The DH generator. |
Ys: | The server’s DH public key. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_server_curve
ssl_extension_application_layer_protocol_negotiation
Type: | event (c: connection , is_orig: bool , protocols: string_vec ) |
---|
Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in the initial handshake. It contains the list of application protocols offered by the client, or the protocol selected by the server, respectively.
At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Protocols: | List of supported application layer protocols. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_elliptic_curves
, ssl_extension_ec_point_formats
, ssl_extension_server_name
, ssl_extension_key_share
, ssl_extension_psk_key_exchange_modes
, ssl_extension_supported_versions
ssl_extension_server_name
Type: | event (c: connection , is_orig: bool , names: string_vec ) |
---|
Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is defined in RFC 3546 and sent by the client in the initial handshake. It contains the name of the server it is contacting. This information can be used by the server to choose the correct certificate for the host the client wants to contact.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Names: | A list of server names (DNS hostnames). |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_elliptic_curves
, ssl_extension_ec_point_formats
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_key_share
, ssl_extension_psk_key_exchange_modes
, ssl_extension_supported_versions
ssl_extension_supported_versions
Type: | event (c: connection , is_orig: bool , versions: index_vec ) |
---|
Generated for a TLS Supported Versions extension. This TLS extension is defined in the TLS 1.3 RFC and sent by the client in the initial handshake. It contains the TLS versions that the client supports. This information can be used by the server to choose the best TLS version to use.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Versions: | List of supported TLS versions. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_elliptic_curves
, ssl_extension_ec_point_formats
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_key_share
, ssl_extension_server_name
, ssl_extension_psk_key_exchange_modes
ssl_extension_psk_key_exchange_modes
Type: | event (c: connection , is_orig: bool , modes: index_vec ) |
---|
Generated for a TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined in the TLS 1.3 RFC and sent by the client in the initial handshake. It contains the list of Pre-Shared Key Exchange Modes that the client supports.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Modes: | List of supported Pre-Shared Key Exchange Modes. |
See also: ssl_alert
, ssl_client_hello
, ssl_established
, ssl_server_hello
, ssl_session_ticket_handshake
, ssl_extension
, ssl_extension_elliptic_curves
, ssl_extension_ec_point_formats
, ssl_extension_application_layer_protocol_negotiation
, ssl_extension_key_share
, ssl_extension_server_name
, ssl_extension_supported_versions
ssl_established
Type: | event (c: connection ) |
---|
Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with an unencrypted handshake, and Bro extracts as much information out of that as it can. This event signals the time when an SSL/TLS connection has finished the handshake and its endpoints consider it fully established. Typically, everything from now on will be encrypted.
See Wikipedia for more information about the SSL/TLS protocol.
C: | The connection. |
---|
See also: ssl_alert
, ssl_client_hello
, ssl_extension
, ssl_server_hello
, ssl_session_ticket_handshake
, x509_certificate
ssl_alert
Type: | event (c: connection , is_orig: bool , level: count , desc: count ) |
---|
Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted handshake, and Bro extracts as much information out of that as it can. If during that handshake an endpoint encounters a fatal error, it sends an alert record, which in turn triggers this event. After an alert, either endpoint may close the connection immediately.
See Wikipedia for more information about the SSL/TLS protocol.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Level: | The severity level, as sent in the alert. The values are defined as part of the SSL/TLS protocol. |
Desc: | A numerical value identifying the cause of the alert. The values are defined as part of the SSL/TLS protocol. |
See also: ssl_client_hello
, ssl_established
, ssl_extension
, ssl_server_hello
, ssl_session_ticket_handshake
ssl_session_ticket_handshake
Type: | event (c: connection , ticket_lifetime_hint: count , ticket: string ) |
---|
Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism. SSL/TLS sessions start with an unencrypted handshake, and Bro extracts as much information out of that as it can. This event is raised when an SSL/TLS server passes a session ticket to the client that can later be used for resuming the session. The mechanism is described in RFC 4507.
See Wikipedia for more information about the SSL/TLS protocol.
C: | The connection. |
---|---|
Ticket_lifetime_hint: | |
A hint from the server about how long the ticket should be stored by the client. | |
Ticket: | The raw ticket data. |
See also: ssl_client_hello
, ssl_established
, ssl_extension
, ssl_server_hello
, ssl_alert
ssl_heartbeat
Type: | event (c: connection , is_orig: bool , length: count , heartbeat_type: count , payload_length: count , payload: string ) |
---|
Generated for SSL/TLS heartbeat messages that are sent before session encryption starts. Generally heartbeat messages should rarely be seen in normal TLS traffic. Heartbeats are described in RFC 6520.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Length: | length of the entire heartbeat message. |
Heartbeat_type: | type of the heartbeat message. Per RFC, 1 = request, 2 = response. |
Payload_length: | length of the payload of the heartbeat message, according to packet field. |
Payload: | payload contained in the heartbeat message. Size can differ from payload_length, if payload_length and actual packet length disagree. |
See also: ssl_client_hello
, ssl_established
, ssl_extension
, ssl_server_hello
, ssl_alert
, ssl_encrypted_data
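As an added example, not Bro’s own heartbleed.bro policy script, the handler below acts on the length caveat above: a heartbeat request whose payload_length claims more bytes than the record actually carries asks the peer to answer with memory it never received, which is the malformed-length condition behind Heartbleed (CVE-2014-0160). The module and notice names are assumptions of the example.

```bro
# Added example, not Bro's heartbleed.bro: flag heartbeat requests whose
# claimed payload length exceeds the payload present. Names are assumptions.
@load base/frameworks/notice
@load base/protocols/ssl

module HeartbeatDemo;

export {
    redef enum Notice::Type += {
        ## Heartbeat request with payload_length larger than the payload sent.
        Heartbeat_Length_Mismatch,
        ## Any pre-encryption heartbeat; rare in normal traffic.
        Heartbeat_Seen,
    };
}

event ssl_heartbeat(c: connection, is_orig: bool, length: count,
                    heartbeat_type: count, payload_length: count, payload: string)
{
    local side = is_orig ? "client" : "server";

    NOTICE([$note=Heartbeat_Seen, $conn=c,
            $msg=fmt("%s sent heartbeat type %d, %d bytes", side, heartbeat_type, length),
            $identifier=cat(c$uid)]);

    # Type 1 is a request (RFC 6520). |payload| is what was actually on the
    # wire, including padding; a claimed length beyond it is the attack.
    if ( heartbeat_type == 1 && payload_length > |payload| )
        NOTICE([$note=Heartbeat_Length_Mismatch, $conn=c,
                $msg=fmt("%s claimed %d payload bytes but sent only %d",
                         side, payload_length, |payload|)]);
}
```

This only covers heartbeats sent before encryption starts. Once the session is encrypted the analyzer no longer raises ssl_heartbeat; a heartbeat is then visible only as an ssl_encrypted_data event with content_type 24, and only if SSL::disable_analyzer_after_detection has been set to false.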
ssl_application_data
Type: | event (c: connection , is_orig: bool , length: count ) |
---|
Generated for non-handshake SSL/TLS application_data messages that are sent before full encryption starts. For TLS 1.2 and lower, this event should not be raised. For TLS 1.3, it is used by Bro internally to determine if the connection has been completely set up. This is necessary as TLS 1.3 no longer has a ChangeCipherSpec (CCS) message.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Length: | Length of the entire application_data message. |
See also: ssl_client_hello
, ssl_established
, ssl_extension
, ssl_server_hello
, ssl_alert
, ssl_heartbeat
ssl_encrypted_data
Type: | event (c: connection , is_orig: bool , content_type: count , length: count ) |
---|
Generated for SSL/TLS messages that are sent after session encryption started.
Note that SSL::disable_analyzer_after_detection has to be changed from its default to false for this event to be generated.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Content_type: | message type as reported by TLS session layer. |
Length: | Length of the entire encrypted record. |
See also: ssl_client_hello
, ssl_established
, ssl_extension
, ssl_server_hello
, ssl_alert
, ssl_heartbeat
ssl_stapled_ocsp
Type: | event (c: connection , is_orig: bool , response: string ) |
---|
Generated for the OCSP response carried in a CertificateStatus handshake message, which the server sends when the client requested OCSP stapling via the status_request extension and the server supports it. See the description in RFC 6066.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Response: | OCSP data. |
ssl_handshake_message
Type: | event (c: connection , is_orig: bool , msg_type: count , length: count ) |
---|
This event is raised for each unencrypted SSL/TLS handshake message.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
Msg_type: | Type of the handshake message that was seen. |
Length: | Length of the handshake message that was seen. |
See also: ssl_alert
, ssl_established
, ssl_extension
, ssl_server_hello
, ssl_session_ticket_handshake
, x509_certificate
, ssl_client_hello
, ssl_change_cipher_spec
ssl_change_cipher_spec
Type: | event (c: connection , is_orig: bool ) |
---|
This event is raised when a SSL/TLS ChangeCipherSpec message is encountered before encryption begins. Traffic will be encrypted following this message.
C: | The connection. |
---|---|
Is_orig: | True if event is raised for originator side of the connection. |
See also: ssl_alert
, ssl_established
, ssl_extension
, ssl_server_hello
, ssl_session_ticket_handshake
, x509_certificate
, ssl_client_hello
, ssl_handshake_message
set_ssl_established
Type: | function (c: connection ) : any |
---|
Sets whether the SSL analyzer should consider the connection established (handshake finished successfully).
C: | The SSL connection. |
---|
Stepping stone analyzer
stp_create_endp
Type: | event (c: connection , e: int , is_orig: bool ) |
---|
Deprecated. Will be removed.
Syslog analyzer UDP-only
syslog_message
Type: | event (c: connection , facility: count , severity: count , msg: string ) |
---|
Generated for monitored Syslog messages.
See Wikipedia for more information about the Syslog protocol.
C: | The connection record for the underlying transport-layer session/flow. |
---|---|
Facility: | The “facility” included in the message. |
Severity: | The “severity” included in the message. |
Msg: | The message logged. |
Note
Bro currently parses only UDP syslog traffic. Support for TCP syslog will be added soon.
TCP analyzer
new_connection_contents
Type: | event (c: connection ) |
---|
Generated when reassembly starts for a TCP connection. This event is raised at the moment when Bro’s TCP analyzer enables stream reassembly for a connection.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, partial_connection
connection_attempt
Type: | event (c: connection ) |
---|
Generated for an unsuccessful connection attempt. This event is raised when an originator unsuccessfully attempted to establish a connection. “Unsuccessful” is defined as at least tcp_attempt_delay seconds having elapsed since the originator first sent a connection establishment packet to the destination without seeing a reply.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
connection_established
Type: | event (c: connection ) |
---|
Generated when seeing a SYN-ACK packet from the responder in a TCP handshake. An associated SYN packet was not seen from the originator side if its state is not set to TCP_ESTABLISHED. The final ACK of the handshake in response to the SYN-ACK may or may not occur later; one way to tell is to check the history field of connection to see if the originator sent an ACK, indicated by ‘A’ in the history string.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
partial_connection
Type: | event (c: connection ) |
---|
Generated for a new active TCP connection if Bro did not see the initial handshake. This event is raised when Bro has observed traffic from each endpoint, but the activity did not begin with the usual connection establishment.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
connection_partial_close
Type: | event (c: connection ) |
---|
Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence. When the endpoint sent one of these packets, Bro waits tcp_partial_close_delay prior to generating the event, to give the other endpoint a chance to close the connection normally.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
connection_finished
Type: | event (c: connection ) |
---|
Generated for a TCP connection that finished normally. The event is raised when a regular FIN handshake from both endpoints was observed.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
connection_half_finished
Type: | event (c: connection ) |
---|
Generated when one endpoint of a TCP connection attempted to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state. This can happen due to split routing, in which Bro only sees one side of a connection.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
connection_rejected
Type: | event (c: connection ) |
---|
Generated for a rejected TCP connection. This event is raised when an originator attempted to setup a TCP connection but the responder replied with a RST packet denying it.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
Note
If the responder does not respond at all, connection_attempt is raised instead. If the responder initially accepts the connection but aborts it later, Bro first generates connection_established and then connection_reset.
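The two failure events above are the natural inputs for a simple scan detector. The script below is an added example, not one of Bro’s shipped scan policies: it counts, per originator, the distinct host/port pairs that produced either connection_attempt or connection_rejected and raises a notice once when a threshold is crossed. The module name, notice name, threshold and expiry window are assumptions of the example.

```bro
# Added example, not Bro's own scan detection: count distinct failed
# destinations per originator. Module, notice name and threshold are assumptions.
@load base/frameworks/notice

module ScanDemo;

export {
    redef enum Notice::Type += {
        ## An originator failed to reach `threshold` distinct host/port pairs.
        Scan_Suspected,
    };

    ## Distinct failed destinations before a notice is raised.
    const threshold = 20 &redef;
}

# Distinct destination host/port pairs each originator failed to reach. An
# entry is forgotten five minutes after its last write.
global failed: table[addr] of set[string] &write_expire=5min;

function record_failure(c: connection, why: string)
{
    local o = c$id$orig_h;
    if ( o !in failed )
    {
        local empty: set[string] = set();
        failed[o] = empty;
    }

    add failed[o][fmt("%s:%s", c$id$resp_h, c$id$resp_p)];

    # Equality rather than >= so the notice fires once per window; the
    # identifier additionally lets the Notice framework suppress repeats.
    if ( |failed[o]| == threshold )
        NOTICE([$note=Scan_Suspected, $src=o, $conn=c,
                $msg=fmt("%s failed to reach %d distinct host/port pairs (last failure: %s)",
                         o, threshold, why),
                $identifier=cat(o)]);
}

# No reply within tcp_attempt_delay seconds.
event connection_attempt(c: connection)
{
    record_failure(c, "no reply");
}

# Responder answered the SYN with a RST.
event connection_rejected(c: connection)
{
    record_failure(c, "RST");
}
```

Two caveats a practitioner should keep in mind: connection_attempt is raised only after tcp_attempt_delay has elapsed, so the notice lags the scan by at least that long, and a SYN scan with spoofed source addresses spreads its failures across many originators and will not cross the per-address threshold.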
connection_reset
Type: | event (c: connection ) |
---|
Generated when an endpoint aborted a TCP connection. The event is raised when one endpoint of an established TCP connection aborted by sending a RST packet.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
connection_pending
Type: | event (c: connection ) |
---|
Generated for each still-open TCP connection when Bro terminates.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
, bro_done
connection_SYN_packet
Type: | event (c: connection , pkt: SYN_packet ) |
---|
Generated for a SYN packet. Bro raises this event for every SYN packet seen by its TCP analyzer.
C: | The connection. |
---|---|
Pkt: | Information extracted from the SYN packet. |
See also: connection_EOF
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
Note
This event has quite low-level semantics and can potentially be expensive to generate. It should only be used if one really needs the specific information passed into the handler via the pkt argument. If not, handling one of the other connection_* events is typically the better approach.
connection_first_ACK
Type: | event (c: connection ) |
---|
Generated for the first ACK packet seen for a TCP connection from its originator.
C: | The connection. |
---|
See also: connection_EOF
, connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
Note
This event has quite low-level semantics and should be used only rarely.
connection_EOF
Type: | event (c: connection , is_orig: bool ) |
---|
Generated at the end of reassembled TCP connections. The TCP reassembler raises the event once for each endpoint of a connection when it has finished reassembling the corresponding side of the communication.
C: | The connection. |
---|---|
Is_orig: | True if the event is raised for the originator side. |
See also: connection_SYN_packet
, connection_attempt
, connection_established
, connection_external
, connection_finished
, connection_first_ACK
, connection_half_finished
, connection_partial_close
, connection_pending
, connection_rejected
, connection_reset
, connection_reused
, connection_state_remove
, connection_status_update
, connection_timeout
, scheduled_analyzer_applied
, new_connection
, new_connection_contents
, partial_connection
tcp_packet
Type: | event (c: connection , is_orig: bool , flags: string , seq: count , ack: count , len: count , payload: string ) |
---|
Generated for every TCP packet. This is a very low-level and expensive event that should be avoided when at all possible. It’s usually infeasible to handle when processing even medium volumes of traffic in real-time. It’s slightly better than new_packet because it affects only TCP, but not much. That said, if you work from a trace and want to do some packet-level analysis, it may come in handy.
C: | The connection the packet is part of. |
---|---|
Is_orig: | True if the packet was sent by the connection’s originator. |
Flags: | A string with the packet’s TCP flags. In the string, each character corresponds to one set flag, as follows: S -> SYN; F -> FIN; R -> RST; A -> ACK; P -> PUSH. |
Seq: | The packet’s relative TCP sequence number. |
Ack: | If the ACK flag is set for the packet, the packet’s relative ACK number, else zero. |
Len: | The length of the TCP payload, as specified in the packet header. |
Payload: | The raw TCP payload. Note that this may be shorter than len if the packet was not fully captured. |
See also: new_packet
, packet_contents
, tcp_option
, tcp_contents
, tcp_rexmit
tcp_option
Type: | event (c: connection , is_orig: bool , opt: count , optlen: count ) |
---|
Generated for each option found in a TCP header. Like many of the tcp_* events, this is a very low-level event and potentially expensive as it may be raised very often.
C: | The connection the packet is part of. |
---|---|
Is_orig: | True if the packet was sent by the connection’s originator. |
Opt: | The numerical option number, as found in the TCP header. |
Optlen: | The length of the options value. |
See also: tcp_packet
, tcp_contents
, tcp_rexmit
Note
There is currently no way to get the actual option value, if any.
tcp_contents
Type: | event (c: connection , is_orig: bool , seq: count , contents: string ) |
---|
Generated for each chunk of reassembled TCP payload. When content delivery is enabled for a TCP connection (via tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp), this event is raised for each chunk of in-order payload reconstructed from the packet stream. Note that this event is potentially expensive if many connections carry significant amounts of data as then all that data needs to be passed on to the scripting layer.
C: | The connection the payload is part of. |
---|---|
Is_orig: | True if the packet was sent by the connection’s originator. |
Seq: | The sequence number corresponding to the first byte of the payload chunk. |
Contents: | The raw payload, which will be non-empty. |
See also: tcp_packet
, tcp_option
, tcp_rexmit
, tcp_content_delivery_ports_orig
, tcp_content_delivery_ports_resp
, tcp_content_deliver_all_resp
, tcp_content_deliver_all_orig
Note
The payload received by this event is the same that is also passed into application-layer protocol analyzers internally. Subsequent invocations of this event for the same connection receive non-overlapping in-order chunks of its TCP payload stream. It is however undefined what size each chunk has; while Bro passes the data on as soon as possible, specifics depend on network-level effects such as latency, acknowledgements, reordering, etc.
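The following script, an added example and not part of Bro, shows the mechanics described above: it enables payload delivery for one port in both directions, tallies how many bytes each side delivered, and matches a pattern against the responder’s chunks. The port (23/tcp, telnet) and the pattern are assumptions chosen for the example.

```bro
# Added example, not Bro's own script: deliver 23/tcp payload to the script
# layer and inspect it. Port, pattern and module name are assumptions.
module ContentsDemo;

# Enable delivery for both directions of connections to 23/tcp. These are
# Bro's redefinable tables; tcp_content_deliver_all_* would cover every port.
redef tcp_content_delivery_ports_orig += { [23/tcp] = T };
redef tcp_content_delivery_ports_resp += { [23/tcp] = T };

# Bytes delivered per connection uid and direction.
global seen: table[string, bool] of count &default=0 &write_expire=1hr;

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
{
    if ( [c$uid, is_orig] !in seen )
        seen[c$uid, is_orig] = 0;
    seen[c$uid, is_orig] += |contents|;

    # Responder side only: a plaintext password prompt on the wire.
    if ( ! is_orig && /[Pp]assword:/ in contents )
        print fmt("%s responder %s prompted for a password at relative seq %d",
                  c$uid, c$id$resp_h, seq);
}

event connection_state_remove(c: connection)
{
    if ( [c$uid, T] in seen || [c$uid, F] in seen )
    {
        print fmt("%s delivered %d originator bytes and %d responder bytes",
                  c$uid, seen[c$uid, T], seen[c$uid, F]);
        delete seen[c$uid, T];
        delete seen[c$uid, F];
    }
}
```

Because chunk boundaries are undefined, a match that straddles two chunks is missed by this per-chunk check; anything that must see a token across boundaries has to buffer the previous chunk’s tail or be written as a proper protocol analyzer.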
tcp_rexmit
Type: | event (c: connection , is_orig: bool , seq: count , len: count , data_in_flight: count , window: count ) |
---|
TODO.
contents_file_write_failure
Type: | event (c: connection , is_orig: bool , msg: string ) |
---|
Generated when failing to write contents of a TCP stream to a file.
C: | The connection whose contents are being recorded. |
---|---|
Is_orig: | Which side of the connection encountered a failure to write. |
Msg: | A reason or description for the failure. |
See also: set_contents_file
, get_contents_file
get_orig_seq
Type: | function (cid: conn_id ) : count |
---|
Get the originator sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).
Cid: | The connection ID. |
---|---|
Returns: | The highest sequence number sent by a connection’s originator, or 0 if cid does not point to an active TCP connection. |
See also: get_resp_seq
get_resp_seq
Type: | function (cid: conn_id ) : count |
---|
Get the responder sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).
Cid: | The connection ID. |
---|---|
Returns: | The highest sequence number sent by a connection’s responder, or 0 if cid does not point to an active TCP connection. |
See also: get_orig_seq
set_contents_file
Type: | function (cid: conn_id , direction: count , f: file ) : bool |
---|
Associates a file handle with a connection for writing TCP byte stream contents.
Cid: | The connection ID. |
---|---|
Direction: | Controls what sides of the connection to record. The argument can take one of the four values: |
F: | The file handle of the file to write the contents to. |
Returns: | Returns false if cid does not point to an active connection, and true otherwise. |
Note
The data recorded to the file reflects the byte stream, not the contents of individual packets. Reordering and duplicates are removed. If any data is missing, the recording stops at the missing data; this can happen, e.g., due to a content_gap event.
See also: get_contents_file, set_record_packets, contents_file_write_failure
get_contents_file
Type: | function (cid: conn_id , direction: count ) : file |
---|
Returns the file handle of the contents file of a connection.
Cid: | The connection ID. |
---|---|
Direction: | Controls what sides of the connection to record. See set_contents_file for possible values. |
Returns: | The file handle for the contents file of the connection identified by cid. If the connection exists but there is no contents file for direction, then the function generates an error and returns a file handle to stderr . |
See also: set_contents_file, set_record_packets, contents_file_write_failure
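Putting set_contents_file and contents_file_write_failure together: the script below, an added example that is not part of the Bro documentation, records both directions of every connection to a constructed port 2222/tcp into a per-connection file in the working directory. It assumes the direction constant CONTENTS_BOTH (together with CONTENTS_NONE, CONTENTS_ORIG and CONTENTS_RESP) as defined in Bro's init-bare.bro.

```bro
# Added example (not part of the Bro documentation): record the TCP byte
# stream of both sides of connections to a constructed port into one file
# per connection, and report failures to write that file.

const record_port = 2222/tcp &redef;   # constructed value for this example

event connection_established(c: connection)
	{
	if ( c$id$resp_p != record_port )
		return;

	# port_to_count() avoids the "2222/tcp" form, which contains a slash.
	local fname = fmt("%s.%d-%s.%d.contents",
	                  c$id$orig_h, port_to_count(c$id$orig_p),
	                  c$id$resp_h, port_to_count(c$id$resp_p));
	local f = open(fname);

	# CONTENTS_BOTH is assumed from init-bare.bro: record originator and
	# responder streams. Reordering and duplicates are removed by Bro;
	# recording stops at the first gap in the stream.
	if ( ! set_contents_file(c$id, CONTENTS_BOTH, f) )
		Reporter::warning(fmt("set_contents_file failed for %s", c$id));
	}

event contents_file_write_failure(c: connection, is_orig: bool, msg: string)
	{
	# is_orig tells which side's recording failed, msg carries the reason.
	Reporter::error(fmt("contents write failure on %s side of %s: %s",
	                    is_orig ? "originator" : "responder", c$id, msg));
	}
```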
Teredo analyzer
teredo_packet
Type: | event (outer: connection , inner: teredo_hdr ) |
---|
Generated for any IPv6 packet encapsulated in a Teredo tunnel. See RFC 4380 for more information about the Teredo protocol.
Outer: | The Teredo tunnel connection. |
---|---|
Inner: | The Teredo-encapsulated IPv6 packet header and transport header. |
See also: teredo_authentication, teredo_origin_indication, teredo_bubble
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
teredo_authentication
Type: | event (outer: connection , inner: teredo_hdr ) |
---|
Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method. See RFC 4380 for more information about the Teredo protocol.
Outer: | The Teredo tunnel connection. |
---|---|
Inner: | The Teredo-encapsulated IPv6 packet header and transport header. |
See also: teredo_packet, teredo_origin_indication, teredo_bubble
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
teredo_origin_indication
Type: | event (outer: connection , inner: teredo_hdr ) |
---|
Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method. See RFC 4380 for more information about the Teredo protocol.
Outer: | The Teredo tunnel connection. |
---|---|
Inner: | The Teredo-encapsulated IPv6 packet header and transport header. |
See also: teredo_packet, teredo_authentication, teredo_bubble
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
teredo_bubble
Type: | event (outer: connection , inner: teredo_hdr ) |
---|
Generated for Teredo bubble packets. That is, IPv6 packets encapsulated in a Teredo tunnel that have a Next Header value of IPPROTO_NONE. See RFC 4380 for more information about the Teredo protocol.
Outer: | The Teredo tunnel connection. |
---|---|
Inner: | The Teredo-encapsulated IPv6 packet header and transport header. |
See also: teredo_packet, teredo_authentication, teredo_origin_indication
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
UDP Analyzer
udp_request
Type: | event (u: connection ) |
---|
Generated for each packet sent by a UDP flow’s originator. This is a potentially expensive event due to the volume of UDP traffic and should be used with care.
U: | The connection record for the corresponding UDP flow. |
---|
See also: udp_contents, udp_reply, udp_session_done
udp_reply
Type: | event (u: connection ) |
---|
Generated for each packet sent by a UDP flow’s responder. This is a potentially expensive event due to the volume of UDP traffic and should be used with care.
U: | The connection record for the corresponding UDP flow. |
---|
See also: udp_contents, udp_request, udp_session_done
udp_contents
Type: | event (u: connection , is_orig: bool , contents: string ) |
---|
Generated for UDP packets to pass on their payload. As the number of UDP packets can be very large, this event is normally raised only for those on ports configured in udp_content_delivery_ports_orig (for packets sent by the flow’s originator) or udp_content_delivery_ports_resp (for packets sent by the flow’s responder). However, delivery can be enabled for all UDP request and reply packets by setting udp_content_deliver_all_orig or udp_content_deliver_all_resp, respectively. Note that this event is also raised for all matching UDP packets, including empty ones.
U: | The connection record for the corresponding UDP flow. |
---|---|
Is_orig: | True if the event is raised for the originator side. |
Contents: | TODO. |
See also: udp_reply, udp_request, udp_session_done, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp
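The following script, an added example that is not part of the Bro documentation, enables udp_contents for both directions of flows on a constructed port 5353/udp through the two port tables rather than the deliver_all switches, and keeps per-flow byte counts per direction while counting the empty datagrams the event also reports.

```bro
# Added example (not part of the Bro documentation): opt one constructed
# port into UDP payload delivery for both directions and track what
# udp_contents delivers per flow, including empty datagrams.

# Both tables are table[port] of bool; the deliver_all switches stay off,
# so only this port's packets raise udp_contents.
redef udp_content_delivery_ports_orig += { [5353/udp] = T };
redef udp_content_delivery_ports_resp += { [5353/udp] = T };

type udp_flow_stats: record {
	orig_bytes: count;   # payload bytes sent by the originator
	resp_bytes: count;   # payload bytes sent by the responder
	empty_pkts: count;   # datagrams with no payload (still delivered)
};

global udp_flows: table[conn_id] of udp_flow_stats;

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	local id = u$id;

	if ( id !in udp_flows )
		udp_flows[id] = [$orig_bytes = 0, $resp_bytes = 0, $empty_pkts = 0];

	local st = udp_flows[id];

	# udp_contents is raised for every matching packet, even empty ones.
	if ( |contents| == 0 )
		{
		st$empty_pkts += 1;
		return;
		}

	if ( is_orig )
		st$orig_bytes += |contents|;
	else
		st$resp_bytes += |contents|;
	}

event connection_state_remove(c: connection)
	{
	if ( c$id in udp_flows )
		{
		local st = udp_flows[c$id];
		print fmt("%s: orig=%d resp=%d empty=%d", c$id,
		          st$orig_bytes, st$resp_bytes, st$empty_pkts);
		delete udp_flows[c$id];
		}
	}
```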
XMPP analyzer (StartTLS only)
xmpp_starttls
Type: | event (c: connection ) |
---|
Generated when an XMPP connection goes encrypted after a successful StartTLS exchange between the client and the server.
C: | The connection. |
---|