base/bif/event.bif.bro

GLOBAL

The protocol-independent events that the C/C++ core of Bro can generate.

This is mostly events not related to a specific transport- or application-layer protocol, but also includes a few that may be generated by more than one protocols analyzer (like events generated by both UDP and TCP analysis.)

Namespace:	GLOBAL
Source File:	`/scripts/base/bif/event.bif.bro`

Summary

Events

`OS_version_found`: `event`	Generated when an operating system has been fingerprinted.
`anonymization_mapping`: `event`	Deprecated.
`bro_done`: `event`	Generated at Bro termination time.
`bro_init`: `event`	Generated at Bro initialization time.
`bro_script_loaded`: `event`	Raised for each policy script loaded by the script interpreter.
`conn_stats`: `event`	Generated when a TCP connection terminated, passing on statistics about the two endpoints.
`conn_weird`: `event`	Generated for unexpected activity related to a specific connection.
`connection_external`: `event`	Generated for a new connection received from the communication subsystem.
`connection_flow_label_changed`: `event`	Generated for a connection over IPv6 when one direction has changed the flow label that it’s using.
`connection_reused`: `event`	Generated when a connection 4-tuple is reused.
`connection_state_remove`: `event`	Generated when a connection’s internal state is about to be removed from memory.
`connection_status_update`: `event`	Generated in regular intervals during the lifetime of a connection.
`connection_timeout`: `event`	Generated when a TCP connection timed out.
`content_gap`: `event`	Generated when Bro detects a gap in a reassembled TCP payload stream.
`dns_mapping_altered`: `event`	Generated when an internal DNS lookup produced a different result than in the past.
`dns_mapping_lost_name`: `event`	Generated when an internal DNS lookup returned zero answers even though it had succeeded in the past.
`dns_mapping_new_name`: `event`	Generated when an internal DNS lookup succeeded but an earlier attempt did not.
`dns_mapping_unverified`: `event`	Generated when an internal DNS lookup got no answer even though it had succeeded in the past.
`dns_mapping_valid`: `event`	Generated when an internal DNS lookup produces the same result as last time.
`esp_packet`: `event`	Generated for any packets using the IPv6 Encapsulating Security Payload (ESP) extension header.
`event_queue_flush_point`: `event`	Marks a point in the event stream at which the event queue started flushing.
`file_gap`: `event`	Indicates that a chunk of the file is missing.
`file_new`: `event`	Indicates that an analysis of a new file has begun.
`file_opened`: `event`	Generated each time Bro’s script interpreter opens a file.
`file_over_new_connection`: `event`	Indicates that a file has been seen being transferred over a connection different from the original.
`file_reassembly_overflow`: `event`	Indicates that the file had an overflow of the reassembly buffer.
`file_sniff`: `event`	Provide all metadata that has been inferred about a particular file from inspection of the initial content that been seen at the beginning of the file.
`file_state_remove`: `event`	This event is generated each time file analysis is ending for a given file.
`file_timeout`: `event`	Indicates that file analysis has timed out because no activity was seen for the file in a while.
`finished_send_state`: `event`	Generated after a call to `send_state` when all data has been successfully sent to the remote side.
`flow_weird`: `event`	Generated for unexpected activity related to a pair of hosts, but independent of a specific connection.
`gaobot_signature_found`: `event`	Deprecated.
`get_file_handle`: `event`	This event is handled to provide feedback to the file analysis framework about how to identify the logical “file” to which some data/input belongs.
`ipv6_ext_headers`: `event`	Generated for every IPv6 packet that contains extension headers.
`kazaa_signature_found`: `event`	Deprecated.
`load_sample`: `event`	Generated regularly for the purpose of profiling Bro’s processing.
`mobile_ipv6_message`: `event`	Generated for any packet using a Mobile IPv6 Mobility Header.
`napster_signature_found`: `event`	Deprecated.
`net_weird`: `event`	Generated for unexpected activity that is not tied to a specific connection or pair of hosts.
`new_connection`: `event`	Generated for every new connection.
`new_event`: `event`	A meta event generated for events that Bro raises.
`new_packet`: `event`	Generated for all packets that make it into Bro’s connection processing.
`packet_contents`: `event`	Generated for every packet that has a non-empty transport-layer payload.
`print_hook`: `event`	Deprecated.
`profiling_update`: `event`	Generated each time Bro’s internal profiling log is updated.
`protocol_confirmation`: `event`	Generated when a protocol analyzer confirms that a connection is indeed using that protocol.
`protocol_violation`: `event`	Generated when a protocol analyzer determines that a connection it is parsing is not conforming to the protocol it expects.
`raw_packet`: `event`	Generated for every packet Bro sees that have a valid link-layer header.
`remote_capture_filter`: `event`	Generated when a remote peer sent us a capture filter.
`remote_connection_closed`: `event`	Generated when a connection to a remote Bro has been closed.
`remote_connection_error`: `event`	Generated when a connection to a remote Bro encountered an error.
`remote_connection_established`: `event`	Generated when a connection to a remote Bro has been established.
`remote_connection_handshake_done`: `event`	Generated when a remote connection’s initial handshake has been completed.
`remote_event_registered`: `event`	Generated for each event registered by a remote peer.
`remote_log`: `event`	Generated for communication log messages.
`remote_log_peer`: `event`	Generated for communication log messages.
`remote_pong`: `event`	Generated when a remote peer has answered to our ping.
`remote_state_access_performed`: `event`	Generated each time a remote state access has been replayed locally.
`remote_state_inconsistency`: `event`	Generated if state synchronization detects an inconsistency.
`reporter_error`: `event` `&error_handler`	Raised for errors reported via Bro’s reporter framework.
`reporter_info`: `event` `&error_handler`	Raised for informational messages reported via Bro’s reporter framework.
`reporter_warning`: `event` `&error_handler`	Raised for warnings reported via Bro’s reporter framework.
`rexmit_inconsistency`: `event`	Generated when Bro detects a TCP retransmission inconsistency.
`root_backdoor_signature_found`: `event`	Deprecated.
`rotate_interval`: `event`	Deprecated.
`rotate_size`: `event`	Deprecated.
`scheduled_analyzer_applied`: `event`	Generated when a connection is seen that is marked as being expected.
`signature_match`: `event`	Generated when a signature matches.
`software_parse_error`: `event`	Generated when a protocol analyzer finds an identification of a software used on a system but cannot parse it.
`software_unparsed_version_found`: `event`	Generated when a protocol analyzer finds an identification of a software used on a system.
`software_version_found`: `event`	Generated when a protocol analyzer finds an identification of a software used on a system.
`tunnel_changed`: `event`	Generated for a connection whose tunneling has changed.
`udp_session_done`: `event`	Generated when a UDP session for a supported protocol has finished.

Detailed Interface

Events

OS_version_found

Type:	`event` (c: `connection`, host: `addr`, OS: `OS_version`)

Generated when an operating system has been fingerprinted. Bro uses p0f to fingerprint endpoints passively, and it raises this event for each system identified. The p0f fingerprints are defined by passive_fingerprint_file.

C:	The connection.
Host:	The host running the reported OS.
OS:	The OS version string.

anonymization_mapping

Type:	`event` (orig: `addr`, mapped: `addr`)

Deprecated. Will be removed.

bro_done

Type:	`event` ()

Generated at Bro termination time. The event engine generates this event when Bro is about to terminate, either due to having exhausted reading its input trace file(s), receiving a termination signal, or because Bro was run without a network input source and has finished executing any global statements.

Type:	`event` (path: `string`, level: `count`)

Path:	The full path to the script loaded.
Level:	The “nesting level”: zero for a top-level Bro script and incremented recursively for each `@load`.

Type:	`event` (c: `connection`, os: `endpoint_stats`, rs: `endpoint_stats`)

Type:	`event` (name: `string`, c: `connection`, addl: `string`)

See also: flow_weird, net_weird

Note

“Weird” activity is much more common in real-world network traffic than one would intuitively expect. While in principle, any protocol violation could be an attack attempt, it’s much more likely that an endpoint’s implementation interprets an RFC quite liberally.

connection_external

Type:	`event` (c: `connection`, tag: `string`)

Generated for a new connection received from the communication subsystem. Remote peers can inject packets into Bro’s packet loop, for example via Broccoli. The communication system raises this event with the first packet of a connection coming in this way.

C:	The connection.
Tag:	TODO.

connection_flow_label_changed

Type:	`event` (c: `connection`, is_orig: `bool`, old_label: `count`, new_label: `count`)

Generated for a connection over IPv6 when one direction has changed the flow label that it’s using.

C:	The connection.
Is_orig:	True if the event is raised for the originator side.
Old_label:	The old flow label that the endpoint was using.
New_label:	The new flow label that the endpoint is using.

connection_reused

Type:	`event` (c: `connection`)

Generated when a connection 4-tuple is reused. This event is raised when Bro sees a new TCP session or UDP flow using a 4-tuple matching that of an earlier connection it still considers active.

C:	The connection.

connection_state_remove

Type:	`event` (c: `connection`)

Generated when a connection’s internal state is about to be removed from memory. Bro generates this event reliably once for every connection when it is about to delete the internal state. As such, the event is well-suited for script-level cleanup that needs to be performed for every connection. This event is generated not only for TCP sessions but also for UDP and ICMP flows.

C:	The connection.

connection_status_update

Type:	`event` (c: `connection`)

Generated in regular intervals during the lifetime of a connection. The event is raised each connection_status_update_interval seconds and can be used to check conditions on a regular basis.

C:	The connection.

connection_timeout

Type:	`event` (c: `connection`)

Generated when a TCP connection timed out. This event is raised when no activity was seen for an interval of at least tcp_connection_linger, and either one endpoint has already closed the connection or one side never became active.

C:	The connection.

Note

The precise semantics of this event can be unintuitive as it only covers a subset of cases where a connection times out. Often, handling connection_state_remove is the better option. That one will be generated reliably when an interval of tcp_inactivity_timeout has passed without any activity seen (but also for all other ways a connection may terminate).

content_gap

Type:	`event` (c: `connection`, is_orig: `bool`, seq: `count`, length: `count`)

Generated when Bro detects a gap in a reassembled TCP payload stream. This event is raised when Bro, while reassembling a payload stream, determines that a chunk of payload is missing (e.g., because the responder has already acknowledged it, even though Bro didn’t see it).

C:	The connection.
Is_orig:	True if the gap is on the originator’s side.
Seq:	The sequence number where the gap starts.
Length:	The number of bytes missing.

Note

Content gaps tend to occur occasionally for various reasons, including broken TCP stacks. If, however, one finds lots of them, that typically means that there is a problem with the monitoring infrastructure such as a tap dropping packets, split routing on the path, or reordering at the tap.

dns_mapping_altered

Type:	`event` (dm: `dns_mapping`, old_addrs: `addr_set`, new_addrs: `addr_set`)

Generated when an internal DNS lookup produced a different result than in the past. Bro keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when a subsequent lookup returns a different answer than we have stored in the cache.

Dm:	A record describing the new resolver result.
Old_addrs:	Addresses that used to be part of the returned set for the query described by dm, but are not anymore.
New_addrs:	Addresses that were not part of the returned set for the query described by dm, but now are.

dns_mapping_lost_name

Type:	`event` (dm: `dns_mapping`)

Generated when an internal DNS lookup returned zero answers even though it had succeeded in the past. Bro keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when on a subsequent lookup we receive an answer that is empty even though we have already stored a result in the cache.

Dm:	A record describing the old resolver result.

dns_mapping_new_name

Type:	`event` (dm: `dns_mapping`)

Generated when an internal DNS lookup succeeded but an earlier attempt did not. Bro keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when a subsequent lookup produces an answer for a query that was marked as failed in the cache.

Dm:	A record describing the new resolver result.

dns_mapping_unverified

Type:	`event` (dm: `dns_mapping`)

Generated when an internal DNS lookup got no answer even though it had succeeded in the past. Bro keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when a subsequent lookup does not produce an answer even though we have already stored a result in the cache.

Dm:	A record describing the old resolver result.

dns_mapping_valid

Type:	`event` (dm: `dns_mapping`)

Generated when an internal DNS lookup produces the same result as last time. Bro keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when a subsequent lookup returns the same result as stored in the cache.

Dm:	A record describing the new resolver result (which matches the old one).

esp_packet

Type:	`event` (p: `pkt_hdr`)

Generated for any packets using the IPv6 Encapsulating Security Payload (ESP) extension header.

P:	Information from the header of the packet that triggered the event.

event_queue_flush_point

Type:	`event` ()

Marks a point in the event stream at which the event queue started flushing.

file_gap

Type:	`event` (f: `fa_file`, offset: `count`, len: `count`)

Indicates that a chunk of the file is missing.

F:	The file.
Offset:	The byte offset from the start of the file at which the gap begins.
Len:	The number of missing bytes.

file_new

Type:	`event` (f: `fa_file`)

Indicates that an analysis of a new file has begun. The analysis can be augmented at this time via Files::add_analyzer.

F:	The file.

file_opened

Type:	`event` (f: `file`)

Generated each time Bro’s script interpreter opens a file. This event is triggered only for files opened via open, and in particular not for normal log files as created by log writers.

F:	The opened file.

file_over_new_connection

Type:	`event` (f: `fa_file`, c: `connection`, is_orig: `bool`)

Indicates that a file has been seen being transferred over a connection different from the original.

F:	The file.
C:	The new connection over which the file is seen being transferred.
Is_orig:	true if the originator of c is the one sending the file.

file_reassembly_overflow

Type:	`event` (f: `fa_file`, offset: `count`, skipped: `count`)

Indicates that the file had an overflow of the reassembly buffer. This is a specialization of the file_gap event.

F:	The file.
Offset:	The byte offset from the start of the file at which the reassembly couldn’t continue due to running out of reassembly buffer space.
Skipped:	The number of bytes of the file skipped over to flush some file data and get back under the reassembly buffer size limit. This value will also be represented as a gap.

file_sniff

Type:	`event` (f: `fa_file`, meta: `fa_metadata`)

Provide all metadata that has been inferred about a particular file from inspection of the initial content that been seen at the beginning of the file. The analysis can be augmented at this time via Files::add_analyzer. The amount of data fed into the file sniffing can be increased or decreased by changing either default_file_bof_buffer_size or the bof_buffer_size field in an fa_file record. The event will be raised even if content inspection has been unable to infer any metadata, in which case the fields in meta will be left all unset.

F:	The file.
Meta:	Metadata that’s been discovered about the file.

file_state_remove

Type:	`event` (f: `fa_file`)

This event is generated each time file analysis is ending for a given file.

F:	The file.

file_timeout

Type:	`event` (f: `fa_file`)

Indicates that file analysis has timed out because no activity was seen for the file in a while.

F:	The file.

finished_send_state

Type:	`event` (p: `event_peer`)

Generated after a call to send_state when all data has been successfully sent to the remote side. While this event is intended primarily for use by Bro’s communication framework, it can also trigger additional code if helpful.

P:	A record describing the remote peer.

flow_weird

Type:	`event` (name: `string`, src: `addr`, dst: `addr`)

Generated for unexpected activity related to a pair of hosts, but independent of a specific connection. When Bro’s packet analysis encounters activity that does not conform to a protocol’s specification, it raises one of the *_weird events to report that. This event is raised if the activity is related to a pair of hosts, yet not to a specific connection between them.

Name:	A unique name for the specific type of “weird” situation. Bro’s default scripts use this name in filtering policies that specify which “weirds” are worth reporting.
Src:	The source address corresponding to the activity.
Dst:	The destination address corresponding to the activity.

See also: protocol_confirmation

Note

Bro’s default scripts use this event to disable an analyzer via disable_analyzer if it’s parsing the wrong protocol. That’s however a script-level decision and not done automatically by the event engine.

raw_packet

Type:	`event` (p: `raw_pkt_hdr`)

Generated for every packet Bro sees that have a valid link-layer header. This is a very very low-level and expensive event that should be avoided when at all possible. It’s usually infeasible to handle when processing even medium volumes of traffic in real-time. That said, if you work from a trace and want to do some packet-level analysis, it may come in handy.

P:	Information from the header of the packet that triggered the event.

remote_capture_filter

Type:	`event` (p: `event_peer`, filter: `string`)

Generated when a remote peer sent us a capture filter. While this event is intended primarily for use by Bro’s communication framework, it can also trigger additional code if helpful.

P:	A record describing the peer.
Filter:	The filter string sent by the peer.

remote_connection_closed

Type:	`event` (p: `event_peer`)

Generated when a connection to a remote Bro has been closed. This event is intended primarily for use by Bro’s communication framework, but it can also trigger additional code if helpful.

P:	A record describing the peer.

remote_connection_error

Type:	`event` (p: `event_peer`, reason: `string`)

Generated when a connection to a remote Bro encountered an error. This event is intended primarily for use by Bro’s communication framework, but it can also trigger additional code if helpful.

P:	A record describing the peer.
Reason:	A textual description of the error.

remote_connection_established

Type:	`event` (p: `event_peer`)

Generated when a connection to a remote Bro has been established. This event is intended primarily for use by Bro’s communication framework, but it can also trigger additional code if helpful.

P:	A record describing the peer.

remote_connection_handshake_done

Type:	`event` (p: `event_peer`)

Generated when a remote connection’s initial handshake has been completed. This event is intended primarily for use by Bro’s communication framework, but it can also trigger additional code if helpful.

P:	A record describing the peer.

remote_event_registered

Type:	`event` (p: `event_peer`, name: `string`)

Generated for each event registered by a remote peer. This event is intended primarily for use by Bro’s communication framework, but it can also trigger additional code if helpful.

P:	A record describing the peer.
Name:	TODO.

remote_log

Type:	`event` (level: `count`, src: `count`, msg: `string`)

Generated for communication log messages. While this event is intended primarily for use by Bro’s communication framework, it can also trigger additional code if helpful.

Level:	The log level, which is either `REMOTE_LOG_INFO` or `REMOTE_LOG_ERROR`.
Src:	The component of the communication system that logged the message. Currently, this will be one of `REMOTE_SRC_CHILD` (Bro’s child process), `REMOTE_SRC_PARENT` (Bro’s main process), or `REMOTE_SRC_SCRIPT` (the script level).
Msg:	The message logged.

remote_log_peer

Type:	`event` (p: `event_peer`, level: `count`, src: `count`, msg: `string`)

Generated for communication log messages. While this event is intended primarily for use by Bro’s communication framework, it can also trigger additional code if helpful. This event is equivalent to remote_log except the message is with respect to a certain peer.

P:	A record describing the remote peer.
Level:	The log level, which is either `REMOTE_LOG_INFO` or `REMOTE_LOG_ERROR`.
Src:	The component of the communication system that logged the message. Currently, this will be one of `REMOTE_SRC_CHILD` (Bro’s child process), `REMOTE_SRC_PARENT` (Bro’s main process), or `REMOTE_SRC_SCRIPT` (the script level).
Msg:	The message logged.

remote_pong

Type:	`event` (p: `event_peer`, seq: `count`, d1: `interval`, d2: `interval`, d3: `interval`)

Generated when a remote peer has answered to our ping. This event is part of Bro’s infrastructure for measuring communication latency. One can send a ping by calling send_ping and when a corresponding reply is received, this event will be raised.

P:	The peer sending us the pong.
Seq:	The sequence number passed to the original `send_ping` call. The number is sent back by the peer in its response.
D1:	The time interval between sending the ping and receiving the pong. This is the latency of the complete path.
D2:	The time interval between sending out the ping to the network and its reception at the peer. This is the network latency.
D3:	The time interval between when the peer’s child process received the ping and when its parent process sent the pong. This is the processing latency at the peer.

remote_state_access_performed

Type:	`event` (id: `string`, v: `any`)

Generated each time a remote state access has been replayed locally. This event is primarily intended for debugging.

Id:	The name of the Bro script variable that’s being operated on.
V:	The new value of the variable.

remote_state_inconsistency

Type:	`event` (operation: `string`, id: `string`, expected_old: `string`, real_old: `string`)

Generated if state synchronization detects an inconsistency. While this event is intended primarily for use by Bro’s communication framework, it can also trigger additional code if helpful. This event is only raised if remote_check_sync_consistency is false.

Operation:	The textual description of the state operation performed.
Id:	The name of the Bro script identifier that was operated on.
Expected_old:	A textual representation of the value of id that was expected to be found before the operation was carried out.
Real_old:	A textual representation of the value of id that was actually found before the operation was carried out. The difference between real_old and expected_old is the inconsistency being reported.

reporter_error

Type:	`event` (t: `time`, msg: `string`, location: `string`)
Attributes:	`&error_handler`

Raised for errors reported via Bro’s reporter framework. Such messages may be generated internally by the event engine and also by other scripts calling Reporter::error.

T:	The time the error was passed to the reporter.
Msg:	The error message.
Location:	A (potentially empty) string describing a location associated with the error.

Note

Bro will not call reporter events recursively. If the handler of any reporter event triggers a new reporter message itself, the output will go to stderr instead.

reporter_info

Type:	`event` (t: `time`, msg: `string`, location: `string`)
Attributes:	`&error_handler`

Raised for informational messages reported via Bro’s reporter framework. Such messages may be generated internally by the event engine and also by other scripts calling Reporter::info.

T:	The time the message was passed to the reporter.
Msg:	The message itself.
Location:	A (potentially empty) string describing a location associated with the message.

Note

Bro will not call reporter events recursively. If the handler of any reporter event triggers a new reporter message itself, the output will go to stderr instead.

reporter_warning

Type:	`event` (t: `time`, msg: `string`, location: `string`)
Attributes:	`&error_handler`

Raised for warnings reported via Bro’s reporter framework. Such messages may be generated internally by the event engine and also by other scripts calling Reporter::warning.

T:	The time the warning was passed to the reporter.
Msg:	The warning message.
Location:	A (potentially empty) string describing a location associated with the warning.

Note

Bro will not call reporter events recursively. If the handler of any reporter event triggers a new reporter message itself, the output will go to stderr instead.

rexmit_inconsistency

Type:	`event` (c: `connection`, t1: `string`, t2: `string`, tcp_flags: `string`)

Generated when Bro detects a TCP retransmission inconsistency. When reassembling a TCP stream, Bro buffers all payload until it sees the responder acking it. If during that time, the sender resends a chunk of payload but with different content than originally, this event will be raised. In addition, if tcp_max_old_segments is larger than zero, mismatches with that older still-buffered data will likewise trigger the event.

C:	The connection showing the inconsistency.
T1:	The original payload.
T2:	The new payload.
Tcp_flags:	A string with the TCP flags of the packet triggering the inconsistency. In the string, each character corresponds to one set flag, as follows: `S` -> SYN; `F` -> FIN; `R` -> RST; `A` -> ACK; `P` -> PUSH. This string will not always be set, only if the information is available; it’s “best effort”.

C:	The connection.
Os:	Statistics for the originator endpoint.
Rs:	Statistics for the responder endpoint.

Samples:	A set with functions and locations seen during the processing of the sampled packet.
CPU:	The CPU time spent on processing the sampled packet.
Dmem:	The difference in memory usage caused by processing the sampled packet.

Name:	The name of the event.
Params:	The event’s parameters.

C:	The connection the packet is part of.
Contents:	The raw transport-layer payload.

F:	The profiling file.
Expensive:	True if this event corresponds to heavier-weight profiling as indicated by the `expensive_profiling_multiple` variable.

base/bif/event.bif.bro

Summary

Events

Detailed Interface

Events

Table of Contents

Next Page

Previous Page

Name:	A unique name for the specific type of “weird” situation. Bro’s default scripts use this name in filtering policies that specify which “weirds” are worth reporting.
C:	The corresponding connection.
Addl:	Optional additional context further describing the situation.

Tag:	The analyzer which is carrying the file data.
C:	The connection which is carrying the file data.
Is_orig:	The direction the file data is flowing over the connection.

C:	The connection.
Atype:	The type of the analyzer confirming that its protocol is in use. The value is one of the `Analyzer::ANALYZER_*` constants. For example, `Analyzer::ANALYZER_HTTP` means the HTTP analyzer determined that it’s indeed parsing an HTTP connection.
Aid:	A unique integer ID identifying the specific instance of the analyzer atype that is analyzing the connection `c`. The ID can be used to reference the analyzer when using builtin functions like `disable_analyzer`.

C:	The connection.
A:	The analyzer that was scheduled for the connection with the `Analyzer::schedule_analyzer` call. When the event is raised, that analyzer will already have been activated to process the connection. The `count` is one of the `ANALYZER_*` constants, e.g., `ANALYZER_HTTP`.

State:	Context about the match, including which signatures triggered the event and the connection for which the match was found.
Msg:	The message passed to the `event` signature action.
Data:	The last chunk of input that triggered the match. Note that the specifics here are not well-defined as Bro does not buffer any input. If a match is split across packet boundaries, only the last chunk triggering the match will be passed on to the event.

C:	The connection.
Host:	The host running the reported software.
Descr:	The raw (unparsed) software identification string as extracted from the protocol.

C:	The connection whose tunnel/encapsulation changed.
E:	The new encapsulation.

base/bif/event.bif.bro

Summary

Events

Detailed Interface

Events

Table of Contents

Next Page

Previous Page

Search