base/bif/plugins/Bro_DCE_RPC.events.bif.bro
-
GLOBAL
| Namespace: | GLOBAL |
|---|---|
| Source File: | /scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro |
Summary
Events
dce_rpc_bind: event |
Generated for every DCE-RPC bind request message. |
dce_rpc_bind_ack: event |
Generated for every DCE-RPC bind request ack message. |
dce_rpc_message: event |
Generated for every DCE-RPC message. |
dce_rpc_request: event |
Generated for every DCE-RPC request message. |
dce_rpc_response: event |
Generated for every DCE-RPC response message. |
Detailed Interface
Events
-
dce_rpc_bind Type: event(c:connection, fid:count, uuid:string, ver_major:count, ver_minor:count)Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Uuid: The string interpretted uuid of the endpoint being requested. Ver_major: The major version of the endpoint being requested. Ver_minor: The minor version of the endpoint being requested. See also:
dce_rpc_message,dce_rpc_bind_ack,dce_rpc_request,dce_rpc_response
-
dce_rpc_bind_ack Type: event(c:connection, fid:count, sec_addr:string)Generated for every DCE-RPC bind request ack message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Sec_addr: Secondary address for the ack. See also:
dce_rpc_message,dce_rpc_bind,dce_rpc_request,dce_rpc_response
-
dce_rpc_message Type: event(c:connection, is_orig:bool, fid:count, ptype_id:count, ptype:DCE_RPC::PType)Generated for every DCE-RPC message.
C: The connection. Is_orig: True if the message was sent by the originator of the TCP connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Ptype_id: Numeric representation of the procedure type of the message. Ptype: Enum representation of the prodecure type of the message. See also:
dce_rpc_bind,dce_rpc_bind_ack,dce_rpc_request,dce_rpc_response
-
dce_rpc_request Type: event(c:connection, fid:count, opnum:count, stub_len:count)Generated for every DCE-RPC request message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Opnum: Number of the RPC operation. Stub_len: Length of the data for the request. See also:
dce_rpc_message,dce_rpc_bind,dce_rpc_bind_ack,dce_rpc_response
-
dce_rpc_response Type: event(c:connection, fid:count, opnum:count, stub_len:count)Generated for every DCE-RPC response message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Opnum: Number of the RPC operation. Stub_len: Length of the data for the response. See also:
dce_rpc_message,dce_rpc_bind,dce_rpc_bind_ack,dce_rpc_request
