base/bif/plugins/Bro_MIME.events.bif.bro

GLOBAL

Namespace:	GLOBAL
Source File:	`/scripts/base/bif/plugins/Bro_MIME.events.bif.bro`

Summary

Events

`mime_all_data`: `event`	Generated for passing on all data decoded from a single email MIME message.
`mime_all_headers`: `event`	Generated for MIME headers extracted from email MIME entities, passing all headers at once.
`mime_begin_entity`: `event`	Generated when starting to parse an email MIME entity.
`mime_content_hash`: `event`	Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums.
`mime_end_entity`: `event`	Generated when finishing parsing an email MIME entity.
`mime_entity_data`: `event`	Generated for data decoded from an email MIME entity.
`mime_event`: `event`	Generated for errors found when decoding email MIME entities.
`mime_one_header`: `event`	Generated for individual MIME headers extracted from email MIME entities.
`mime_segment_data`: `event`	Generated for chunks of decoded MIME data from email MIME entities.

Detailed Interface

Events

mime_all_data

Type:	`event` (c: `connection`, length: `count`, data: `string`)

Generated for passing on all data decoded from a single email MIME message. If an email message has more than one MIME entity, this event combines all their data into a single value for analysis. Note that because of the potentially significant buffering necessary, using this event can be expensive.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.
Length:	The length of data.
Data:	The raw data of all MIME entities concatenated.

Note

While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_all_headers

Type:	`event` (c: `connection`, hlist: `mime_header_list`)

Generated for MIME headers extracted from email MIME entities, passing all headers at once. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.
Hlist:	A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

Note

Bro also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_begin_entity

Type:	`event` (c: `connection`)

Generated when starting to parse an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Bro raises this event when it begins parsing a MIME entity extracted from an email protocol.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.

Note

Bro also extracts MIME entities from HTTP sessions. For those, however, it raises http_begin_entity instead.

mime_content_hash

Type:	`event` (c: `connection`, content_len: `count`, hash_value: `string`)

Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. Bro computes the MD5 over the complete decoded data of each MIME entity.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.
Content_len:	The length of the entity being hashed.
Hash_value:	The MD5 hash.

Note

While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_end_entity

Type:	`event` (c: `connection`)

Generated when finishing parsing an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Bro raises this event when it finished parsing a MIME entity extracted from an email protocol.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.

Note

Bro also extracts MIME entities from HTTP sessions. For those, however, it raises http_end_entity instead.

mime_entity_data

Type:	`event` (c: `connection`, length: `count`, data: `string`)

Generated for data decoded from an email MIME entity. This event delivers the complete content of a single MIME entity with the quoted-printable and and base64 data decoded. In contrast, there is also mime_segment_data, which passes on a sequence of data chunks as they come in. While mime_entity_data is more convenient to handle, mime_segment_data is more efficient as Bro does not need to buffer the data. Thus, if possible, the latter should be preferred.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.
Length:	The length of data.
Data:	The raw data of the complete entity.

Note

While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_event

Type:	`event` (c: `connection`, event_type: `string`, detail: `string`)

Generated for errors found when decoding email MIME entities.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.
Event_type:	A string describing the general category of the problem found (e.g., `illegal format`).
Detail:	Further more detailed description of the error.

Note

Bro also extracts MIME headers from HTTP sessions. For those, however, it raises http_event instead.

mime_one_header

Type:	`event` (c: `connection`, h: `mime_header_rec`)

Generated for individual MIME headers extracted from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.
H:	The parsed MIME header.

Note

Bro also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_segment_data

Type:	`event` (c: `connection`, length: `count`, data: `string`)

Generated for chunks of decoded MIME data from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. As Bro parses the data of an entity, it raises a sequence of these events, each coming as soon as a new chunk of data is available. In contrast, there is also mime_entity_data, which passes all of an entities data at once in a single block. While the latter is more convenient to handle, mime_segment_data is more efficient as Bro does not need to buffer the data. Thus, if possible, this event should be preferred.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:	The connection.
Length:	The length of data.
Data:	The raw data of one segment of the current entity.

Note

Bro also extracts MIME data from HTTP sessions. For those, however, it raises http_entity_data (sic!) instead.

base/bif/plugins/Bro_MIME.events.bif.bro

Summary

Events

Detailed Interface

Events

Table of Contents

Next Page

Previous Page

base/bif/plugins/Bro_MIME.events.bif.bro

Summary

Events

Detailed Interface

Events

Table of Contents

Next Page

Previous Page

Search