GLOBAL

| Namespace: | GLOBAL |
|---|---|
| Source File: | /scripts/base/bif/plugins/Bro_RPC.events.bif.bro |

| Event | Description |
|---|---|
| mount_proc_mnt:event | Generated for MOUNT3 request/reply dialogues of type mnt. |
| mount_proc_not_implemented:event | Generated for MOUNT3 request/reply dialogues of a type that Bro’s MOUNTv3 analyzer does not implement. | 
| mount_proc_null:event | Generated for MOUNT3 request/reply dialogues of type null. | 
| mount_proc_umnt:event | Generated for MOUNT3 request/reply dialogues of type umnt. | 
| mount_proc_umnt_all:event | Generated for MOUNT3 request/reply dialogues of type umnt_all. | 
| mount_reply_status:event | Generated for each MOUNT3 reply message received, reporting just the status included. | 
| nfs_proc_create:event | Generated for NFSv3 request/reply dialogues of type create. | 
| nfs_proc_getattr:event | Generated for NFSv3 request/reply dialogues of type getattr. | 
| nfs_proc_link:event | Generated for NFSv3 request/reply dialogues of type link. | 
| nfs_proc_lookup:event | Generated for NFSv3 request/reply dialogues of type lookup. | 
| nfs_proc_mkdir:event | Generated for NFSv3 request/reply dialogues of type mkdir. | 
| nfs_proc_not_implemented:event | Generated for NFSv3 request/reply dialogues of a type that Bro’s NFSv3 analyzer does not implement. | 
| nfs_proc_null:event | Generated for NFSv3 request/reply dialogues of type null. | 
| nfs_proc_read:event | Generated for NFSv3 request/reply dialogues of type read. | 
| nfs_proc_readdir:event | Generated for NFSv3 request/reply dialogues of type readdir. | 
| nfs_proc_readlink:event | Generated for NFSv3 request/reply dialogues of type readlink. | 
| nfs_proc_remove:event | Generated for NFSv3 request/reply dialogues of type remove. | 
| nfs_proc_rename:event | Generated for NFSv3 request/reply dialogues of type rename. | 
| nfs_proc_rmdir:event | Generated for NFSv3 request/reply dialogues of type rmdir. | 
| nfs_proc_sattr:event | Generated for NFSv3 request/reply dialogues of type sattr. | 
| nfs_proc_symlink:event | Generated for NFSv3 request/reply dialogues of type symlink. | 
| nfs_proc_write:event | Generated for NFSv3 request/reply dialogues of type write. | 
| nfs_reply_status:event | Generated for each NFSv3 reply message received, reporting just the status included. | 
| pm_attempt_callit:event | Generated for failed Portmapper requests of type callit. | 
| pm_attempt_dump:event | Generated for failed Portmapper requests of type dump. | 
| pm_attempt_getport:event | Generated for failed Portmapper requests of type getport. | 
| pm_attempt_null:event | Generated for failed Portmapper requests of type null. | 
| pm_attempt_set:event | Generated for failed Portmapper requests of type set. | 
| pm_attempt_unset:event | Generated for failed Portmapper requests of type unset. | 
| pm_bad_port:event | Generated for Portmapper requests or replies that include an invalid port number. | 
| pm_request_callit:event | Generated for Portmapper request/reply dialogues of type callit. | 
| pm_request_dump:event | Generated for Portmapper request/reply dialogues of type dump. | 
| pm_request_getport:event | Generated for Portmapper request/reply dialogues of type getport. | 
| pm_request_null:event | Generated for Portmapper requests of type null. | 
| pm_request_set:event | Generated for Portmapper request/reply dialogues of type set. | 
| pm_request_unset:event | Generated for Portmapper request/reply dialogues of type unset. | 
| rpc_call:event | Generated for RPC call messages. | 
| rpc_dialogue:event | Generated for RPC request/reply pairs. | 
| rpc_reply:event | Generated for RPC reply messages. | 

mount_proc_mnt

| Type: | event(c:connection, info:MOUNT3::info_t, req:MOUNT3::dirmntargs_t, rep:MOUNT3::mnt_reply_t) |
|---|---|
Generated for MOUNT3 request/reply dialogues of type mnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | The arguments passed in the request. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_not_implemented

| Type: | event(c:connection, info:MOUNT3::info_t, proc:MOUNT3::proc_t) |
|---|---|
Generated for MOUNT3 request/reply dialogues of a type that Bro’s MOUNTv3 analyzer does not implement.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Proc: | The procedure called that Bro does not implement. | 
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_null

| Type: | event(c:connection, info:MOUNT3::info_t) |
|---|---|
Generated for MOUNT3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt

| Type: | event(c:connection, info:MOUNT3::info_t, req:MOUNT3::dirmntargs_t) |
|---|---|
Generated for MOUNT3 request/reply dialogues of type umnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | The arguments passed in the request. | 
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt_all

| Type: | event(c:connection, info:MOUNT3::info_t, req:MOUNT3::dirmntargs_t) |
|---|---|
Generated for MOUNT3 request/reply dialogues of type umnt_all. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | The arguments passed in the request. | 
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_reply_status

| Type: | event(n:connection, info:MOUNT3::info_t) |
|---|---|
Generated for each MOUNT3 reply message received, reporting just the status included.
| N: | The connection. | 
|---|---|
| Info: | Reports the status included in the reply. | 
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_create

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::diropargs_t, rep:NFS3::newobj_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type create. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | TODO. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_getattr

| Type: | event(c:connection, info:NFS3::info_t, fh:string, attrs:NFS3::fattr_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type getattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Fh: | TODO. | 
| Attrs: | The attributes returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, file_mode
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_link

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::linkargs_t, rep:NFS3::link_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type link. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | The arguments passed in the request. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, nfs_proc_symlink, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_lookup

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::diropargs_t, rep:NFS3::lookup_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type lookup. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | The arguments passed in the request. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_mkdir

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::diropargs_t, rep:NFS3::newobj_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type mkdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | TODO. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_not_implemented

| Type: | event(c:connection, info:NFS3::info_t, proc:NFS3::proc_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of a type that Bro’s NFSv3 analyzer does not implement.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Proc: | The procedure called that Bro does not implement. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_null

| Type: | event(c:connection, info:NFS3::info_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_read

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::readargs_t, rep:NFS3::read_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type read. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | The arguments passed in the request. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, NFS3::return_data, NFS3::return_data_first_only, NFS3::return_data_max
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readdir

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::readdirargs_t, rep:NFS3::readdir_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type readdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | TODO. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readlink

| Type: | event(c:connection, info:NFS3::info_t, fh:string, rep:NFS3::readlink_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type readlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Fh: | The file handle passed in the request. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, nfs_proc_symlink, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_remove

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::diropargs_t, rep:NFS3::delobj_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type remove. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | TODO. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rename

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::renameopargs_t, rep:NFS3::renameobj_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type rename. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | TODO. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rmdir

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::diropargs_t, rep:NFS3::delobj_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type rmdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | TODO. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_sattr

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::sattrargs_t, rep:NFS3::sattr_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type sattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | The arguments passed in the request. | 
| Rep: | The attributes returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, file_mode
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_symlink

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::symlinkargs_t, rep:NFS3::newobj_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type symlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | The arguments passed in the request. | 
| Rep: | The attributes returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, nfs_proc_link, rpc_call, rpc_dialogue, rpc_reply, file_mode
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_write

| Type: | event(c:connection, info:NFS3::info_t, req:NFS3::writeargs_t, rep:NFS3::write_reply_t) |
|---|---|
Generated for NFSv3 request/reply dialogues of type write. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
| C: | The RPC connection. | 
|---|---|
| Info: | Reports the status of the dialogue, along with some meta information. | 
| Req: | TODO. | 
| Rep: | The response returned in the reply. The values may not be valid if the request was unsuccessful. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, NFS3::return_data, NFS3::return_data_first_only, NFS3::return_data_max
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_reply_status

| Type: | event(n:connection, info:NFS3::info_t) |
|---|---|
Generated for each NFSv3 reply message received, reporting just the status included.
| N: | The connection. | 
|---|---|
| Info: | Reports the status included in the reply. | 
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_callit

| Type: | event(r:connection, status:rpc_status, call:pm_callit_request) |
|---|---|
Generated for failed Portmapper requests of type callit.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Status: | The status of the reply, which should be one of the index values of RPC_status. | 
| Call: | The argument to the original request. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_dump

| Type: | event(r:connection, status:rpc_status) |
|---|---|
Generated for failed Portmapper requests of type dump.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Status: | The status of the reply, which should be one of the index values of RPC_status. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_getport

| Type: | event(r:connection, status:rpc_status, pr:pm_port_request) |
|---|---|
Generated for failed Portmapper requests of type getport.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Status: | The status of the reply, which should be one of the index values of RPC_status. | 
| Pr: | The argument to the original request. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_null

| Type: | event(r:connection, status:rpc_status) |
|---|---|
Generated for failed Portmapper requests of type null.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Status: | The status of the reply, which should be one of the index values of RPC_status. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_set

| Type: | event(r:connection, status:rpc_status, m:pm_mapping) |
|---|---|
Generated for failed Portmapper requests of type set.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Status: | The status of the reply, which should be one of the index values of RPC_status. | 
| M: | The argument to the original request. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_attempt_unset

| Type: | event(r:connection, status:rpc_status, m:pm_mapping) |
|---|---|
Generated for failed Portmapper requests of type unset.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Status: | The status of the reply, which should be one of the index values of RPC_status. | 
| M: | The argument to the original request. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_bad_port

| Type: | event(r:connection, bad_p:count) |
|---|---|
Generated for Portmapper requests or replies that include an invalid port number. Since ports are represented by unsigned 4-byte integers, they can stray outside the allowed range of 0–65535 by being >= 65536. If so, this event is generated.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Bad_p: | The invalid port value. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_callit

| Type: | event(r:connection, call:pm_callit_request, p:port) |
|---|---|
Generated for Portmapper request/reply dialogues of type callit.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Call: | The argument to the request. | 
| P: | The port value returned by the call. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_dump

| Type: | event(r:connection, m:pm_mappings) |
|---|---|
Generated for Portmapper request/reply dialogues of type dump.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| M: | The mappings returned by the server. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_getport

| Type: | event(r:connection, pr:pm_port_request, p:port) |
|---|---|
Generated for Portmapper request/reply dialogues of type getport.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| Pr: | The argument to the request. | 
| P: | The port returned by the server. | 
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_null

| Type: | event(r:connection) |
|---|---|
Generated for Portmapper requests of type null.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. |
|---|---|
See also: pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_set

| Type: | event(r:connection, m:pm_mapping, success:bool) |
|---|---|
Generated for Portmapper request/reply dialogues of type set.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| M: | The argument to the request. | 
| Success: | True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out. | 
See also: pm_request_null, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pm_request_unset

| Type: | event(r:connection, m:pm_mapping, success:bool) |
|---|---|
Generated for Portmapper request/reply dialogues of type unset.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
| R: | The RPC connection. | 
|---|---|
| M: | The argument to the request. | 
| Success: | True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out. | 
See also: pm_request_null, pm_request_set, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
rpc_call

| Type: | event(c:connection, xid:count, prog:count, ver:count, proc:count, call_len:count) |
|---|---|
Generated for RPC call messages.
See Wikipedia for more information about the ONC RPC protocol.
| C: | The connection. | 
|---|---|
| Xid: | The transaction identifier, used to match requests with replies. | 
| Prog: | The remote program to call. | 
| Ver: | The version of the remote program to call. | 
| Proc: | The procedure of the remote program to call. | 
| Call_len: | The size of the call_body PDU. | 
See also: rpc_dialogue, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports or a DPD payload
signature.
rpc_dialogue

| Type: | event(c:connection, prog:count, ver:count, proc:count, status:rpc_status, start_time:time, call_len:count, reply_len:count) |
|---|---|

Generated for RPC request/reply pairs. The RPC analyzer associates request
and reply by their transaction identifiers and raises this event once both
have been seen. If no reply is seen, this event is still generated
eventually, on timeout. In that case, status is set to
RPC_TIMEOUT.
See Wikipedia for more information about the ONC RPC protocol.
| C: | The connection. | 
|---|---|
| Prog: | The remote program to call. | 
| Ver: | The version of the remote program to call. | 
| Proc: | The procedure of the remote program to call. | 
| Status: | The status of the reply, which should be one of the index values of RPC_status. | 
| Start_time: | The time when the call was seen. | 
| Call_len: | The size of the call_body PDU. | 
| Reply_len: | The size of the reply_body PDU. | 
See also: rpc_call, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports or a DPD payload
signature.
rpc_reply

| Type: | event(c:connection, xid:count, status:rpc_status, reply_len:count) |
|---|---|
Generated for RPC reply messages.
See Wikipedia for more information about the ONC RPC protocol.
| C: | The connection. | 
|---|---|
| Xid: | The transaction identifier, used to match requests with replies. | 
| Status: | The status of the reply, which should be one of the index values of RPC_status. | 
| Reply_len: | The size of the reply_body PDU. | 
See also: rpc_call, rpc_dialogue, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports or a DPD payload
signature.
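One way to follow the Todo notes above and put the Portmapper and RPC events to use for monitoring, as an added example that is not part of the Bro distribution or of this reference. The analyzer tag `Analyzer::ANALYZER_PORTMAPPER` and the use of port 111 (Portmapper's conventional port) are assumptions not stated on this page.

```bro
# Added example (not Bro's own script). Assumptions: the Portmapper analyzer
# tag is Analyzer::ANALYZER_PORTMAPPER and the service runs on port 111.
const portmapper_ports = { 111/tcp, 111/udp };

event bro_init()
    {
    # Without this registration the analyzer never runs and none of the
    # pm_* or rpc_* handlers below are called.
    Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, portmapper_ports);
    }

# A 4-byte port field holding a value >= 65536: malformed or hostile traffic.
event pm_bad_port(r: connection, bad_p: count)
    {
    print fmt("%s portmapper port out of range: %d (%s -> %s)",
              network_time(), bad_p, r$id$orig_h, r$id$resp_h);
    }

# Failed getport lookups; status is one of the rpc_status values.
event pm_attempt_getport(r: connection, status: rpc_status, pr: pm_port_request)
    {
    print fmt("%s failed getport %s -> %s: status=%s request=%s",
              network_time(), r$id$orig_h, r$id$resp_h, status, pr);
    }

# A dump returns every registered mapping; record who asked and how much
# the server disclosed.
event pm_request_dump(r: connection, m: pm_mappings)
    {
    print fmt("%s portmapper dump %s -> %s returned %d mappings",
              network_time(), r$id$orig_h, r$id$resp_h, |m|);
    }

# rpc_dialogue is raised on timeout as well, with status set to RPC_TIMEOUT.
event rpc_dialogue(c: connection, prog: count, ver: count, proc: count,
                   status: rpc_status, start_time: time,
                   call_len: count, reply_len: count)
    {
    if ( status == RPC_TIMEOUT )
        print fmt("%s unanswered RPC call %s -> %s: prog=%d ver=%d proc=%d call_len=%d",
                  start_time, c$id$orig_h, c$id$resp_h, prog, ver, proc, call_len);
    }
```

In a deployment the `print` statements would normally be replaced by notices or a dedicated log stream.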
