Analyzer::Tag
Type:
ARP Parsing
arp_request
Type: event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
Generated for ARP requests.
See Wikipedia for more information about the ARP protocol.
mac_src: The request’s source MAC address.
mac_dst: The request’s destination MAC address.
SPA: The sender protocol address.
SHA: The sender hardware address.
TPA: The target protocol address.
THA: The target hardware address.
arp_reply
Type: event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
Generated for ARP replies.
See Wikipedia for more information about the ARP protocol.
mac_src: The reply’s source MAC address.
mac_dst: The reply’s destination MAC address.
SPA: The sender protocol address.
SHA: The sender hardware address.
TPA: The target protocol address.
THA: The target hardware address.
See also: arp_request, bad_arp
bad_arp
Type: event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
Generated for ARP packets that Bro cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
SPA: The sender protocol address.
SHA: The sender hardware address.
TPA: The target protocol address.
THA: The target hardware address.
explanation: A short description of why the ARP packet is considered “bad”.
See also: arp_reply, arp_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
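As an added example that is not part of the Bro documentation or its scripts, the handlers below use arp_reply and bad_arp for monitoring: they remember the hardware address last seen for each sender protocol address and raise a notice when an address is claimed by a different MAC, and they surface every bad_arp as a notice. The module name, notice types and expiry interval are the example's own choices; the ARP analyzer is assumed to be active (see the Todo above).

```zeek
# Added example, not Bro's own ARP script. Requires the ARP analyzer to be
# generating arp_reply/bad_arp and the Notice framework to be loaded.
@load base/frameworks/notice

module ARPWatch;

export {
    redef enum Notice::Type += {
        ## A protocol address was answered for by a different hardware
        ## address than the one seen for it before.
        Mapping_Changed,
        ## The analyzer could not interpret an ARP packet (bad_arp).
        Bad_Packet
    };

    ## How long a learned SPA -> SHA binding is kept without being refreshed
    ## (assumed value, tune to the network's lease/ARP cache behaviour).
    const binding_expire = 1hr &redef;
}

# Last sender hardware address seen in a reply for each sender protocol address.
global bindings: table[addr] of string &create_expire=binding_expire;

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
    {
    # A reply with an unspecified sender address carries no usable binding.
    if ( SPA == 0.0.0.0 )
        return;

    if ( SPA in bindings && bindings[SPA] != SHA )
        NOTICE([$note=Mapping_Changed,
                $msg=fmt("%s was %s, now answered for by %s (frame src %s, asked by %s)",
                         SPA, bindings[SPA], SHA, mac_src, TPA),
                $src=SPA,
                # Suppress repeats of the same new binding.
                $identifier=cat(SPA, SHA)]);

    bindings[SPA] = SHA;
    }

event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
    {
    NOTICE([$note=Bad_Packet,
            $msg=fmt("ARP %s (%s) -> %s (%s): %s", SPA, SHA, TPA, THA, explanation),
            $src=SPA,
            $identifier=cat(SPA, explanation)]);
    }
```

Mapping_Changed fires for legitimate NIC replacements and DHCP address reuse as well, so the notice is a starting point for review rather than an alarm on its own.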
Backdoor Analyzer (deprecated)
backdoor_stats
Type: event (c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats)
Deprecated. Will be removed.
backdoor_remove_conn
Type: event (c: connection)
Deprecated. Will be removed.
ftp_signature_found
Type: event (c: connection)
Deprecated. Will be removed.
gnutella_signature_found
Type: event (c: connection)
Deprecated. Will be removed.
http_signature_found
Type: event (c: connection)
Deprecated. Will be removed.
irc_signature_found
Type: event (c: connection)
Deprecated. Will be removed.
telnet_signature_found
Type: event (c: connection, is_orig: bool, len: count)
Deprecated. Will be removed.
ssh_signature_found
Type: event (c: connection, is_orig: bool)
Deprecated. Will be removed.
rlogin_signature_found
Type: event (c: connection, is_orig: bool, num_null: count, len: count)
Deprecated. Will be removed.
smtp_signature_found
Type: event (c: connection)
Deprecated. Will be removed.
http_proxy_signature_found
Type: event (c: connection)
Deprecated. Will be removed.
BitTorrent Analyzer
bittorrent_peer_handshake
Type: event (c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_keep_alive
Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_choke
Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_unchoke
Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_interested
Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_not_interested
Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_have
Type: event (c: connection, is_orig: bool, piece_index: count)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_bitfield
Type: event (c: connection, is_orig: bool, bitfield: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_request
Type: event (c: connection, is_orig: bool, index: count, begin: count, length: count)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_piece
Type: event (c: connection, is_orig: bool, index: count, begin: count, piece_length: count)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_cancel
Type: event (c: connection, is_orig: bool, index: count, begin: count, length: count)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_port
Type: event (c: connection, is_orig: bool, listen_port: port)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bittorrent_peer_unknown
Type: event (c: connection, is_orig: bool, message_id: count, data: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_weird
bittorrent_peer_weird
Type: event (c: connection, is_orig: bool, msg: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown
bt_tracker_request
Type: event (c: connection, uri: string, headers: bt_tracker_headers)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bt_tracker_response
Type: event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bt_tracker_response_not_ok
Type: event (c: connection, status: count, headers: bt_tracker_headers)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
bt_tracker_weird
Type: event (c: connection, is_orig: bool, msg: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
Connection size analyzer
conn_bytes_threshold_crossed
Type: event (c: connection, threshold: count, is_orig: bool)
Generated for a connection that crossed a set byte threshold. Note that this is a low-level event that should usually be avoided in user code. Use ConnThreshold::bytes_threshold_crossed instead.
c: The connection.
threshold: The threshold that was set.
is_orig: True if the threshold was crossed by the originator of the connection.
See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold
conn_packets_threshold_crossed
Type: event (c: connection, threshold: count, is_orig: bool)
Generated for a connection that crossed a set packet threshold. Note that this is a low-level event that should usually be avoided in user code. Use ConnThreshold::bytes_threshold_crossed instead.
c: The connection.
threshold: The threshold that was set.
is_orig: True if the threshold was crossed by the originator of the connection.
See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold
set_current_conn_bytes_threshold
Type: function (cid: conn_id, threshold: count, is_orig: bool) : bool
Sets the current byte threshold for connection sizes, overwriting any existing threshold. Be aware that in nearly every case you will want to use the high-level API instead (ConnThreshold::set_bytes_threshold).
cid: The connection id.
threshold: Threshold in bytes.
is_orig: If true, the threshold is set for bytes from the originator, otherwise for bytes from the responder.
See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold
set_current_conn_packets_threshold
Type: function (cid: conn_id, threshold: count, is_orig: bool) : bool
Sets a threshold for connection packets, overwriting any existing threshold. Be aware that in nearly every case you will want to use the high-level API instead (ConnThreshold::set_packets_threshold).
cid: The connection id.
threshold: Threshold in packets.
is_orig: If true, the threshold is set for packets from the originator, otherwise for packets from the responder.
See also: set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold
get_current_conn_bytes_threshold
Type: function (cid: conn_id, is_orig: bool) : count
Gets the current byte threshold for a connection.
cid: The connection id.
is_orig: If true, the threshold of the originator, otherwise the threshold of the responder.
Returns: 0 if no threshold is set, otherwise the threshold in bytes.
See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold
get_current_conn_packets_threshold
Type: function (cid: conn_id, is_orig: bool) : count
Gets the current packet threshold for a connection.
cid: The connection id.
is_orig: If true, the threshold of the originator, otherwise the threshold of the responder.
Returns: 0 if no threshold is set, otherwise the threshold in packets.
See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold
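The functions above are the raw primitives; the high-level ConnThreshold API they point to wraps them with per-connection bookkeeping. As an added example that is not part of the Bro documentation, the script below arms a responder-side byte threshold on every established TCP connection and raises a notice when it is crossed, which is how a large-transfer or exfiltration check is typically built on top of these events. The module name, notice type, threshold value and exempt-port list are the example's own choices; ConnThreshold::set_bytes_threshold and ConnThreshold::bytes_threshold_crossed are the high-level API named in the reference.

```zeek
# Added example, not Bro's own threshold script. Uses the high-level
# ConnThreshold API rather than set_current_conn_bytes_threshold() directly.
@load base/frameworks/notice
@load base/protocols/conn/thresholds

module LargeTransfer;

export {
    redef enum Notice::Type += {
        ## A responder sent more than large_response bytes on one connection.
        Large_Response
    };

    ## Responder-side byte count that triggers the notice (assumed value).
    const large_response = 10485760 &redef;   # 10 MiB

    ## Responder ports where large responses are expected and not reported
    ## (assumed list, e.g. backup or mirror services).
    const expected_large_ports: set[port] = { 873/tcp } &redef;
}

event connection_established(c: connection)
    {
    if ( c$id$resp_p in expected_large_ports )
        return;

    # Arm the threshold for bytes from the responder (is_orig = F). The call
    # returns F if the threshold could not be installed, e.g. because it is
    # not above the byte count already seen on the connection.
    if ( ! ConnThreshold::set_bytes_threshold(c, large_response, F) )
        Reporter::warning(fmt("could not arm byte threshold on %s", c$uid));
    }

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    # Only responder-side thresholds are armed above; other scripts may arm
    # originator-side ones and would also land here.
    if ( is_orig )
        return;

    NOTICE([$note=Large_Response,
            $msg=fmt("%s:%s sent more than %d bytes to %s",
                     c$id$resp_h, c$id$resp_p, threshold, c$id$orig_h),
            $conn=c,
            $identifier=c$uid]);
    }
```

The threshold fires once; to keep watching the same connection, arm a higher threshold from inside the bytes_threshold_crossed handler.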
DCE-RPC analyzer
DCE_RPC::PType
Type:
dce_rpc_message
Type: event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)
Generated for every DCE-RPC message.
c: The connection.
is_orig: True if the message was sent by the originator of the TCP connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ptype_id: Numeric representation of the procedure type of the message.
ptype: Enum representation of the procedure type of the message.
See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response
dce_rpc_bind
Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
uuid: The UUID of the endpoint being requested, interpreted as a string.
ver_major: The major version of the endpoint being requested.
ver_minor: The minor version of the endpoint being requested.
See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response
dce_rpc_alter_context
Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
uuid: The UUID of the endpoint being requested, interpreted as a string.
ver_major: The major version of the endpoint being requested.
ver_minor: The minor version of the endpoint being requested.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp
dce_rpc_bind_ack
Type: event (c: connection, fid: count, sec_addr: string)
Generated for every DCE-RPC bind request ack message.
c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
sec_addr: Secondary address for the ack.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response
dce_rpc_alter_context_resp
Type: event (c: connection, fid: count)
Generated for every DCE-RPC alter context response message.
c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context
dce_rpc_request
Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
Generated for every DCE-RPC request message.
c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
opnum: Number of the RPC operation.
stub_len: Length of the data for the request.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response
dce_rpc_response
Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
Generated for every DCE-RPC response message.
c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
opnum: Number of the RPC operation.
stub_len: Length of the data for the response.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request
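A request or response carries only a ctx_id and opnum; the interface UUID it belongs to was announced earlier in the bind (or alter context) that set up that context, and one bind raises the event once per requested context. As an added example that is not part of the Bro documentation or Bro's own DCE-RPC script, the handlers below record the UUID bound to each (pipe, context) pair per connection and use it to attribute later requests to an interface. The module name, notice type and the watched-UUID list are the example's own choices; the UUID in the list is a placeholder.

```zeek
# Added example, not Bro's own DCE-RPC script: map presentation contexts
# back to the interface UUID they were bound to.
@load base/frameworks/notice

module DCERPCContexts;

export {
    redef enum Notice::Type += {
        ## A request was made on an interface listed in watched_uuids.
        Watched_Interface_Call
    };

    ## Interface UUIDs whose calls should be reported. Placeholder value;
    ## fill in the interfaces relevant to your environment.
    const watched_uuids: set[string] = {
        "00000000-0000-0000-0000-000000000000"
    } &redef;
}

# connection uid -> [fid, ctx_id] -> uuid bound to that context. Keyed by
# fid as well because one SMB session can carry several named pipes, each
# with its own context ids.
global contexts: table[string] of table[count, count] of string;

function remember_context(c: connection, fid: count, ctx_id: count, uuid: string)
    {
    if ( c$uid !in contexts )
        contexts[c$uid] = table();

    contexts[c$uid][fid, ctx_id] = uuid;
    }

# One bind PDU listing several contexts raises this once per context.
event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string,
                   ver_major: count, ver_minor: count)
    {
    remember_context(c, fid, ctx_id, uuid);
    }

# alter_context adds or replaces contexts on an existing association.
event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string,
                            ver_major: count, ver_minor: count)
    {
    remember_context(c, fid, ctx_id, uuid);
    }

event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count,
                      stub_len: count)
    {
    if ( c$uid !in contexts || [fid, ctx_id] !in contexts[c$uid] )
        {
        # The bind happened before capture started, or the pipe's bind was
        # not seen; the request cannot be attributed to an interface.
        Reporter::info(fmt("%s: DCE-RPC request on unbound ctx %d (fid %d), opnum %d",
                           c$uid, ctx_id, fid, opnum));
        return;
        }

    local uuid = contexts[c$uid][fid, ctx_id];
    if ( uuid !in watched_uuids )
        return;

    NOTICE([$note=Watched_Interface_Call,
            $msg=fmt("%s called opnum %d on %s (%d stub bytes)",
                     c$id$orig_h, opnum, uuid, stub_len),
            $conn=c,
            $identifier=cat(c$id$orig_h, uuid, opnum)]);
    }

event connection_state_remove(c: connection)
    {
    delete contexts[c$uid];
    }
```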
DHCP analyzer
DHCP::Msg
Type: record
  flags:
A DHCP message.
See also: dhcp_message
DHCP::Addrs
Type: vector of addr
A list of addresses offered by a DHCP server. These could be routers, DNS servers, or others.
See also: dhcp_message
DHCP::SubOpt
Type: record
  code:
  value:
DHCP Relay Agent Information Option (Option 82).
See also: dhcp_message
DHCP::SubOpts
Type: vector of DHCP::SubOpt
DHCP::ClientFQDN
Type:
DHCP Client FQDN Option information (Option 81).
DHCP::ClientID
Type: record
  hwtype:
  hwaddr:
DHCP Client Identifier (Option 61).
See also: dhcp_message
DHCP::Options
Type:
dhcp_message
Type: event (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
Generated for all DHCP messages.
c: The connection record describing the underlying UDP flow.
is_orig: Indicates whether the message came in a packet from the originator/client of the UDP flow or from the responder/server.
msg: The parsed type-independent part of the DHCP message. The message type is indicated in this record.
options: The full set of supported and parsed DHCP options.
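As an added example that is not part of the Bro documentation or Bro's DHCP scripts, the handler below uses dhcp_message to report DHCP servers that are not on an approved list, a common rogue-server check. It assumes that DHCP::Msg carries the fields op, m_type, yiaddr and chaddr as in Bro's dhcp.bif (the reference above does not list them); the BOOTP op and message-type values are from RFC 2131/2132, and the module name, notice type and server list are the example's own.

```zeek
# Added example, not Bro's own DHCP script. Assumes DHCP::Msg has the
# fields op, m_type, yiaddr and chaddr.
@load base/frameworks/notice

module RogueDHCP;

export {
    redef enum Notice::Type += {
        ## A DHCP OFFER or ACK came from a server not in authorized_servers.
        Unauthorized_Server
    };

    ## The DHCP servers allowed on this network (placeholder address).
    ## Replies forwarded by a relay agent carry the relay's address, so
    ## relays must be listed here too.
    const authorized_servers: set[addr] = { 192.0.2.1 } &redef;
}

# BOOTP op code (RFC 2131) and DHCP message types (RFC 2132, option 53).
const BOOTREPLY = 2;
const DHCPOFFER = 2;
const DHCPACK   = 5;

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # Decide by the BOOTP op rather than by is_orig alone: a broadcast reply
    # can be seen on a different UDP flow than the request, in which case
    # the server is the originator of that flow.
    if ( msg$op != BOOTREPLY )
        return;

    if ( msg$m_type != DHCPOFFER && msg$m_type != DHCPACK )
        return;

    local server = is_orig ? c$id$orig_h : c$id$resp_h;
    if ( server in authorized_servers )
        return;

    NOTICE([$note=Unauthorized_Server,
            $msg=fmt("DHCP %s from %s assigning %s to client %s",
                     msg$m_type == DHCPOFFER ? "OFFER" : "ACK",
                     server, msg$yiaddr, msg$chaddr),
            $conn=c,
            # One notice per unexpected server rather than per lease.
            $identifier=cat(server)]);
    }
```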
DNP3 UDP/TCP analyzers
dnp3_application_request_header
Type: event (c: connection, is_orig: bool, application: count, fc: count)
Generated for a DNP3 request header.
c: The connection the DNP3 communication is part of.
is_orig: True if this reflects originator-side activity.
fc: Function code.
dnp3_application_response_header
Type: event (c: connection, is_orig: bool, application: count, fc: count, iin: count)
Generated for a DNP3 response header.
c: The connection the DNP3 communication is part of.
is_orig: True if this reflects originator-side activity.
fc: Function code.
iin: Internal indication number.
dnp3_object_header
Type: event (c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)
Generated for the object header found in both DNP3 requests and responses.
c: The connection the DNP3 communication is part of.
is_orig: True if this reflects originator-side activity.
obj_type: Type of object, classified by an 8-bit group number and an 8-bit variation number.
qua_field: Qualifier field.
number: TODO.
rf_low: The structure of the range field depends on the qualifier field. In some cases the range field contains only one logical part, e.g., the number of objects, so only rf_low carries a useful value.
rf_high: In some cases the range field contains two logical parts, e.g., a start index and a stop index; then rf_low holds the start index and rf_high the stop index.
dnp3_object_prefix
Type: event (c: connection, is_orig: bool, prefix_value: count)
Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.
c: The connection the DNP3 communication is part of.
is_orig: True if this reflects originator-side activity.
prefix_value: The prefix.
dnp3_header_block
Type: event (c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)
Generated for an additional header that the DNP3 analyzer passes to the script level. This header mimics the DNP3 transport layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).
c: The connection the DNP3 communication is part of.
is_orig: True if this reflects originator-side activity.
len: The “length” field in the DNP3 Pseudo Link Layer.
ctrl: The “control” field in the DNP3 Pseudo Link Layer.
dest_addr: The “destination” field in the DNP3 Pseudo Link Layer.
src_addr: The “source” field in the DNP3 Pseudo Link Layer.
dnp3_response_data_object
Type: event (c: connection, is_orig: bool, data_value: count)
Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: an object prefix and object data. In most cases the object data are defined by their own record types. In a few cases, however, the object data are directly basic types, such as int16 or int8; for those, the additional data_value carries the value of the object data.
c: The connection the DNP3 communication is part of.
is_orig: True if this reflects originator-side activity.
data_value: The value for those objects that carry their information here directly.
dnp3_attribute_common
Type: event (c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)
Generated for DNP3 attributes.
dnp3_crob
Type: event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)
Generated for DNP3 objects with group number 12 and variation number 1.
CROB: Control relay output block.
dnp3_pcb
Type: event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)
Generated for DNP3 objects with group number 12 and variation number 2.
PCB: Pattern control block.
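The request header event carries the function code and the group 12 object events (dnp3_crob, dnp3_pcb) carry the control block that SELECT/OPERATE style requests act on, but nothing ties the two together except their order on the connection. As an added example that is not part of the Bro documentation or Bro's DNP3 scripts, the handlers below keep the last control-type function code per connection and raise a notice when a control request, with the CROB details if one follows, comes from a host that is not an approved master. The function code values are from IEEE 1815; the module name, notice type and master list are the example's own.

```zeek
# Added example, not Bro's own DNP3 script: report control-type requests
# from hosts outside an approved master list.
@load base/frameworks/notice

module DNP3Control;

export {
    redef enum Notice::Type += {
        ## A state-changing DNP3 request came from an unlisted master.
        Control_From_Unknown_Master
    };

    ## Hosts permitted to issue control requests (placeholder address).
    const approved_masters: set[addr] = { 192.0.2.10 } &redef;

    ## Application-layer function codes (IEEE 1815) that change outstation
    ## state; read/poll codes are deliberately left out.
    const control_fcs: table[count] of string = {
        [3]  = "SELECT",
        [4]  = "OPERATE",
        [5]  = "DIRECT_OPERATE",
        [6]  = "DIRECT_OPERATE_NR",
        [13] = "COLD_RESTART",
        [14] = "WARM_RESTART"
    } &redef;
}

# Last control-type function code seen per connection uid, so the object
# events raised after the header can be tied back to the request.
global pending: table[string] of count;

event dnp3_application_request_header(c: connection, is_orig: bool,
                                      application: count, fc: count)
    {
    if ( ! is_orig || fc !in control_fcs )
        {
        # A non-control request ends any earlier control context.
        delete pending[c$uid];
        return;
        }

    pending[c$uid] = fc;

    if ( c$id$orig_h in approved_masters )
        return;

    NOTICE([$note=Control_From_Unknown_Master,
            $msg=fmt("DNP3 %s from %s to %s", control_fcs[fc], c$id$orig_h, c$id$resp_h),
            $conn=c,
            $identifier=cat(c$id$orig_h, fc)]);
    }

# Group 12 variation 1 (CROB) objects follow SELECT/OPERATE/DIRECT_OPERATE
# headers; report what the block asked for when the request is unapproved.
event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
    {
    if ( ! is_orig || c$uid !in pending || c$id$orig_h in approved_masters )
        return;

    NOTICE([$note=Control_From_Unknown_Master,
            $msg=fmt("CROB control_code=0x%02x count=%d on=%d ms off=%d ms in %s from %s",
                     control_code, count8, on_time, off_time,
                     control_fcs[pending[c$uid]], c$id$orig_h),
            $conn=c,
            $identifier=cat(c$id$orig_h, "crob", control_code)]);
    }

event connection_state_remove(c: connection)
    {
    delete pending[c$uid];
    }
```

Over UDP, where several requests can share one flow, the pending entry is simply overwritten by each new header, which is the intended behaviour.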
dnp3_counter_32wFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , count_value: count ) |
---|
Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag
dnp3_counter_16wFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , count_value: count ) |
---|
Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag
dnp3_counter_32woFlag
¶Type: | event (c: connection , is_orig: bool , count_value: count ) |
---|
Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag
dnp3_counter_16woFlag
¶Type: | event (c: connection , is_orig: bool , count_value: count ) |
---|
Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag
dnp3_frozen_counter_32wFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , count_value: count ) |
---|
Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag
dnp3_frozen_counter_16wFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , count_value: count ) |
---|
Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag
dnp3_frozen_counter_32wFlagTime
¶Type: | event (c: connection , is_orig: bool , flag: count , count_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time
dnp3_frozen_counter_16wFlagTime
¶Type: | event (c: connection , is_orig: bool , flag: count , count_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time
dnp3_frozen_counter_32woFlag
¶Type: | event (c: connection , is_orig: bool , count_value: count ) |
---|
Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag
dnp3_frozen_counter_16woFlag
¶Type: | event (c: connection , is_orig: bool , count_value: count ) |
---|
Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag
dnp3_analog_input_32wFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag
dnp3_analog_input_16wFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag
dnp3_analog_input_32woFlag
¶Type: | event (c: connection , is_orig: bool , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag
dnp3_analog_input_16woFlag
¶Type: | event (c: connection , is_orig: bool , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag
dnp3_analog_input_SPwFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, float point with flag
dnp3_analog_input_DPwFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , value_low: count , value_high: count ) |
---|
Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, float point with flag
dnp3_frozen_analog_input_32wFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag
dnp3_frozen_analog_input_16wFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag
dnp3_frozen_analog_input_32wTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze
dnp3_frozen_analog_input_16wTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze
dnp3_frozen_analog_input_32woFlag
¶Type: | event (c: connection , is_orig: bool , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag
dnp3_frozen_analog_input_16woFlag
¶Type: | event (c: connection , is_orig: bool , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag
dnp3_frozen_analog_input_SPwFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, float point with flag
dnp3_frozen_analog_input_DPwFlag
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value_low: count , frozen_value_high: count ) |
---|
Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, float point with flag
dnp3_analog_input_event_32woTime
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time
dnp3_analog_input_event_16woTime
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time
dnp3_analog_input_event_32wTime
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count , time48: count ) |
---|
Generated for DNP3 objects with group number 32 and variation number 3 (analog input event, 32 bit, with time).
dnp3_analog_input_event_16wTime
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count , time48: count ) |
---|
Generated for DNP3 objects with group number 32 and variation number 4 (analog input event, 16 bit, with time).
dnp3_analog_input_event_SPwoTime
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count ) |
---|
Generated for DNP3 objects with group number 32 and variation number 5 (analog input event, single-precision floating point, without time).
dnp3_analog_input_event_DPwoTime
¶Type: | event (c: connection , is_orig: bool , flag: count , value_low: count , value_high: count ) |
---|
Generated for DNP3 objects with group number 32 and variation number 6 (analog input event, double-precision floating point, without time).
dnp3_analog_input_event_SPwTime
¶Type: | event (c: connection , is_orig: bool , flag: count , value: count , time48: count ) |
---|
Generated for DNP3 objects with group number 32 and variation number 7 (analog input event, single-precision floating point, with time).
dnp3_analog_input_event_DPwTime
¶Type: | event (c: connection , is_orig: bool , flag: count , value_low: count , value_high: count , time48: count ) |
---|
Generated for DNP3 objects with group number 32 and variation number 8 (analog input event, double-precision floating point, with time).
dnp3_frozen_analog_input_event_32woTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with group number 33 and variation number 1 (frozen analog input event, 32 bit, without time).
dnp3_frozen_analog_input_event_16woTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with group number 33 and variation number 2 (frozen analog input event, 16 bit, without time).
dnp3_frozen_analog_input_event_32wTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with group number 33 and variation number 3 (frozen analog input event, 32 bit, with time).
dnp3_frozen_analog_input_event_16wTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with group number 33 and variation number 4 (frozen analog input event, 16 bit, with time).
dnp3_frozen_analog_input_event_SPwoTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count ) |
---|
Generated for DNP3 objects with group number 33 and variation number 5 (frozen analog input event, single-precision floating point, without time).
dnp3_frozen_analog_input_event_DPwoTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value_low: count , frozen_value_high: count ) |
---|
Generated for DNP3 objects with group number 33 and variation number 6 (frozen analog input event, double-precision floating point, without time).
dnp3_frozen_analog_input_event_SPwTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value: count , time48: count ) |
---|
Generated for DNP3 objects with group number 33 and variation number 7 (frozen analog input event, single-precision floating point, with time).
dnp3_frozen_analog_input_event_DPwTime
¶Type: | event (c: connection , is_orig: bool , flag: count , frozen_value_low: count , frozen_value_high: count , time48: count ) |
---|
Generated for DNP3 objects with group number 33 and variation number 8 (frozen analog input event, double-precision floating point, with time).
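The group 32 events above differ only in value width and in whether a 48-bit timestamp is present; the flag byte is the same in all of them, and it is the flag byte that tells a monitor whether an outstation's reported value can be trusted. The following script is an added example, not part of the Bro distribution or its documentation: it routes the four integer variants of group 32 through one checker and raises a notice when the quality flags mark a value as offline, forced, out of range or received over a lost link. The bit positions are the standard DNP3 analog input quality flags; the notice name, module name and the choice of which flags count as suspicious are assumptions of this example. The single- and double-precision variants carry the raw float encoding in a count (split into low/high words for double precision) and are left out, since the script language has no way to reinterpret those bits as a float.

```bro
@load base/frameworks/notice

module DNP3Quality;

export {
    redef enum Notice::Type += {
        ## An analog input event whose quality flags mark the value as
        ## offline, forced, out of range, or reported over a lost link.
        Untrusted_Value,
    };

    ## Bits of the DNP3 analog input flag byte (IEEE 1815 quality flags).
    const ONLINE        = 0x01;
    const COMM_LOST     = 0x04;
    const REMOTE_FORCED = 0x08;
    const LOCAL_FORCED  = 0x10;
    const OVER_RANGE    = 0x20;
}

# DNP3 absolute time (time48) is milliseconds since the Unix epoch.
function dnp3_time(time48: count): time
    {
    return double_to_time(time48 / 1000.0);
    }

# One checker serves all four integer variants of group 32: only the value
# width and the presence of a timestamp differ, the flag byte is identical.
function check_quality(c: connection, is_orig: bool, variation: count,
                       flag: count, value: count, ts: time)
    {
    local reason = "";
    if ( (flag & ONLINE) == 0 )
        reason = "offline";
    else if ( (flag & COMM_LOST) != 0 )
        reason = "comm lost";
    else if ( (flag & (REMOTE_FORCED | LOCAL_FORCED)) != 0 )
        reason = "forced";
    else if ( (flag & OVER_RANGE) != 0 )
        reason = "over range";

    if ( reason == "" )
        return;

    # Events normally flow outstation -> master, i.e. from the responder;
    # is_orig tells us which side actually sent this one.
    local src = is_orig ? c$id$orig_h : c$id$resp_h;
    NOTICE([$note=Untrusted_Value, $conn=c,
            $msg=fmt("DNP3 g32v%d from %s: %s (value=%d flag=0x%x time=%s)",
                     variation, src, reason, value, flag,
                     strftime("%Y-%m-%d %H:%M:%S", ts)),
            $identifier=cat(src, variation, reason)]);
    }

event dnp3_analog_input_event_32woTime(c: connection, is_orig: bool, flag: count, value: count)
    {
    check_quality(c, is_orig, 1, flag, value, network_time());
    }

event dnp3_analog_input_event_16woTime(c: connection, is_orig: bool, flag: count, value: count)
    {
    check_quality(c, is_orig, 2, flag, value, network_time());
    }

event dnp3_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)
    {
    check_quality(c, is_orig, 3, flag, value, dnp3_time(time48));
    }

event dnp3_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)
    {
    check_quality(c, is_orig, 4, flag, value, dnp3_time(time48));
    }
```

The notice identifier includes the sending host, the variation and the reason, so the default notice suppression collapses a stream of identical flagged events from one outstation into a single alert; a forced value on a process input that is normally live is worth a look even when the DNP3 session itself is perfectly well formed.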
dnp3_file_transport
¶Type: | event (c: connection , is_orig: bool , file_handle: count , block_num: count , file_data: string ) |
---|
Generated for DNP3 objects with group number 70 (file transfer). Each event carries one block of the file being transferred, identified by the file handle and the block number.
dnp3_debug_byte
¶Type: | event (c: connection , is_orig: bool , debug: string ) |
---|
Debugging event generated by the DNP3 analyzer. The Debug_Byte binpac unit generates it for cases the parser does not recognize; the raw byte string lets a user determine what caused the malformed packet.
DNS analyzer
dns_message
¶Type: | event (c: connection , is_orig: bool , msg: dns_msg , len: count ) |
---|
Generated for all DNS messages.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Is_orig: | True if the message was sent by the originator of the connection. |
Msg: | The parsed DNS message header. |
Len: | The length of the message’s raw representation (i.e., the DNS payload). |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_request
¶Type: | event (c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ) |
---|
Generated for DNS requests. For requests with multiple queries, this event is raised once for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Query: | The queried name. |
Qtype: | The queried resource record type. |
Qclass: | The queried resource record class. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_rejected
¶Type: | event (c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ) |
---|
Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Query: | The queried name. |
Qtype: | The queried resource record type. |
Qclass: | The queried resource record class. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
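Because dns_rejected is raised per rejected reply without any correlation to the query, it is well suited to a simple per-client rate check: a host that receives a burst of rejected replies is either misconfigured or resolving names it should not know (for example a domain-generation algorithm or a scanner walking names). The script below is an added example, not part of the Bro distribution or its documentation. It counts rejected replies per client in a fixed window and raises a notice once, when the count crosses a threshold; the module name, notice name, threshold and window length are assumptions of this example.

```bro
@load base/frameworks/notice

module DNSRejects;

export {
    redef enum Notice::Type += {
        ## A client received an unusual number of rejected DNS replies.
        Reject_Burst,
    };

    ## Number of rejected replies per client, within one window, that
    ## raises the notice (assumed threshold; tune to your resolver traffic).
    const threshold = 50 &redef;

    ## Length of the counting window.
    const window = 5min &redef;
}

# Rejected replies per client address. Entries disappear `window` after
# they were created, which gives a simple fixed-window rate count.
global rejects: table[addr] of count &create_expire=window;

event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # The reply travels responder -> originator, so the client is orig_h.
    local client = c$id$orig_h;

    if ( client !in rejects )
        rejects[client] = 0;
    ++rejects[client];

    # Fire exactly once per window, when the count reaches the threshold.
    if ( rejects[client] != threshold )
        return;

    NOTICE([$note=Reject_Burst, $conn=c,
            $msg=fmt("%s received %d rejected DNS replies within %s (latest: %s, qtype %d, rcode %d)",
                     client, threshold, window, query, qtype, msg$rcode),
            $identifier=cat(client)]);
    }
```

Since the table key is the client address, a forwarding resolver in front of many hosts will be counted as one client; in that deployment the check should run on the traffic between the resolver's clients and the resolver rather than on its upstream queries.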
dns_query_reply
¶Type: | event (c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ) |
---|
Generated for each entry in the Question section of a DNS reply.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Query: | The queried name. |
Qtype: | The queried resource record type. |
Qclass: | The queried resource record class. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_A_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , a: addr ) |
---|
Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
A: | The address returned by the reply. |
See also: dns_AAAA_reply
, dns_A6_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_AAAA_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , a: addr ) |
---|
Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
A: | The address returned by the reply. |
See also: dns_A_reply
, dns_A6_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_A6_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , a: addr ) |
---|
Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
A: | The address returned by the reply. |
See also: dns_A_reply
, dns_AAAA_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_NS_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , name: string ) |
---|
Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Name: | The name returned by the reply. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_CNAME_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , name: string ) |
---|
Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Name: | The name returned by the reply. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_PTR_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , name: string ) |
---|
Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Name: | The name returned by the reply. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_SOA_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , soa: dns_soa ) |
---|
Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Soa: | The parsed SOA value. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_WKS_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer ) |
---|
Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_HINFO_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer ) |
---|
Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_MX_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , name: string , preference: count ) |
---|
Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Name: | The name returned by the reply. |
Preference: | The preference value for the name returned by the reply (lower is preferred). |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_TXT_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , strs: string_vec ) |
---|
Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Strs: | The textual information returned by the reply. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_CAA_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , flags: count , tag: string , value: string ) |
---|
Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Flags: | The flags byte of the CAA reply. |
Tag: | The property identifier of the CAA reply. |
Value: | The property value of the CAA reply. |
dns_SRV_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , target: string , priority: count , weight: count , p: count ) |
---|
Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Target: | Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot. |
Priority: | Priority of the SRV response – the priority of the target host, lower value means more preferred. |
Weight: | Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred. |
P: | Port of the SRV response – the TCP or UDP port on which the service is to be found. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_unknown_reply
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer ) |
---|
Generated for DNS reply resource records whose type is not one that Bro knows how to parse and raise a more specific event for.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_SRV_reply
, dns_end
dns_EDNS_addl
¶Type: | event (c: connection , msg: dns_msg , ans: dns_edns_additional ) |
---|
Generated for EDNS (OPT) records carried in the additional section of a DNS reply. For replies with multiple such records, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The parsed EDNS reply. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_TSIG_addl
¶Type: | event (c: connection , msg: dns_msg , ans: dns_tsig_additional ) |
---|
Generated for TSIG records carried in the additional section of a DNS reply. For replies with multiple such records, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The parsed TSIG reply. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
dns_RRSIG
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , rrsig: dns_rrsig_rr ) |
---|
Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Rrsig: | The parsed RRSIG record. |
dns_DNSKEY
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , dnskey: dns_dnskey_rr ) |
---|
Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Dnskey: | The parsed DNSKEY record. |
dns_NSEC
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , next_name: string , bitmaps: string_vec ) |
---|
Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Next_name: | The parsed next secure domain name. |
Bitmaps: | A vector of strings, in hex, one for each type bitmap present in the record. |
dns_NSEC3
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , nsec3: dns_nsec3_rr ) |
---|
Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Nsec3: | The parsed RDATA of the NSEC3 record. |
dns_DS
¶Type: | event (c: connection , msg: dns_msg , ans: dns_answer , ds: dns_ds_rr ) |
---|
Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
Ans: | The type-independent part of the parsed answer record. |
Ds: | The parsed RDATA of the DS record. |
dns_end
¶Type: | event (c: connection , msg: dns_msg ) |
---|
Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.
See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
C: | The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed. |
---|---|
Msg: | The parsed DNS message header. |
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_full_request
, dns_mapping_altered
, dns_mapping_lost_name
, dns_mapping_new_name
, dns_mapping_unverified
, dns_mapping_valid
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
, non_dns_request
, dns_max_queries
, dns_session_timeout
, dns_skip_addl
, dns_skip_all_addl
, dns_skip_all_auth
, dns_skip_auth
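The dns_request, dns_A_reply, dns_AAAA_reply and dns_end events above are raised independently; nothing in Bro ties an answer back to the question it belongs to, so a script that needs that link has to keep its own state. The following script is an added example, not part of the Bro distribution or its documentation. It records the queried names per connection keyed by the 16-bit transaction ID in dns_msg, checks each A/AAAA answer against a list of internal address ranges, reports a public name that resolves to an internal address (the pattern used in DNS rebinding attacks), and clears the state in dns_end, the last event raised for a reply. The module name, notice name, internal ranges and the "own zones" pattern are assumptions of this example.

```bro
@load base/frameworks/notice

module DNSRebind;

export {
    redef enum Notice::Type += {
        ## A name outside our own zones resolved to an internal address.
        Private_Answer,
    };

    ## Address space a public name should never resolve to (assumed here).
    const internal_nets: set[subnet] = {
        10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8,
        [::1]/128, [fc00::]/7,
    } &redef;

    ## Names that legitimately carry internal addresses (assumed zones).
    const own_zones: pattern = /(.*\.)?(corp\.example|localhost)/ &redef;
}

# Bro does not correlate dns_request with the dns_*_reply events of the same
# transaction, so keep the queried names per connection, keyed by message ID.
redef record connection += {
    dns_pending: table[count] of set[string] &optional;
};

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( ! c?$dns_pending )
        c$dns_pending = table();
    if ( msg$id !in c$dns_pending )
        c$dns_pending[msg$id] = set();
    add c$dns_pending[msg$id][to_lower(query)];
    }

function check_answer(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    if ( a !in internal_nets )
        return;

    local name = to_lower(ans$query);
    if ( own_zones == name )
        return;

    # Only act on answers to a query we saw on this connection. The owner
    # name of an A record may differ from the queried name when a CNAME
    # chain is involved, so match on the transaction ID alone.
    if ( ! c?$dns_pending || msg$id !in c$dns_pending )
        return;

    NOTICE([$note=Private_Answer, $conn=c,
            $msg=fmt("%s resolved to internal address %s (TTL %s) via %s; queried: %s",
                     name, a, ans$TTL, c$id$resp_h, c$dns_pending[msg$id]),
            $identifier=cat(name, a)]);
    }

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    check_answer(c, msg, ans, a);
    }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    check_answer(c, msg, ans, a);
    }

# dns_end is the last dns_* event for a message; once a reply is complete
# the state for its transaction ID is no longer needed.
event dns_end(c: connection, msg: dns_msg)
    {
    if ( msg$QR && c?$dns_pending && msg$id in c$dns_pending )
        delete c$dns_pending[msg$id];
    }
```

A short TTL on such an answer is the classic rebinding signature (the attacker wants the browser to re-resolve quickly), so ans$TTL is included in the message; the state lives on the connection record, which for UDP DNS means one table per query/reply pair, and dns_end keeps it from growing on long-lived TCP sessions.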
dns_full_request
¶Type: | event () |
---|
Deprecated. Will be removed.
Todo
Unclear what this event is for; it’s never raised. We should just remove it.
non_dns_request
¶Type: | event (c: connection , msg: string ) |
---|
Deprecated.
C: | The connection. |
---|---|
Msg: | The raw DNS payload. |
Note
This event is deprecated and superseded by Bro’s dynamic protocol detection framework.
Generic file analyzer
file_transferred
¶Type: | event (c: connection , prefix: string , descr: string , mime_type: string ) |
---|
Generated when a TCP connection associated with a file data transfer is seen (e.g., as happens with FTP or IRC).
C: | The connection over which file data is transferred. |
---|---|
Prefix: | Up to 1024 bytes of the file data. |
Descr: | Deprecated/unused argument. |
Mime_type: | MIME type of the file or “<unknown>” if no file magic signatures matched. |
Finger analyzer
finger_request
¶Type: | event (c: connection , full: bool , username: string , hostname: string ) |
---|
Generated for Finger requests.
See Wikipedia for more information about the Finger protocol.
C: | The connection. |
---|---|
Full: | True if verbose information is requested (/W switch). |
Username: | The request’s user name. |
Hostname: | The request’s host name. |
See also: finger_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
finger_reply
¶Type: | event (c: connection , reply_line: string ) |
---|
Generated for Finger replies.
See Wikipedia for more information about the Finger protocol.
C: | The connection. |
---|---|
Reply_line: | The reply as returned by the server. |
See also: finger_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
FTP analyzer
ftp_port
¶Type: |
---|
A parsed host/port combination describing the server endpoint for an upcoming data transfer.
See also: fmt_ftp_port
, parse_eftp_port
, parse_ftp_epsv
, parse_ftp_pasv
, parse_ftp_port
ftp_request
¶Type: | event (c: connection , command: string , arg: string ) |
---|
Generated for client-side FTP commands.
See Wikipedia for more information about the FTP protocol.
C: | The connection. |
---|---|
Command: | The FTP command issued by the client (without any arguments). |
Arg: | The arguments going with the command. |
See also: ftp_reply
, fmt_ftp_port
, parse_eftp_port
, parse_ftp_epsv
, parse_ftp_pasv
, parse_ftp_port
ftp_reply
¶Type: | event (c: connection , code: count , msg: string , cont_resp: bool ) |
---|
Generated for server-side FTP replies.
See Wikipedia for more information about the FTP protocol.
C: | The connection. |
---|---|
Code: | The numerical response code the server responded with. |
Msg: | The textual message of the response. |
Cont_resp: | True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further. |
See also: ftp_request
, fmt_ftp_port
, parse_eftp_port
, parse_ftp_epsv
, parse_ftp_pasv
, parse_ftp_port
parse_ftp_port
¶Type: | function (s: string ) : ftp_port |
---|
Converts a string representation of the FTP PORT command to an ftp_port.
S: | The string of the FTP PORT command, e.g., "10,0,0,1,4,31" . |
---|---|
Returns: | The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T] . |
See also: parse_eftp_port
, parse_ftp_pasv
, parse_ftp_epsv
, fmt_ftp_port
parse_eftp_port
¶Type: | function (s: string ) : ftp_port |
---|
Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).
S: | The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|" . |
---|---|
Returns: | The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T] . |
See also: parse_ftp_port
, parse_ftp_pasv
, parse_ftp_epsv
, fmt_ftp_port
parse_ftp_pasv
¶Type: | function (str: string ) : ftp_port |
---|
Converts the result of the FTP PASV command to an ftp_port.
Str: | The string containing the result of the FTP PASV command. |
---|---|
Returns: | The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T] . |
See also: parse_ftp_port
, parse_eftp_port
, parse_ftp_epsv
, fmt_ftp_port
parse_ftp_epsv
¶Type: | function (str: string ) : ftp_port |
---|
Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).
Str: | The string containing the result of the FTP EPSV command. |
---|---|
Returns: | The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T] . |
See also: parse_ftp_port
, parse_eftp_port
, parse_ftp_pasv
, fmt_ftp_port
fmt_ftp_port
¶Type: | function (a: addr , p: port ) : string |
---|
Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yields "10,0,0,1,4,31".
A: | The IP address. |
---|---|
P: | The TCP port. |
Returns: | The FTP PORT string. |
See also: parse_ftp_port
, parse_eftp_port
, parse_ftp_pasv
, parse_ftp_epsv
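The four parse_* functions and fmt_ftp_port above convert between the FTP endpoint encodings and an ftp_port record. The following Python is an added example, not Bro's own implementation and not part of the original page, that reproduces the same conversions (including the valid=F result on malformed input) so the formats can be exercised offline. Names are assumptions: FtpPort mirrors the ftp_port record; parse_ftp_epsv takes an extra server_host argument because a 229 reply carries no address (the data endpoint is the control connection's server); and is_bounce is a check added here, not a Bro function, that flags a PORT/EPRT naming a host other than the control-connection client, which is the FTP bounce pattern an ftp_request handler would look for.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FtpPort:
    """Same shape as Bro's ftp_port record: host, TCP port, and whether parsing succeeded."""
    h: Optional[str]
    p: int
    valid: bool


INVALID = FtpPort(None, 0, False)


def _port_ok(p: int) -> bool:
    return 0 < p <= 65535


def parse_ftp_port(s: str) -> FtpPort:
    """PORT argument "h1,h2,h3,h4,p1,p2": host h1.h2.h3.h4, port p1*256 + p2."""
    parts = s.strip().split(",")
    if len(parts) != 6 or not all(x.isdigit() for x in parts):
        return INVALID
    nums = [int(x) for x in parts]
    if max(nums) > 255:
        return INVALID
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return FtpPort(host, port, True) if _port_ok(port) else INVALID


def _addr_port(proto: str, host: str, port: str) -> FtpPort:
    """Shared EPRT check: <net-prt> 1 = IPv4, 2 = IPv6, and the address family must match."""
    if proto not in ("1", "2") or not port.isdigit():
        return INVALID
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return INVALID
    if (proto == "1") != (ip.version == 4) or not _port_ok(int(port)):
        return INVALID
    return FtpPort(str(ip), int(port), True)


def parse_eftp_port(s: str) -> FtpPort:
    """EPRT argument "<d><net-prt><d><net-addr><d><tcp-port><d>"; <d> is ASCII 33-126 (usually |).
    A leading "EPRT " is tolerated so a whole command line can be passed in."""
    s = s.strip()
    if s[:5].upper() == "EPRT ":
        s = s[5:].lstrip()
    if not s or not 33 <= ord(s[0]) <= 126:
        return INVALID
    fields = s.split(s[0])  # "|1|10.0.0.1|1055|" -> ['', '1', '10.0.0.1', '1055', '']
    if len(fields) != 5 or fields[0] or fields[4]:
        return INVALID
    return _addr_port(fields[1], fields[2], fields[3])


_PASV_RE = re.compile(r"(\d{1,3}(?:,\d{1,3}){5})")


def parse_ftp_pasv(s: str) -> FtpPort:
    """227 reply, e.g. "227 Entering Passive Mode (10,0,0,1,4,31)."; parentheses are optional."""
    m = _PASV_RE.search(s)
    return parse_ftp_port(m.group(1)) if m else INVALID


_EPSV_RE = re.compile(r"\((.)\1\1(\d+)\1\)")


def parse_ftp_epsv(s: str, server_host: Optional[str] = None) -> FtpPort:
    """229 reply "<text> (<d><d><d><tcp-port><d>)". The reply carries no address: the data
    endpoint is the control connection's server, passed in as server_host (assumed parameter)."""
    m = _EPSV_RE.search(s)
    if not m or not 33 <= ord(m.group(1)) <= 126 or not _port_ok(int(m.group(2))):
        return INVALID
    return FtpPort(server_host, int(m.group(2)), True)


def fmt_ftp_port(a: str, p: int) -> str:
    """Inverse of parse_ftp_port: 10.0.0.1, 1055 -> "10,0,0,1,4,31". IPv4 only (EPRT carries IPv6)."""
    ip = ipaddress.ip_address(a)
    if ip.version != 4:
        raise ValueError("PORT cannot carry an IPv6 address; use EPRT")
    if not _port_ok(p):
        raise ValueError("port out of range")
    return ",".join(str(o) for o in ip.packed) + f",{p >> 8},{p & 0xFF}"


def is_bounce(ep: FtpPort, client_addr: str) -> bool:
    """FTP bounce check (added here, not a Bro function): a PORT/EPRT naming a host other than
    the control-connection client asks the server to open a data connection to a third party."""
    return ep.valid and ep.h is not None and ipaddress.ip_address(ep.h) != ipaddress.ip_address(client_addr)
```

In a Bro script the equivalent check would compare the parsed endpoint's h against c$id$orig_h inside an ftp_request handler for the PORT and EPRT commands; PASV and EPSV replies are parsed from the ftp_reply side, where the server, not the client, chooses the endpoint.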
Gnutella analyzer
gnutella_text_msg
¶Type: | event (c: connection , orig: bool , headers: string ) |
---|
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg
, gnutella_establish
, gnutella_http_notify
, gnutella_not_establish
, gnutella_partial_binary_msg
, gnutella_signature_found
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_binary_msg
¶Type: | event (c: connection , orig: bool , msg_type: count , ttl: count , hops: count , msg_len: count , payload: string , payload_len: count , trunc: bool , complete: bool ) |
---|
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_establish
, gnutella_http_notify
, gnutella_not_establish
, gnutella_partial_binary_msg
, gnutella_signature_found
, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_partial_binary_msg
¶Type: | event (c: connection , orig: bool , msg: string , len: count ) |
---|
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg
, gnutella_establish
, gnutella_http_notify
, gnutella_not_establish
, gnutella_signature_found
, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_establish
¶Type: | event (c: connection ) |
---|
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg
, gnutella_http_notify
, gnutella_not_establish
, gnutella_partial_binary_msg
, gnutella_signature_found
, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_not_establish
¶Type: | event (c: connection ) |
---|
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg
, gnutella_establish
, gnutella_http_notify
, gnutella_partial_binary_msg
, gnutella_signature_found
, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
gnutella_http_notify
¶Type: | event (c: connection ) |
---|
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also: gnutella_binary_msg
, gnutella_establish
, gnutella_not_establish
, gnutella_partial_binary_msg
, gnutella_signature_found
, gnutella_text_msg
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
GSSAPI analyzer
gssapi_neg_result
¶Type: | event (c: connection , state: count ) |
---|
Generated for GSSAPI negotiation results.
C: | The connection. |
---|---|
State: | The resulting state of the negotiation. |
GTPv1 analyzer
gtpv1_message
¶Type: | event (c: connection , hdr: gtpv1_hdr ) |
---|
Generated for any GTP message with a GTPv1 header.
C: | The connection over which the message is sent. |
---|---|
Hdr: | The GTPv1 header. |
gtpv1_g_pdu_packet
¶Type: | event (outer: connection , inner_gtp: gtpv1_hdr , inner_ip: pkt_hdr ) |
---|
Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.
Outer: | The GTP outer tunnel connection. |
---|---|
Inner_gtp: | The GTP header. |
Inner_ip: | The inner IP and transport layer packet headers. |
Note
Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
gtpv1_create_pdp_ctx_request
¶Type: | event (c: connection , hdr: gtpv1_hdr , elements: gtp_create_pdp_ctx_request_elements ) |
---|
Generated for GTPv1-C Create PDP Context Request messages.
C: | The connection over which the message is sent. |
---|---|
Hdr: | The GTPv1 header. |
Elements: | The set of Information Elements comprising the message. |
gtpv1_create_pdp_ctx_response
¶Type: | event (c: connection , hdr: gtpv1_hdr , elements: gtp_create_pdp_ctx_response_elements ) |
---|
Generated for GTPv1-C Create PDP Context Response messages.
C: | The connection over which the message is sent. |
---|---|
Hdr: | The GTPv1 header. |
Elements: | The set of Information Elements comprising the message. |
gtpv1_update_pdp_ctx_request
¶Type: | event (c: connection , hdr: gtpv1_hdr , elements: gtp_update_pdp_ctx_request_elements ) |
---|
Generated for GTPv1-C Update PDP Context Request messages.
C: | The connection over which the message is sent. |
---|---|
Hdr: | The GTPv1 header. |
Elements: | The set of Information Elements comprising the message. |
gtpv1_update_pdp_ctx_response
¶Type: | event (c: connection , hdr: gtpv1_hdr , elements: gtp_update_pdp_ctx_response_elements ) |
---|
Generated for GTPv1-C Update PDP Context Response messages.
C: | The connection over which the message is sent. |
---|---|
Hdr: | The GTPv1 header. |
Elements: | The set of Information Elements comprising the message. |
gtpv1_delete_pdp_ctx_request
¶Type: | event (c: connection , hdr: gtpv1_hdr , elements: gtp_delete_pdp_ctx_request_elements ) |
---|
Generated for GTPv1-C Delete PDP Context Request messages.
C: | The connection over which the message is sent. |
---|---|
Hdr: | The GTPv1 header. |
Elements: | The set of Information Elements comprising the message. |
gtpv1_delete_pdp_ctx_response
¶Type: | event (c: connection , hdr: gtpv1_hdr , elements: gtp_delete_pdp_ctx_response_elements ) |
---|
Generated for GTPv1-C Delete PDP Context Response messages.
C: | The connection over which the message is sent. |
---|---|
Hdr: | The GTPv1 header. |
Elements: | The set of Information Elements comprising the message. |
HTTP analyzer
http_request
¶Type: | event (c: connection , method: string , original_URI: string , unescaped_URI: string , version: string ) |
---|
Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Method: | The HTTP method extracted from the request (e.g., GET , POST ). |
Original_URI: | The unprocessed URI as specified in the request. |
Unescaped_URI: | The URI with all percent-encodings decoded. |
Version: | The version number specified in the request (e.g., 1.1 ). |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_end_entity
, http_entity_data
, http_event
, http_header
, http_message_done
, http_reply
, http_stats
, truncate_http_URI
, http_connection_upgrade
http_reply
¶Type: | event (c: connection , version: string , code: count , reason: string ) |
---|
Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Version: | The version number specified in the reply (e.g., 1.1 ). |
Code: | The numerical response code returned by the server. |
Reason: | The textual description returned by the server along with code. |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_end_entity
, http_entity_data
, http_event
, http_header
, http_message_done
, http_request
, http_stats
, http_connection_upgrade
http_header
¶Type: | event (c: connection , is_orig: bool , name: string , value: string ) |
---|
Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the header was sent by the originator of the TCP connection. |
Name: | The name of the header. |
Value: | The value of the header. |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_end_entity
, http_entity_data
, http_event
, http_message_done
, http_reply
, http_request
, http_stats
, http_connection_upgrade
Note
This event is also raised for headers found in nested body entities.
http_all_headers
¶Type: | event (c: connection , is_orig: bool , hlist: mime_header_list ) |
---|
Generated for HTTP headers, passing on all headers of an HTTP message at once. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the header was sent by the originator of the TCP connection. |
Hlist: | A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.). |
See also: http_begin_entity
, http_content_type
, http_end_entity
, http_entity_data
, http_event
, http_header
, http_message_done
, http_reply
, http_request
, http_stats
, http_connection_upgrade
Note
This event is also raised for headers found in nested body entities.
http_begin_entity
¶Type: | event (c: connection , is_orig: bool ) |
---|
Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Bro raises this event just before it starts parsing each entity’s content.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the entity was sent by the originator of the TCP connection. |
See also: http_all_headers
, http_content_type
, http_end_entity
, http_entity_data
, http_event
, http_header
, http_message_done
, http_reply
, http_request
, http_stats
, mime_begin_entity
, http_connection_upgrade
http_end_entity
¶Type: | event (c: connection , is_orig: bool ) |
---|
Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Bro raises this event at the point when it has finished parsing an entity’s content.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the entity was sent by the originator of the TCP connection. |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_entity_data
, http_event
, http_header
, http_message_done
, http_reply
, http_request
, http_stats
, mime_end_entity
, http_connection_upgrade
http_entity_data
¶Type: | event (c: connection , is_orig: bool , length: count , data: string ) |
---|
Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data of not further defined size.
A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string, and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for large HTTP transfers. At the very least, one should impose an upper size limit on how much data is being buffered.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the entity was sent by the originator of the TCP connection. |
Length: | The length of data. |
Data: | One chunk of raw entity data. |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_end_entity
, http_event
, http_header
, http_message_done
, http_reply
, http_request
, http_stats
, mime_entity_data
, http_entity_data_delivery_size
, skip_http_data
, http_connection_upgrade
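The buffer-until-http_end_entity idiom just described, together with the size cap it recommends, as an added Python model that is not Bro script and not part of the original page. EntityReassembler receives the same begin/data/end sequence a script would see from http_begin_entity, http_entity_data and http_end_entity (replayed here from a constructed event list keyed by an arbitrary connection uid), keeps a stack per connection and direction so nested MIME entities pair up correctly, and stops buffering once max_bytes is reached while still counting how many bytes were delivered. The class, function and field names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entity:
    """State for one body entity between http_begin_entity and http_end_entity."""
    data: bytearray = field(default_factory=bytearray)
    seen: int = 0            # bytes delivered by http_entity_data, buffered or not
    truncated: bool = False  # True once the cap was hit; later chunks are dropped


# Completed entity: (uid, is_orig, buffered bytes, truncated?, total bytes seen)
Completed = Tuple[str, bool, bytes, bool, int]


class EntityReassembler:
    """Buffer-until-end idiom with a hard per-entity cap so a large transfer cannot exhaust memory.
    Nested MIME entities use a stack per (connection, direction): begin pushes, data goes to the
    innermost open entity, end pops."""

    def __init__(self, max_bytes: int) -> None:
        self.max_bytes = max_bytes
        self._open: Dict[Tuple[str, bool], List[Entity]] = defaultdict(list)
        self.completed: List[Completed] = []

    def begin_entity(self, uid: str, is_orig: bool) -> None:
        self._open[(uid, is_orig)].append(Entity())

    def entity_data(self, uid: str, is_orig: bool, data: bytes) -> None:
        stack = self._open.get((uid, is_orig))
        if not stack:
            return                      # no open entity: nothing to attach the chunk to
        ent = stack[-1]
        ent.seen += len(data)
        if ent.truncated:
            return                      # cap already hit, do not grow further
        room = self.max_bytes - len(ent.data)
        if len(data) > room:
            ent.data += data[:room]
            ent.truncated = True
        else:
            ent.data += data

    def end_entity(self, uid: str, is_orig: bool) -> Optional[Completed]:
        stack = self._open.get((uid, is_orig))
        if not stack:
            return None
        ent = stack.pop()
        done = (uid, is_orig, bytes(ent.data), ent.truncated, ent.seen)
        self.completed.append(done)
        return done


# Constructed event trace (not captured traffic): a 6-byte client POST body and, on the same
# connection, a server reply body delivered as three 4 KiB chunks. The uid is arbitrary.
Event = Tuple  # ("begin" | "data" | "end", uid, is_orig[, chunk])
SAMPLE_EVENTS: List[Event] = [
    ("begin", "CHhAvVGS1DHFjwGM9", True),
    ("data",  "CHhAvVGS1DHFjwGM9", True, b"a=1&b="),
    ("begin", "CHhAvVGS1DHFjwGM9", False),
    ("data",  "CHhAvVGS1DHFjwGM9", False, b"A" * 4096),
    ("end",   "CHhAvVGS1DHFjwGM9", True),
    ("data",  "CHhAvVGS1DHFjwGM9", False, b"B" * 4096),
    ("data",  "CHhAvVGS1DHFjwGM9", False, b"C" * 4096),
    ("end",   "CHhAvVGS1DHFjwGM9", False),
]


def replay(events: List[Event], max_bytes: int = 10 * 1024) -> List[Completed]:
    """Feed a trace of begin/data/end events through the reassembler and return the results."""
    r = EntityReassembler(max_bytes)
    for ev in events:
        kind, uid, is_orig = ev[0], ev[1], ev[2]
        if kind == "begin":
            r.begin_entity(uid, is_orig)
        elif kind == "data":
            r.entity_data(uid, is_orig, ev[3])
        elif kind == "end":
            r.end_entity(uid, is_orig)
    return r.completed
```

With the default 10 KiB cap the server body in the sample comes back truncated at 10240 bytes while seen still reports the full 12288, which is the signal a handler needs to avoid drawing conclusions from a partial entity; a Bro script would keep the same per-entity state in a table indexed by c$uid and is_orig.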
http_content_type
¶Type: | event (c: connection , is_orig: bool , ty: string , subty: string ) |
---|
Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the entity was sent by the originator of the TCP connection. |
Ty: | The main type. |
Subty: | The subtype. |
See also: http_all_headers
, http_begin_entity
, http_end_entity
, http_entity_data
, http_event
, http_header
, http_message_done
, http_reply
, http_request
, http_stats
, http_connection_upgrade
Note
This event is also raised for headers found in nested body entities.
http_message_done
¶Type: | event (c: connection , is_orig: bool , stat: http_message_stat ) |
---|
Generated once at the end of parsing an HTTP message. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Is_orig: | True if the entity was sent by the originator of the TCP connection. |
Stat: | Further meta information about the message. |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_end_entity
, http_entity_data
, http_event
, http_header
, http_reply
, http_request
, http_stats
, http_connection_upgrade
http_event
¶Type: | event (c: connection , event_type: string , detail: string ) |
---|
Generated for errors found when decoding HTTP requests or replies.
See Wikipedia for more information about the HTTP protocol.
C: | The connection. |
---|---|
Event_type: | A string describing the general category of the problem found (e.g., illegal format ). |
Detail: | Further more detailed description of the error. |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_end_entity
, http_entity_data
, http_header
, http_message_done
, http_reply
, http_request
, http_stats
, mime_event
, http_connection_upgrade
http_stats
¶Type: | event (c: connection , stats: http_stats_rec ) |
---|
Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.
C: | The connection. |
---|---|
Stats: | Statistics summarizing HTTP-level properties of the finished connection. |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_end_entity
, http_entity_data
, http_event
, http_header
, http_message_done
, http_reply
, http_request
, http_connection_upgrade
http_connection_upgrade
¶Type: | event (c: connection , protocol: string ) |
---|
Generated when an HTTP session is upgraded to a different protocol (e.g., WebSocket). This event is raised when the server replies with an HTTP 101 reply. No more HTTP events will be raised for the connection after this event.
C: | The connection. |
---|---|
Protocol: | The protocol to which the connection is switching. |
See also: http_all_headers
, http_begin_entity
, http_content_type
, http_end_entity
, http_entity_data
, http_event
, http_header
, http_message_done
, http_reply
, http_request
skip_http_entity_data
¶Type: | function (c: connection , is_orig: bool ) : any |
---|
Skips the data of the HTTP entity.
C: | The HTTP connection. |
---|---|
Is_orig: | If true, the client data is skipped, and the server data otherwise. |
See also: skip_smtp_data
unescape_URI
¶Type: | function (URI: string ) : string |
---|
Unescapes all characters in a URI (decodes every %xx group).
URI: | The URI to unescape. |
---|---|
Returns: | The unescaped URI with all %xx groups decoded. |
Note
Unescaping reserved characters may cause loss of information. RFC 2396: A URI is always in an “escaped” form, since escaping or unescaping a completed URI might change its semantics. Normally, the only time escape encodings can safely be made is when the URI is being created from its component parts.
ICMP analyzer
icmp_sent
¶Type: | event (c: connection , icmp: icmp_conn ) |
---|
Generated for all ICMP messages that are not handled separately with dedicated ICMP events. Bro’s ICMP analyzer handles a number of ICMP messages directly with dedicated events. This event acts as a fallback for those it doesn’t.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
See also: icmp_error_message
, icmp_sent_payload
icmp_sent_payload
¶Type: | event (c: connection , icmp: icmp_conn , payload: string ) |
---|
The same as icmp_sent
except containing the ICMP payload.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Payload: | The payload of the ICMP message. |
See also: icmp_error_message
, icmp_sent
icmp_echo_request
¶Type: | event (c: connection , icmp: icmp_conn , id: count , seq: count , payload: string ) |
---|
Generated for ICMP echo request messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Id: | The echo request identifier. |
Seq: | The echo request sequence number. |
Payload: | The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header. |
See also: icmp_echo_reply
icmp_echo_reply
¶Type: | event (c: connection , icmp: icmp_conn , id: count , seq: count , payload: string ) |
---|
Generated for ICMP echo reply messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Id: | The echo reply identifier. |
Seq: | The echo reply sequence number. |
Payload: | The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header. |
See also: icmp_echo_request
icmp_error_message
¶Type: | event (c: connection , icmp: icmp_conn , code: count , context: icmp_context ) |
---|
Generated for all ICMPv6 error messages that are not handled separately with dedicated events. Bro’s ICMP analyzer handles a number of ICMP error messages directly with dedicated events. This event acts as a fallback for those it doesn’t.
See Wikipedia for more information about the ICMPv6 protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Code: | The ICMP code of the error message. |
Context: | A record with specifics of the original packet that the message refers to. |
See also: icmp_unreachable
, icmp_packet_too_big
, icmp_time_exceeded
, icmp_parameter_problem
icmp_unreachable
¶Type: | event (c: connection , icmp: icmp_conn , code: count , context: icmp_context ) |
---|
Generated for ICMP destination unreachable messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Code: | The ICMP code of the unreachable message. |
Context: | A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the unreachable includes only a partial IP header for some reason, no fields of context will be filled out. |
See also: icmp_error_message
, icmp_packet_too_big
, icmp_time_exceeded
, icmp_parameter_problem
icmp_packet_too_big
¶Type: | event (c: connection , icmp: icmp_conn , code: count , context: icmp_context ) |
---|
Generated for ICMPv6 packet too big messages.
See Wikipedia for more information about the ICMPv6 protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Code: | The ICMP code of the too big message. |
Context: | A record with specifics of the original packet that the message refers to. Too big messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the too big includes only a partial IP header for some reason, no fields of context will be filled out. |
See also: icmp_error_message
, icmp_unreachable
, icmp_time_exceeded
, icmp_parameter_problem
icmp_time_exceeded
¶Type: | event (c: connection , icmp: icmp_conn , code: count , context: icmp_context ) |
---|
Generated for ICMP time exceeded messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Code: | The ICMP code of the exceeded message. |
Context: | A record with specifics of the original packet that the message refers to. Time exceeded messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the time exceeded message includes only a partial IP header for some reason, no fields of context will be filled out. |
See also: icmp_error_message
, icmp_unreachable
, icmp_packet_too_big
, icmp_parameter_problem
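As an added example that is not part of Bro or of this page, the following Python parses raw ICMPv4 messages into the same pieces the events above expose: for echo request/reply the id, seq and the payload after the 8-byte header (icmp_echo_request, icmp_echo_reply), and for destination unreachable and time exceeded a context record built from the quoted IPv4 header that stays entirely unset when the quote is shorter than a full header, matching the caveat in the icmp_unreachable and icmp_time_exceeded descriptions. Sample packets are constructed inline with a correct checksum; IcmpContext, IcmpMessage, the builder helpers and the checksum_ok field are assumed names added here, not Bro's record types.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY, ICMP_UNREACH, ICMP_ECHO_REQ, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class IcmpContext:
    """Facts about the packet an error message quotes (subset of what Bro's icmp_context holds).
    Every field stays None when the quoted IPv4 header is incomplete (bad_hdr_len)."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    bad_hdr_len: bool = False


@dataclass
class IcmpMessage:
    type: int
    code: int
    checksum_ok: bool                     # added here: RFC 792 checksum verified
    id: Optional[int] = None              # echo request/reply only
    seq: Optional[int] = None             # echo request/reply only
    payload: bytes = b""                  # everything after the 8-byte ICMP header
    context: Optional[IcmpContext] = None # error messages only


def icmp_checksum(data: bytes) -> int:
    """One's-complement checksum; evaluates to 0 over a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_context(quoted: bytes) -> IcmpContext:
    """Parse the quoted IPv4 header (+ first 8 bytes of transport) that error messages carry."""
    ctx = IcmpContext()
    if len(quoted) < 20:
        ctx.bad_hdr_len = True
        return ctx
    ihl = (quoted[0] & 0x0F) * 4
    if (quoted[0] >> 4) != 4 or ihl < 20 or len(quoted) < ihl:
        ctx.bad_hdr_len = True            # truncated or not IPv4: leave every field unset
        return ctx
    ctx.proto = quoted[9]
    ctx.src = ".".join(str(b) for b in quoted[12:16])
    ctx.dst = ".".join(str(b) for b in quoted[16:20])
    transport = quoted[ihl:ihl + 8]       # RFC 792: at least 8 bytes of the original datagram follow
    if ctx.proto in (IPPROTO_TCP, IPPROTO_UDP) and len(transport) >= 4:
        ctx.src_port, ctx.dst_port = struct.unpack("!HH", transport[:4])
    return ctx


def parse_icmp(pkt: bytes) -> IcmpMessage:
    """Dispatch on ICMP type the way the events do: echo -> id/seq/payload, error -> context."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code = pkt[0], pkt[1]
    msg = IcmpMessage(typ, code, icmp_checksum(pkt) == 0)
    body = pkt[8:]
    if typ in (ICMP_ECHO_REQ, ICMP_ECHO_REPLY):
        msg.id, msg.seq = struct.unpack("!HH", pkt[4:8])
        msg.payload = body
    elif typ in (ICMP_UNREACH, ICMP_TIME_EXCEEDED):
        msg.context = parse_icmp_context(body)
    else:
        msg.payload = body                # what icmp_sent_payload would deliver for other types
    return msg


# --- constructed sample packets (not captured traffic) ---
def build_icmp(typ: int, code: int, rest_hdr: bytes, body: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum."""
    csum = icmp_checksum(struct.pack("!BBH", typ, code, 0) + rest_hdr + body)
    return struct.pack("!BBH", typ, code, csum) + rest_hdr + body


def build_ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), as quoted by ICMP error messages."""
    pack_addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                       pack_addr(src), pack_addr(dst))


UDP_TO_DNS = build_ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_UDP) + struct.pack("!HHHH", 40000, 53, 8, 0)
SAMPLE_ECHO = build_icmp(ICMP_ECHO_REQ, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
SAMPLE_UNREACH = build_icmp(ICMP_UNREACH, 3, b"\x00" * 4, UDP_TO_DNS)                  # port unreachable
SAMPLE_TRUNCATED = build_icmp(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4, UDP_TO_DNS[:12])    # 12 of 20 header bytes
```

parse_icmp(SAMPLE_TRUNCATED) returns a context with bad_hdr_len set and no addresses or ports, which is the situation a handler for icmp_time_exceeded or icmp_unreachable must expect before reading context fields; checking the checksum first also discards the forged error messages that a blind connection-reset or path-MTU attack would inject.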
icmp_parameter_problem
¶Type: | event (c: connection , icmp: icmp_conn , code: count , context: icmp_context ) |
---|
Generated for ICMPv6 parameter problem messages.
See Wikipedia for more information about the ICMPv6 protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Code: | The ICMP code of the parameter problem message. |
Context: | A record with specifics of the original packet that the message refers to. Parameter problem messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the parameter problem includes only a partial IP header for some reason, no fields of context will be filled out. |
See also: icmp_error_message
, icmp_unreachable
, icmp_packet_too_big
, icmp_time_exceeded
icmp_router_solicitation
¶Type: | event (c: connection , icmp: icmp_conn , options: icmp6_nd_options ) |
---|
Generated for ICMP router solicitation messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Options: | Any Neighbor Discovery options included with message (RFC 4861). |
See also: icmp_router_advertisement
, icmp_neighbor_solicitation
, icmp_neighbor_advertisement
, icmp_redirect
icmp_router_advertisement
¶Type: | event (c: connection , icmp: icmp_conn , cur_hop_limit: count , managed: bool , other: bool , home_agent: bool , pref: count , proxy: bool , rsv: count , router_lifetime: interval , reachable_time: interval , retrans_timer: interval , options: icmp6_nd_options ) |
---|
Generated for ICMP router advertisement messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Cur_hop_limit: | The default value that should be placed in Hop Count field for outgoing IP packets. |
Managed: | Managed address configuration flag, RFC 4861. |
Other: | Other stateful configuration flag, RFC 4861. |
Home_agent: | Mobile IPv6 home agent flag, RFC 3775. |
Pref: | Router selection preferences, RFC 4191. |
Proxy: | Neighbor discovery proxy flag, RFC 4389. |
Rsv: | Remaining two reserved bits of router advertisement flags. |
Router_lifetime: | How long this router should be used as a default router. |
Reachable_time: | How long a neighbor should be considered reachable. |
Retrans_timer: | How long a host should wait before retransmitting. |
Options: | Any Neighbor Discovery options included with message (RFC 4861). |
See also: icmp_router_solicitation
, icmp_neighbor_solicitation
, icmp_neighbor_advertisement
, icmp_redirect
icmp_neighbor_solicitation
¶Type: | event (c: connection , icmp: icmp_conn , tgt: addr , options: icmp6_nd_options ) |
---|
Generated for ICMP neighbor solicitation messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Tgt: | The IP address of the target of the solicitation. |
Options: | Any Neighbor Discovery options included with message (RFC 4861). |
See also: icmp_router_solicitation
, icmp_router_advertisement
, icmp_neighbor_advertisement
, icmp_redirect
icmp_neighbor_advertisement
¶Type: | event (c: connection , icmp: icmp_conn , router: bool , solicited: bool , override: bool , tgt: addr , options: icmp6_nd_options ) |
---|
Generated for ICMP neighbor advertisement messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Router: | Flag indicating the sender is a router. |
Solicited: | Flag indicating advertisement is in response to a solicitation. |
Override: | Flag indicating advertisement should override existing caches. |
Tgt: | The Target Address from the soliciting message or, for unsolicited advertisements, the address whose link-layer address has changed. |
Options: | Any Neighbor Discovery options included with message (RFC 4861). |
See also: icmp_router_solicitation
, icmp_router_advertisement
, icmp_neighbor_solicitation
, icmp_redirect
icmp_redirect
¶Type: | event (c: connection , icmp: icmp_conn , tgt: addr , dest: addr , options: icmp6_nd_options ) |
---|
Generated for ICMP redirect messages.
See Wikipedia for more information about the ICMP protocol.
C: | The connection record for the corresponding ICMP flow. |
---|---|
Icmp: | Additional ICMP-specific information augmenting the standard connection record c. |
Tgt: | The address that is supposed to be a better first hop to use for the ICMP Destination Address. |
Dest: | The address of the destination which is redirected to the target. |
Options: | Any Neighbor Discovery options included with message (RFC 4861). |
See also: icmp_router_solicitation
, icmp_router_advertisement
, icmp_neighbor_solicitation
, icmp_neighbor_advertisement
Ident analyzer
ident_request
Type: event (c: connection, lport: port, rport: port)
Generated for Ident requests.
See Wikipedia for more information about the Ident protocol.
c: The connection.
lport: The request’s local port.
rport: The request’s remote port.
See also: ident_error, ident_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
ident_reply
Type: event (c: connection, lport: port, rport: port, user_id: string, system: string)
Generated for Ident replies.
See Wikipedia for more information about the Ident protocol.
c: The connection.
lport: The corresponding request’s local port.
rport: The corresponding request’s remote port.
user_id: The user id returned by the reply.
system: The operating system returned by the reply.
See also: ident_error, ident_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
ident_error
Type: event (c: connection, lport: port, rport: port, line: string)
Generated for Ident error replies.
See Wikipedia for more information about the Ident protocol.
c: The connection.
lport: The corresponding request’s local port.
rport: The corresponding request’s remote port.
line: The error description returned by the reply.
See also: ident_reply, ident_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
IMAP analyzer (StartTLS only)
imap_capabilities
Type: event (c: connection, capabilities: string_vec)
Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.
c: The connection.
capabilities: The list of IMAP capabilities as sent by the server.
imap_starttls
Type: event (c: connection)
Generated when an IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.
c: The connection.
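The two IMAP events above are enough to answer a question a defender usually cares about: did a server that advertised STARTTLS actually get a session upgraded, or did the mailbox traffic stay in the clear? The script below is an added example and not part of Bro or its distribution; the module name, the two fields added to the connection record, and the notice type are this example's own choices. Note that, as the documentation states, imap_capabilities only fires after the client has sent CAPABILITY, so a client that never asks yields no capability baseline and no notice.

```bro
# Added example (not part of Bro): flag IMAP sessions that were offered
# STARTTLS but never switched to TLS before the connection ended.
module IMAPPlaintext;

export {
    redef enum Notice::Type += {
        ## The server advertised STARTTLS but the session was never upgraded.
        STARTTLS_Not_Used,
    };
}

# Per-connection state for this example. These fields are added here and are
# not part of Bro's own connection record.
redef record connection += {
    imap_offered_starttls: bool &default=F;
    imap_upgraded:         bool &default=F;
};

# Remember whether STARTTLS was among the advertised capabilities.
event imap_capabilities(c: connection, capabilities: string_vec)
    {
    for ( i in capabilities )
        {
        if ( to_upper(capabilities[i]) == "STARTTLS" )
            c$imap_offered_starttls = T;
        }
    }

# The analyzer raises this only after a successful StartTLS exchange.
event imap_starttls(c: connection)
    {
    c$imap_upgraded = T;
    }

# At teardown, compare what was offered with what happened.
event connection_state_remove(c: connection)
    {
    if ( c$imap_offered_starttls && ! c$imap_upgraded )
        NOTICE([$note=STARTTLS_Not_Used, $conn=c,
                $msg=fmt("IMAP server %s offered STARTTLS but the session stayed in the clear",
                         c$id$resp_h),
                # Suppress repeats per server so one noisy client does not flood notice.log.
                $identifier=cat(c$id$resp_h)]);
    }
```

Load it as any other script (for example `bro -r capture.pcap imap_plaintext.bro`); the notice shows up in notice.log once per responding server thanks to the suppression identifier.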
InterConn analyzer deprecated
interconn_stats
Type: event (c: connection, os: interconn_endp_stats, rs: interconn_endp_stats)
Deprecated. Will be removed.
interconn_remove_conn
Type: event (c: connection)
Deprecated. Will be removed.
IRC analyzer
irc_request
Type: event (c: connection, is_orig: bool, prefix: string, command: string, arguments: string)
Generated for all client-side IRC commands.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: Always true.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
command: The command.
arguments: The arguments for the command.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
Note
This event is generated only for messages that originate at the client side. Commands coming in from the remote side trigger the irc_message event instead.
irc_reply
Type: event (c: connection, is_orig: bool, prefix: string, code: count, params: string)
Generated for all IRC replies. IRC replies are sent in response to a request and come with a reply code.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message.
code: The reply code, as specified by the protocol.
params: The reply’s parameters.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_message
Type: event (c: connection, is_orig: bool, prefix: string, command: string, message: string)
Generated for IRC commands forwarded from the server to the client.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: Always false.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
command: The command.
message: TODO.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
Note
This event is generated only for messages that are forwarded by the server to the client. Commands coming from the client trigger the irc_request event instead.
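The notes on irc_request and irc_message describe the same kind of IRC command arriving as two different events depending on direction. The following Bro script, added here as an example and not part of the Bro distribution, funnels both into a single log with the direction made explicit, and keeps the arguments of credential-bearing commands (PASS, OPER) out of the log so that passwords are not written to disk. The module name, log path, record fields and the credential_cmds set are this example's own choices.

```bro
# Added example (not part of Bro): one log for both directions of IRC commands.
module IRCCmds;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:          time    &log;            ## When the command was seen
        uid:         string  &log;            ## Connection identifier
        id:          conn_id &log;            ## Connection 4-tuple
        from_client: bool    &log;            ## T for irc_request, F for irc_message
        prefix:      string  &log &optional;  ## IRC prefix, if the line carried one
        command:     string  &log;            ## The IRC command, uppercased
        payload:     string  &log;            ## Arguments or text; redacted for credential commands
    };

    ## Commands whose arguments carry credentials; their payload is never logged.
    const credential_cmds: set[string] = { "PASS", "OPER" } &redef;
}

event bro_init()
    {
    Log::create_stream(IRCCmds::LOG, [$columns=Info, $path="irc_cmds"]);
    }

# Shared by both handlers; the direction is passed in explicitly because the
# documentation fixes is_orig to T for irc_request and F for irc_message.
function record_cmd(c: connection, from_client: bool, prefix: string, command: string, payload: string)
    {
    local cmd = to_upper(command);
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                       $from_client=from_client, $command=cmd,
                       $payload=(cmd in credential_cmds ? "<redacted>" : payload)];
    if ( prefix != "" )
        rec$prefix = prefix;
    Log::write(IRCCmds::LOG, rec);
    }

# Client-side commands.
event irc_request(c: connection, is_orig: bool, prefix: string, command: string, arguments: string)
    {
    record_cmd(c, T, prefix, command, arguments);
    }

# Commands forwarded by the server to the client.
event irc_message(c: connection, is_orig: bool, prefix: string, command: string, message: string)
    {
    record_cmd(c, F, prefix, command, message);
    }
```

Running `bro -r capture.pcap irc_cmds.bro` produces irc_cmds.log; because the prefix carries the server-side origin of a forwarded command, the from_client column plus the prefix together tell you who actually issued each line.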
irc_quit_message
Type: event (c: connection, is_orig: bool, nick: string, message: string)
Generated for IRC messages of type quit. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname coming with the message.
message: The text included with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_privmsg_message
Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)
Generated for IRC messages of type privmsg. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
source: The source of the private communication.
target: The target of the private communication.
message: The text of the communication.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_notice_message
Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)
Generated for IRC messages of type notice. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
source: The source of the private communication.
target: The target of the private communication.
message: The text of the communication.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_squery_message
Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)
Generated for IRC messages of type squery. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
source: The source of the private communication.
target: The target of the private communication.
message: The text of the communication.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_join_message
Type: event (c: connection, is_orig: bool, info_list: irc_join_list)
Generated for IRC messages of type join. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
info_list: The user information coming with the command.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_part_message
Type: event (c: connection, is_orig: bool, nick: string, chans: string_set, message: string)
Generated for IRC messages of type part. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname coming with the message.
chans: The set of channels affected.
message: The text coming with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_password_message
irc_nick_message
Type: event (c: connection, is_orig: bool, who: string, newnick: string)
Generated for IRC messages of type nick. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
who: The user changing its nickname.
newnick: The new nickname.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_invalid_nick
Type: event (c: connection, is_orig: bool)
Generated when a server rejects an IRC nickname.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_network_info
Type: event (c: connection, is_orig: bool, users: count, services: count, servers: count)
Generated for an IRC reply of type luserclient.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
users: The number of users as returned in the reply.
services: The number of services as returned in the reply.
servers: The number of servers as returned in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_server_info
Type: event (c: connection, is_orig: bool, users: count, services: count, servers: count)
Generated for an IRC reply of type luserme.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
users: The number of users as returned in the reply.
services: The number of services as returned in the reply.
servers: The number of servers as returned in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_channel_info
Type: event (c: connection, is_orig: bool, chans: count)
Generated for an IRC reply of type luserchannels.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
chans: The number of channels as returned in the reply.
See also: irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_who_line
Type: event (c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string)
Generated for an IRC reply of type whoreply.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
target_nick: The target nickname.
channel: The channel.
user: The user.
host: The host.
server: The server.
nick: The nickname.
params: The parameters.
hops: The hop count.
real_name: The real name.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_names_info
Type: event (c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
Generated for an IRC reply of type namereply.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
c_type: The channel type.
channel: The channel.
users: The set of users.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_whois_operator_line
Type: event (c: connection, is_orig: bool, nick: string)
Generated for an IRC reply of type whoisoperator.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname specified in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_whois_channel_line
Type: event (c: connection, is_orig: bool, nick: string, chans: string_set)
Generated for an IRC reply of type whoischannels.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname specified in the reply.
chans: The set of channels returned.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_whois_user_line
Type: event (c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string)
Generated for an IRC reply of type whoisuser.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname specified in the reply.
user: The user name specified in the reply.
host: The host name specified in the reply.
real_name: The real name specified in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_oper_response
Type: event (c: connection, is_orig: bool, got_oper: bool)
Generated for IRC replies of type youreoper and nooperhost.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
got_oper: True if the oper command was executed successfully (youreoper) and false otherwise (nooperhost).
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_part_message, irc_password_message
irc_global_users
Type: event (c: connection, is_orig: bool, prefix: string, msg: string)
Generated for an IRC reply of type globalusers.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
msg: The message coming with the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_channel_topic
Type: event (c: connection, is_orig: bool, channel: string, topic: string)
Generated for an IRC reply of type topic.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
channel: The channel name specified in the reply.
topic: The topic specified in the reply.
See also: irc_channel_info, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_who_message
Type: event (c: connection, is_orig: bool, mask: string, oper: bool)
Generated for IRC messages of type who. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
mask: The mask specified in the message.
oper: True if the operator flag was set.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_whois_message
Type: event (c: connection, is_orig: bool, server: string, users: string)
Generated for IRC messages of type whois. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
server: TODO.
users: TODO.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_oper_message
Type: event (c: connection, is_orig: bool, user: string, password: string)
Generated for IRC messages of type oper. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
user: The user specified in the message.
password: The password specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_response, irc_part_message, irc_password_message
irc_kick_message
Type: event (c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string)
Generated for IRC messages of type kick. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
chans: The channels specified in the message.
users: The users specified in the message.
comment: The comment specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_error_message
Type: event (c: connection, is_orig: bool, prefix: string, message: string)
Generated for IRC messages of type error. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
message: The textual description specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_invite_message
Type: event (c: connection, is_orig: bool, prefix: string, nickname: string, channel: string)
Generated for IRC messages of type invite. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
nickname: The nickname specified in the message.
channel: The channel specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_mode_message
Type: event (c: connection, is_orig: bool, prefix: string, params: string)
Generated for IRC messages of type mode. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
params: The parameters coming with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_squit_message
Type: event (c: connection, is_orig: bool, prefix: string, server: string, message: string)
Generated for IRC messages of type squit. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
server: The server specified in the message.
message: The textual description specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_dcc_message
Type: event (c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count)
Generated for IRC messages of type dcc. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
target: The target specified in the message.
dcc_type: The DCC type specified in the message.
argument: The argument specified in the message.
address: The address specified in the message.
dest_port: The destination port specified in the message.
size: The size specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
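A DCC line is an out-of-band instruction to open a second connection, which is why the address, port and size fields above are worth recording on their own. The script below is an added example and not part of Bro or its distribution: it writes every DCC offer to its own log and raises a notice when a client-originated offer advertises an address other than the client's own, since that steers the peer toward a third host. NAT between the sensor and the client also produces such mismatches, so the notice is a lead rather than a verdict. The module name, log path, record fields and notice type are this example's own choices.

```bro
# Added example (not part of Bro): log DCC offers seen inside IRC and flag
# client offers whose advertised address is not the client's own.
module IRCDCC;

export {
    redef enum Notice::Type += {
        ## A client-originated DCC offer advertised an address other than the client's.
        Address_Mismatch,
    };
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time   &log;
        uid:       string &log;
        offerer:   addr   &log;   ## Host that sent the DCC line over the IRC connection
        target:    string &log;   ## Nick or channel the offer was addressed to
        dcc_type:  string &log;   ## DCC subtype as parsed by the analyzer
        argument:  string &log;   ## Argument carried by the offer (e.g. a file name)
        address:   addr   &log;   ## Address the peer is asked to connect to
        dest_port: count  &log;   ## Port the peer is asked to connect to
        size:      count  &log;   ## Size advertised in the offer
    };
}

event bro_init()
    {
    Log::create_stream(IRCDCC::LOG, [$columns=Info, $path="irc_dcc"]);
    }

event irc_dcc_message(c: connection, is_orig: bool, prefix: string, target: string,
                      dcc_type: string, argument: string, address: addr,
                      dest_port: count, size: count)
    {
    # The host that injected the DCC line: originator if is_orig, else the server side.
    local offerer = is_orig ? c$id$orig_h : c$id$resp_h;

    local rec: Info = [$ts=network_time(), $uid=c$uid, $offerer=offerer,
                       $target=target, $dcc_type=dcc_type, $argument=argument,
                       $address=address, $dest_port=dest_port, $size=size];
    Log::write(IRCDCC::LOG, rec);

    # Only client-originated offers can be compared against the sender: when the
    # server relays another user's DCC line, the address is not expected to be the server's.
    if ( is_orig && address != offerer )
        NOTICE([$note=Address_Mismatch, $conn=c,
                $msg=fmt("DCC %s from %s advertises %s:%d rather than the sender's own address",
                         dcc_type, offerer, address, dest_port),
                $identifier=cat(offerer, address)]);
    }
```

The resulting irc_dcc.log pairs naturally with conn.log: the advertised address and dest_port identify the follow-on connection that the IRC analyzer itself never sees.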
irc_user_message
Type: event (c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string)
Generated for IRC messages of type user. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
user: The user specified in the message.
host: The host name specified in the message.
server: The server name specified in the message.
real_name: The real name specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
irc_password_message
Type: event (c: connection, is_orig: bool, password: string)
Generated for IRC messages of type password. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
password: The password specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message
irc_starttls
Type: event (c: connection)
Generated if an IRC connection switched to TLS using STARTTLS. After this event no more IRC events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.
C: The connection.
Kerberos analyzer
KRB::Error_Msg
Type: record
The data from the ERROR_MSG message. See RFC 4120.
KRB::SAFE_Msg
Type: record
The data from the SAFE message. See RFC 4120.
KRB::KDC_Options
Type: record
KDC Options. See RFC 4120.
KRB::Type_Value
Type: record
Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
KRB::Ticket_Vector
Type: vector of KRB::Ticket
KRB::KDC_Request
Type: record
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
KRB::KDC_Response
Type: record
The data from the AS_REP and TGS_REP messages. See RFC 4120.
krb_as_request
Type: event (c: connection, msg: KRB::KDC_Request)
A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. The AS request carries the name of the client requesting authentication; the KDC answers it with an AS reply containing an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Msg: A Kerberos KDC request message data structure.
See also: krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_as_response
Type: event (c: connection, msg: KRB::KDC_Response)
A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. Following the AS request for a user, an AS reply contains an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Msg: A Kerberos KDC reply message data structure.
See also: krb_as_request, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_tgs_request
Type: event (c: connection, msg: KRB::KDC_Request)
A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. Following the Authentication Server exchange, if successful, the client now has a Ticket Granting Ticket (TGT). To authenticate to a Kerberized service, the client requests a Service Ticket, which will be returned in the TGS reply.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Msg: A Kerberos KDC request message data structure.
See also: krb_as_request, krb_as_response, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_tgs_response
Type: event (c: connection, msg: KRB::KDC_Response)
A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. This message returns a Service Ticket to the client, which is encrypted with the service’s long-term key, and which the client can use to authenticate to that service.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Msg: A Kerberos KDC reply message data structure.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_ap_request
Type: event (c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. This message contains authentication information that should be part of the first message in an authenticated transaction.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Ticket: The Kerberos ticket being used for authentication.
Opts: A Kerberos AP options data structure.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
krb_ap_response
Type: event (c: connection)
A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. This is used if mutual authentication is desired. All of the interesting information in here is encrypted, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_priv, krb_safe, krb_cred, krb_error
krb_priv
Type: event (c: connection, is_orig: bool)
A Kerberos 5 Private Message as defined in RFC 4120. This is a private (encrypted) application message, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Is_orig: Whether the originator of the connection sent this message.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_safe, krb_cred, krb_error
krb_safe
Type: event (c: connection, is_orig: bool, msg: KRB::SAFE_Msg)
A Kerberos 5 Safe Message as defined in RFC 4120. This is a safe (checksummed) application message.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Is_orig: Whether the originator of the connection sent this message.
Msg: A Kerberos SAFE message data structure.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_cred, krb_error
krb_cred
Type: event (c: connection, is_orig: bool, tickets: KRB::Ticket_Vector)
A Kerberos 5 Credential Message as defined in RFC 4120. This is a private (encrypted) message to forward credentials.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Is_orig: Whether the originator of the connection sent this message.
Tickets: Tickets obtained from the KDC that are being forwarded.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_error
krb_error
Type: event (c: connection, msg: KRB::Error_Msg)
A Kerberos 5 Error Message as defined in RFC 4120.
See Wikipedia for more information about the Kerberos protocol.
C: The connection over which this Kerberos message was sent.
Msg: A Kerberos error message data structure.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred
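The AS exchange described in the entries above (krb_as_request, krb_as_response, krb_error), tied together in one script that counts AS exchanges ending in an error per client: an added example, not code from the Bro documentation or distribution. The module name, the notice name and the thresholds are constructed for the example, and it assumes that KRB::Error_Msg carries an error_code field, which this page does not list.

```bro
@load base/frameworks/notice

module KRBWatch;

export {
	redef enum Notice::Type += {
		## One client had many AS exchanges answered with KRB_ERROR.
		Repeated_AS_Errors,
	};

	## Errors from one client within the window before a notice is raised.
	## Both values are constructed defaults for this example.
	const as_error_threshold = 10 &redef;
	const as_error_window = 5 min &redef;
}

## KDC_ERR_PREAUTH_REQUIRED (RFC 4120, section 7.5.9): the normal first answer
## to an AS request sent without pre-authentication data, not a failed logon.
const KDC_ERR_PREAUTH_REQUIRED = 25;

## Connections (by uid) whose AS request is still awaiting its reply.
global pending_as: set[string] &create_expire=1 min;

## Per-client count of AS exchanges that ended in a real error.
global as_errors: table[addr] of count &create_expire=as_error_window &default=0;

event krb_as_request(c: connection, msg: KRB::KDC_Request)
	{
	add pending_as[c$uid];
	}

event krb_as_response(c: connection, msg: KRB::KDC_Response)
	{
	# An AS reply carrying the TGT closes the exchange successfully.
	delete pending_as[c$uid];
	}

event krb_error(c: connection, msg: KRB::Error_Msg)
	{
	# Only errors that answer an outstanding AS request count.
	if ( c$uid !in pending_as )
		return;
	delete pending_as[c$uid];

	# Assumed field, not shown on this page: KRB::Error_Msg$error_code.
	if ( msg$error_code == KDC_ERR_PREAUTH_REQUIRED )
		return;

	local client = c$id$orig_h;
	++as_errors[client];
	if ( as_errors[client] == as_error_threshold )
		NOTICE([$note=Repeated_AS_Errors,
		        $msg=fmt("%d AS exchanges from %s answered with KRB_ERROR within %s",
		                 as_errors[client], client, as_error_window),
		        $conn=c, $identifier=cat(client)]);
	}
```

Skipping KDC_ERR_PREAUTH_REQUIRED matters: a client without pre-authentication data normally receives that error first and retries, so counting it would flag every ordinary logon.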
Telnet/Rsh/Rlogin analyzers
rsh_request
Type: event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
C: The connection.
Client_user: The client-side user name as sent in the initial protocol handshake.
Server_user: The server-side user name as sent in the initial protocol handshake.
Line: The command line sent in the request.
New_session: True if this is the first command of the Rsh session.
See also: rsh_reply, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Note
For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
rsh_reply
Type: event (c: connection, client_user: string, server_user: string, line: string)
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
C: The connection.
Client_user: The client-side user name as sent in the initial protocol handshake.
Server_user: The server-side user name as sent in the initial protocol handshake.
Line: The command line sent in the request.
See also: rsh_request, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Note
For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
login_failure
Type: event (c: connection, user: string, client_user: string, password: string, line: string)
Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.
C: The connection.
User: The user name tried.
Client_user: For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
Password: The password tried.
Line: The line of text that led the analyzer to conclude that the authentication had failed.
See also: login_confused, login_confused_text, login_display, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_success
Type: event (c: connection, user: string, client_user: string, password: string, line: string)
Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.
C: The connection.
User: The user name used.
Client_user: For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
Password: The password used.
Line: The line of text that led the analyzer to conclude that the authentication had succeeded.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
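A script that performs the Analyzer::register_for_ports step the Todo entries describe and then acts on login_failure and login_success: an added example, not code from the Bro documentation or distribution. The module name, the notice names and the thresholds are constructed, and the analyzer tags Analyzer::ANALYZER_TELNET and Analyzer::ANALYZER_RLOGIN are assumed, since this page does not list them.

```bro
@load base/frameworks/notice

module LoginWatch;

export {
	redef enum Notice::Type += {
		## One client failed Telnet/Rlogin authentication repeatedly.
		Repeated_Login_Failures,
		## A login succeeded from a client with recent failures.
		Success_After_Failures,
	};

	## Constructed defaults for this example.
	const failure_threshold = 5 &redef;
	const failure_window = 10 min &redef;
}

## Per-client count of login_failure events within the window.
global failures: table[addr] of count &create_expire=failure_window &default=0;

event bro_init()
	{
	# The step the Todo above describes: the analyzer is not active by default,
	# so bind it to the well-known ports. The tags ANALYZER_TELNET and
	# ANALYZER_RLOGIN are assumed here; this page does not list them.
	Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, set(23/tcp));
	Analyzer::register_for_ports(Analyzer::ANALYZER_RLOGIN, set(513/tcp));
	}

event login_failure(c: connection, user: string, client_user: string, password: string, line: string)
	{
	local client = c$id$orig_h;
	++failures[client];
	# The password is deliberately kept out of the notice; the count, the user
	# name and the server line that triggered the heuristic are enough.
	if ( failures[client] == failure_threshold )
		NOTICE([$note=Repeated_Login_Failures,
		        $msg=fmt("%d login failures from %s within %s (last user %s, line %s)",
		                 failures[client], client, failure_window, user, line),
		        $conn=c, $identifier=cat(client)]);
	}

event login_success(c: connection, user: string, client_user: string, password: string, line: string)
	{
	local client = c$id$orig_h;
	if ( client !in failures )
		return;
	# A success that follows a run of failures is the case worth a closer look.
	NOTICE([$note=Success_After_Failures,
	        $msg=fmt("login as %s from %s succeeded after %d failures",
	                 user, client, failures[client]),
	        $conn=c, $identifier=cat(client, user)]);
	delete failures[client];
	}
```

As the Note above states, the analyzer only raises login_failure and login_success once the script-level pattern variables (login_prompts, login_failure_msgs, login_success_msgs) are populated; the register_for_ports calls alone produce no events.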
login_input_line
Type: event (c: connection, line: string)
Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
C: The connection.
Line: The input line.
See also: login_confused, login_confused_text, login_display, login_failure, login_output_line, login_prompt, login_success, login_terminal, rsh_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_output_line
Type: event (c: connection, line: string)
Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
C: The connection.
Line: The output line.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_prompt, login_success, login_terminal, rsh_reply
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_confused
Type: event (c: connection, msg: string, line: string)
Generated when tracking of Telnet/Rlogin authentication failed. As Bro’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.
C: The connection.
Msg: Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them).
Line: The line of text that caused the heuristics to conclude they were confused.
See also: login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
login_confused_text
Type: event (c: connection, line: string)
Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this event for every line of user input after it has reported login_confused for a connection.
C: The connection.
Line: The line the user typed.
See also: login_confused, login_display, login_failure, login_input_line, login_output_line
,