Protocol Analyzers

Analyzer::Tag
Type:

enum

Analyzer::ANALYZER_AYIYA
Analyzer::ANALYZER_BACKDOOR
Analyzer::ANALYZER_BITTORRENT
Analyzer::ANALYZER_BITTORRENTTRACKER
Analyzer::ANALYZER_CONNSIZE
Analyzer::ANALYZER_DCE_RPC
Analyzer::ANALYZER_DHCP
Analyzer::ANALYZER_DNP3_TCP
Analyzer::ANALYZER_DNP3_UDP
Analyzer::ANALYZER_CONTENTS_DNS
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_FTP_DATA
Analyzer::ANALYZER_IRC_DATA
Analyzer::ANALYZER_FINGER
Analyzer::ANALYZER_FTP
Analyzer::ANALYZER_FTP_ADAT
Analyzer::ANALYZER_GNUTELLA
Analyzer::ANALYZER_GSSAPI
Analyzer::ANALYZER_GTPV1
Analyzer::ANALYZER_HTTP
Analyzer::ANALYZER_ICMP
Analyzer::ANALYZER_IDENT
Analyzer::ANALYZER_IMAP
Analyzer::ANALYZER_INTERCONN
Analyzer::ANALYZER_IRC
Analyzer::ANALYZER_KRB
Analyzer::ANALYZER_KRB_TCP
Analyzer::ANALYZER_CONTENTS_RLOGIN
Analyzer::ANALYZER_CONTENTS_RSH
Analyzer::ANALYZER_LOGIN
Analyzer::ANALYZER_NVT
Analyzer::ANALYZER_RLOGIN
Analyzer::ANALYZER_RSH
Analyzer::ANALYZER_TELNET
Analyzer::ANALYZER_MODBUS
Analyzer::ANALYZER_MYSQL
Analyzer::ANALYZER_CONTENTS_NCP
Analyzer::ANALYZER_NCP
Analyzer::ANALYZER_CONTENTS_NETBIOSSSN
Analyzer::ANALYZER_NETBIOSSSN
Analyzer::ANALYZER_NTLM
Analyzer::ANALYZER_NTP
Analyzer::ANALYZER_PIA_TCP
Analyzer::ANALYZER_PIA_UDP
Analyzer::ANALYZER_POP3
Analyzer::ANALYZER_RADIUS
Analyzer::ANALYZER_RDP
Analyzer::ANALYZER_RFB
Analyzer::ANALYZER_CONTENTS_NFS
Analyzer::ANALYZER_CONTENTS_RPC
Analyzer::ANALYZER_MOUNT
Analyzer::ANALYZER_NFS
Analyzer::ANALYZER_PORTMAPPER
Analyzer::ANALYZER_SIP
Analyzer::ANALYZER_CONTENTS_SMB
Analyzer::ANALYZER_SMB
Analyzer::ANALYZER_SMTP
Analyzer::ANALYZER_SNMP
Analyzer::ANALYZER_SOCKS
Analyzer::ANALYZER_SSH
Analyzer::ANALYZER_DTLS
Analyzer::ANALYZER_SSL
Analyzer::ANALYZER_STEPPINGSTONE
Analyzer::ANALYZER_SYSLOG
Analyzer::ANALYZER_CONTENTLINE
Analyzer::ANALYZER_CONTENTS
Analyzer::ANALYZER_TCP
Analyzer::ANALYZER_TCPSTATS
Analyzer::ANALYZER_TEREDO
Analyzer::ANALYZER_UDP
Analyzer::ANALYZER_XMPP
Analyzer::ANALYZER_ZIP

Bro::ARP

ARP Parsing

Components

Events

arp_request
Type:event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

Mac_src:The request’s source MAC address.
Mac_dst:The request’s destination MAC address.
SPA:The sender protocol address.
SHA:The sender hardware address.
TPA:The target protocol address.
THA:The target hardware address.

See also: arp_reply, bad_arp

arp_reply
Type:event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

Mac_src:The reply’s source MAC address.
Mac_dst:The reply’s destination MAC address.
SPA:The sender protocol address.
SHA:The sender hardware address.
TPA:The target protocol address.
THA:The target hardware address.

See also: arp_request, bad_arp

bad_arp
Type:event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Bro cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA:The sender protocol address.
SHA:The sender hardware address.
TPA:The target protocol address.
THA:The target hardware address.
Explanation:A short description of why the ARP packet is considered “bad”.

See also: arp_reply, arp_request

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Bro::AYIYA

AYIYA Analyzer

Bro::BackDoor

Backdoor Analyzer (deprecated)

Events

backdoor_stats
Type:event (c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats)

Deprecated. Will be removed.

backdoor_remove_conn
Type:event (c: connection)

Deprecated. Will be removed.

ftp_signature_found
Type:event (c: connection)

Deprecated. Will be removed.

gnutella_signature_found
Type:event (c: connection)

Deprecated. Will be removed.

http_signature_found
Type:event (c: connection)

Deprecated. Will be removed.

irc_signature_found
Type:event (c: connection)

Deprecated. Will be removed.

telnet_signature_found
Type:event (c: connection, is_orig: bool, len: count)

Deprecated. Will be removed.

ssh_signature_found
Type:event (c: connection, is_orig: bool)

Deprecated. Will be removed.

rlogin_signature_found
Type:event (c: connection, is_orig: bool, num_null: count, len: count)

Deprecated. Will be removed.

smtp_signature_found
Type:event (c: connection)

Deprecated. Will be removed.

http_proxy_signature_found
Type:event (c: connection)

Deprecated. Will be removed.

Bro::BitTorrent

BitTorrent Analyzer

Events

bittorrent_peer_handshake
Type:event (c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_keep_alive
Type:event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_choke
Type:event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_unchoke
Type:event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_interested
Type:event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_not_interested
Type:event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_have
Type:event (c: connection, is_orig: bool, piece_index: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_bitfield
Type:event (c: connection, is_orig: bool, bitfield: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_request
Type:event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_piece
Type:event (c: connection, is_orig: bool, index: count, begin: count, piece_length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_cancel
Type:event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_port
Type:event (c: connection, is_orig: bool, listen_port: port)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_unknown
Type:event (c: connection, is_orig: bool, message_id: count, data: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_weird

bittorrent_peer_weird
Type:event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown

bt_tracker_request
Type:event (c: connection, uri: string, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bt_tracker_response
Type:event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bt_tracker_response_not_ok
Type:event (c: connection, status: count, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bt_tracker_weird
Type:event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

Bro::ConnSize

Connection size analyzer

Events

conn_bytes_threshold_crossed
Type:event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold. Note that this is a low-level event that user code should usually avoid; use ConnThreshold::bytes_threshold_crossed instead.

C:the connection
Threshold:the threshold that was set
Is_orig:true if the threshold was crossed by the originator of the connection

See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold

conn_packets_threshold_crossed
Type:event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold. Note that this is a low-level event that user code should usually avoid; use ConnThreshold::bytes_threshold_crossed instead.

C:the connection
Threshold:the threshold that was set
Is_orig:true if the threshold was crossed by the originator of the connection

See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold

Functions

set_current_conn_bytes_threshold
Type:function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets the current byte threshold for connection sizes, overwriting any previous threshold. In nearly every case you will want to use the high-level API instead (ConnThreshold::set_bytes_threshold).

Cid:The connection id.
Threshold:Threshold in bytes.
Is_orig:If true, the threshold is set for bytes from the originator, otherwise for bytes from the responder.

See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold

set_current_conn_packets_threshold
Type:function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets a threshold for connection packets, overwriting any previous threshold. In nearly every case you will want to use the high-level API instead (ConnThreshold::set_packets_threshold).

Cid:The connection id.
Threshold:Threshold in packets.
Is_orig:If true, the threshold is set for packets from the originator, otherwise for packets from the responder.

See also: set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold

get_current_conn_bytes_threshold
Type:function (cid: conn_id, is_orig: bool) : count

Gets the current byte threshold size for a connection.

Cid:The connection id.
Is_orig:If true, the originator's threshold, otherwise the responder's threshold.
Returns:0 if no threshold is set or the threshold in bytes

See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold

get_current_conn_packets_threshold
Type:function (cid: conn_id, is_orig: bool) : count

Gets the current packet threshold size for a connection.

Cid:The connection id.
Is_orig:If true, the originator's threshold, otherwise the responder's threshold.
Returns:0 if no threshold is set or the threshold in packets

See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold
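An added example, not part of the Bro distribution or of this reference, that uses the high-level ConnThreshold API the functions above recommend instead of the low-level calls: it arms a byte threshold on each connection an internal host opens to the outside and raises a notice when the originator crosses it. It assumes ConnThreshold::set_bytes_threshold and ConnThreshold::bytes_threshold_crossed take the same (connection, threshold, is_orig) arguments as the low-level functions documented here and that Site::is_local_addr is available; the module name, notice type and byte limit are placeholders.

```bro
# Added example (not Bro's own code): notice when an internal originator
# sends more than a configurable volume over a single connection.
@load base/frameworks/notice
@load base/protocols/conn

module ConnVolume;

export {
    redef enum Notice::Type += {
        ## An internal originator exceeded the configured outbound byte budget.
        Large_Outbound,
    };

    ## Bytes an internal originator may send in one connection before a
    ## notice is raised (placeholder value, tune per site).
    const outbound_limit = 100 * 1024 * 1024 &redef;
}

event connection_established(c: connection)
    {
    # Only watch connections that originate inside the monitored network
    # and leave it; is_orig=T arms the threshold on the originator's bytes.
    if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
        ConnThreshold::set_bytes_threshold(c, outbound_limit, T);
    }

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    # The responder side was never armed, but guard anyway.
    if ( ! is_orig )
        return;

    NOTICE([$note=Large_Outbound,
            $msg=fmt("%s sent more than %d bytes to %s",
                     c$id$orig_h, threshold, c$id$resp_h),
            $conn=c,
            # Suppress repeats for the same host pair within the notice window.
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```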

Bro::DCE_RPC

DCE-RPC analyzer

Options/Constants

DCE_RPC::max_cmd_reassembly
Type:count
Attributes:&redef
Default:20

The maximum number of simultaneously fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.

DCE_RPC::max_frag_data
Type:count
Attributes:&redef
Default:30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a single command before it generates a weird and skips further input.

Types

DCE_RPC::PType
Type:

enum

DCE_RPC::REQUEST
DCE_RPC::PING
DCE_RPC::RESPONSE
DCE_RPC::FAULT
DCE_RPC::WORKING
DCE_RPC::NOCALL
DCE_RPC::REJECT
DCE_RPC::ACK
DCE_RPC::CL_CANCEL
DCE_RPC::FACK
DCE_RPC::CANCEL_ACK
DCE_RPC::BIND
DCE_RPC::BIND_ACK
DCE_RPC::BIND_NAK
DCE_RPC::ALTER_CONTEXT
DCE_RPC::ALTER_CONTEXT_RESP
DCE_RPC::AUTH3
DCE_RPC::SHUTDOWN
DCE_RPC::CO_CANCEL
DCE_RPC::ORPHANED
DCE_RPC::RTS

DCE_RPC::IfID
Type:

enum

DCE_RPC::unknown_if
DCE_RPC::epmapper
DCE_RPC::lsarpc
DCE_RPC::lsa_ds
DCE_RPC::mgmt
DCE_RPC::netlogon
DCE_RPC::samr
DCE_RPC::srvsvc
DCE_RPC::spoolss
DCE_RPC::drs
DCE_RPC::winspipe
DCE_RPC::wkssvc
DCE_RPC::oxid
DCE_RPC::ISCMActivator

Events

dce_rpc_message
Type:event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

C:The connection.
Is_orig:True if the message was sent by the originator of the TCP connection.
Fid:File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ptype_id:Numeric representation of the procedure type of the message.
Ptype:Enum representation of the procedure type of the message.

See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

dce_rpc_bind
Type:event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C:The connection.
Fid:File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id:The context identifier of the data representation.
Uuid:The string-interpreted UUID of the endpoint being requested.
Ver_major:The major version of the endpoint being requested.
Ver_minor:The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

dce_rpc_alter_context
Type:event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C:The connection.
Fid:File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id:The context identifier of the data representation.
Uuid:The string-interpreted UUID of the endpoint being requested.
Ver_major:The major version of the endpoint being requested.
Ver_minor:The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp

dce_rpc_bind_ack
Type:event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind acknowledgement (bind_ack) message.

C:The connection.
Fid:File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Sec_addr:Secondary address for the ack.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response

dce_rpc_alter_context_resp
Type:event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

C:The connection.
Fid:File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context

dce_rpc_request
Type:event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

C:The connection.
Fid:File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id:The context identifier of the data representation.
Opnum:Number of the RPC operation.
Stub_len:Length of the data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response

dce_rpc_response
Type:event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

C:The connection.
Fid:File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id:The context identifier of the data representation.
Opnum:Number of the RPC operation.
Stub_len:Length of the data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request

Bro::DHCP

DHCP analyzer

Types

DHCP::Msg
Type:

record

op: count

Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY

m_type: count

The type of DHCP message.

xid: count

Transaction ID of a DHCP session.

secs: interval

Number of seconds since the client began the address acquisition or renewal process.

flags: count

ciaddr: addr

Original IP address of the client.

yiaddr: addr

IP address assigned to the client.

siaddr: addr

IP address of the server.

giaddr: addr

IP address of the relaying gateway.

chaddr: string

Client hardware address.

sname: string &default = "" &optional

Server host name.

file_n: string &default = "" &optional

Boot file name.

A DHCP message.

See also: dhcp_message

DHCP::Addrs
Type:vector of addr

A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.

See also: dhcp_message

DHCP::SubOpt
Type:

record

code: count

value: string

DHCP Relay Agent Information Option (Option 82).

See also: dhcp_message

DHCP::SubOpts
Type:vector of DHCP::SubOpt

DHCP::ClientFQDN
Type:

record

flags: count

An unparsed bitfield of flags (refer to RFC 4702).

rcode1: count

This field is deprecated in the standard.

rcode2: count

This field is deprecated in the standard.

domain_name: string

The Domain Name part of the option carries all or part of the FQDN of a DHCP client.

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID
Type:

record

hwtype: count

hwaddr: string

DHCP Client Identifier (Option 61).

See also: dhcp_message

DHCP::Options
Type:

record

options: index_vec &optional

The ordered list of all DHCP option numbers.

subnet_mask: addr &optional

Subnet Mask Value (option 1)

routers: DHCP::Addrs &optional

Router addresses (option 3)

dns_servers: DHCP::Addrs &optional

DNS Server addresses (option 6)

host_name: string &optional

The Hostname of the client (option 12)

domain_name: string &optional

The DNS domain name of the client (option 15)

forwarding: bool &optional

Enable/Disable IP Forwarding (option 19)

broadcast: addr &optional

Broadcast Address (option 28)

vendor: string &optional

Vendor specific data. This can frequently be unparsed binary data. (option 43)

nbns: DHCP::Addrs &optional

NETBIOS name server list (option 44)

addr_request: addr &optional

Address requested by the client (option 50)

lease: interval &optional

Lease time offered by the server. (option 51)

serv_addr: addr &optional

Server address to allow clients to distinguish between lease offers. (option 54)

param_list: index_vec &optional

DHCP Parameter Request list (option 55)

message: string &optional

Textual error message (option 56)

max_msg_size: count &optional

Maximum Message Size (option 57)

renewal_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)

rebinding_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)

vendor_class: string &optional

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)

client_id: DHCP::ClientID &optional

DHCP Client Identifier (Option 61)

user_class: string &optional

User Class opaque value (Option 77)

client_fqdn: DHCP::ClientFQDN &optional

DHCP Client FQDN (Option 81)

sub_opt: DHCP::SubOpts &optional

DHCP Relay Agent Information Option (Option 82)

auto_config: bool &optional

Auto Config option to let host know if it’s allowed to auto assign an IP address. (Option 116)

auto_proxy_config: string &optional

URL to find a proxy.pac for auto proxy config (Option 252)

Events

dhcp_message
Type:event (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)

Generated for all DHCP messages.

C:The connection record describing the underlying UDP flow.
Is_orig:Indicates whether the message came in a packet from the originator/client of the UDP flow (true) or from the responder/server (false).
Msg:The parsed type-independent part of the DHCP message. The message type is indicated in this record.
Options:The full set of supported and parsed DHCP options.
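An added example, not part of the Bro distribution or of this reference, that handles dhcp_message with the DHCP::Msg and DHCP::Options fields documented above: it flags server-side messages whose option 54 (serv_addr) names a server outside an operator-maintained allow-list, and records the committed lease from each DHCPACK. The allow-list contents and the notice type are placeholders; m_type 5 is the standard DHCPACK message type.

```bro
# Added example (not Bro's own code): detect DHCP servers that are not on the
# allow-list and record which lease each client ends up with.
@load base/frameworks/notice
@load base/protocols/dhcp

module DHCP;

export {
    redef enum Notice::Type += {
        ## A DHCP server answered that is not in the authorised set.
        Unauthorized_Server,
    };

    ## Servers allowed to hand out leases on this network (placeholder values).
    const authorized_servers: set[addr] = { 10.0.0.1, 10.0.0.2 } &redef;
}

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # Offers and acknowledgements come from the server side only.
    if ( is_orig )
        return;

    # Option 54 is the server identifier the client is told to use; a value
    # outside the allow-list means a machine we do not control is answering.
    if ( options?$serv_addr && options$serv_addr !in authorized_servers )
        NOTICE([$note=Unauthorized_Server,
                $msg=fmt("DHCP server %s offered %s to client %s",
                         options$serv_addr, msg$yiaddr, msg$chaddr),
                $conn=c,
                # One notice per rogue server within the suppression window.
                $identifier=cat(options$serv_addr)]);

    # m_type 5 is DHCPACK, the point at which the lease is actually committed;
    # option 51 (lease) is only meaningful there.
    if ( msg$m_type == 5 && options?$lease )
        print fmt("client %s bound to %s for %s (server %s, xid %d)",
                  msg$chaddr, msg$yiaddr, options$lease,
                  options?$serv_addr ? cat(options$serv_addr) : "unknown",
                  msg$xid);
    }
```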

Bro::DNP3

DNP3 UDP/TCP analyzers

Events

dnp3_application_request_header
Type:event (c: connection, is_orig: bool, application: count, fc: count)

Generated for a DNP3 request header.

C:The connection the DNP3 communication is part of.
Is_orig:True if this reflects originator-side activity.
Fc:function code.

dnp3_application_response_header
Type:event (c: connection, is_orig: bool, application: count, fc: count, iin: count)

Generated for a DNP3 response header.

C:The connection the DNP3 communication is part of.
Is_orig:True if this reflects originator-side activity.
Fc:function code.
Iin:internal indication number.

dnp3_object_header
Type:event (c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)

Generated for the object header found in both DNP3 requests and responses.

C:The connection the DNP3 communication is part of.
Is_orig:True if this reflects originator-side activity.
Obj_type:type of object, which is classified based on an 8-bit group number and an 8-bit variation number.
Qua_field:qualifier field.
Number:TODO.
Rf_low:the structure of the range field depends on the qualifier field. In some cases the range field contains only one logical part, e.g. the number of objects, so only rf_low carries a useful value.
Rf_high:in some cases the range field contains two logical parts, e.g. a start index and a stop index; then rf_low carries the start index and rf_high the stop index.

dnp3_object_prefix
Type:event (c: connection, is_orig: bool, prefix_value: count)

Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.

C:The connection the DNP3 communication is part of.
Is_orig:True if this reflects originator-side activity.
Prefix_value:The prefix.

dnp3_header_block
Type:event (c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)

Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).

C:The connection the DNP3 communication is part of.
Is_orig:True if this reflects originator-side activity.
Len:the “length” field in the DNP3 Pseudo Link Layer.
Ctrl:the “control” field in the DNP3 Pseudo Link Layer.
Dest_addr:the “destination” field in the DNP3 Pseudo Link Layer.
Src_addr:the “source” field in the DNP3 Pseudo Link Layer.

dnp3_response_data_object
Type:event (c: connection, is_orig: bool, data_value: count)

Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: the object prefix and the object data. In most cases the object data are defined by new record types, but in a few cases they are directly basic types such as int16 or int8; for those, the additional data_value parameter carries the value.

C:The connection the DNP3 communication is part of.
Is_orig:True if this reflects originator-side activity.
Data_value:The value for those objects that carry their information here directly.

dnp3_attribute_common
Type:event (c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)

Generated for DNP3 attributes.

dnp3_crob
Type:event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with group number 12 and variation number 1.

CROB:control relay output block

dnp3_pcb
Type:event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with group number 12 and variation number 2.

PCB:pattern control block

dnp3_counter_32wFlag
Type:event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with group number 20 and variation number 1 (32-bit counter with flag).

dnp3_counter_16wFlag
Type:event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with group number 20 and variation number 2 (16-bit counter with flag).

dnp3_counter_32woFlag
Type:event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with group number 20 and variation number 5 (32-bit counter without flag).

dnp3_counter_16woFlag
Type:event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with group number 20 and variation number 6 (16-bit counter without flag).

dnp3_frozen_counter_32wFlag
Type:event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with group number 21 and variation number 1 (32-bit frozen counter with flag).

dnp3_frozen_counter_16wFlag
Type:event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with group number 21 and variation number 2 (16-bit frozen counter with flag).

dnp3_frozen_counter_32wFlagTime
Type:event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with group number 21 and variation number 5 (32-bit frozen counter with flag and time).

dnp3_frozen_counter_16wFlagTime
Type:event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_32woFlag
Type:event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_frozen_counter_16woFlag
Type:event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_analog_input_32wFlag
Type:event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_16wFlag
Type:event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_32woFlag
Type:event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_16woFlag
Type:event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_SPwFlag
Type:event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, float point with flag

dnp3_analog_input_DPwFlag
Type:event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, float point with flag

dnp3_frozen_analog_input_32wFlag
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_16wFlag
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_32wTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_16wTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag
Type:event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_16woFlag
Type:event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_SPwFlag
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, float point with flag

dnp3_frozen_analog_input_DPwFlag
Type:event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, float point with flag

dnp3_analog_input_event_32woTime
Type:event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_16woTime
Type:event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime
Type:event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_16wTime
Type:event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_SPwoTime
Type:event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision float point without time

dnp3_analog_input_event_DPwoTime
Type:event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision float point without time

dnp3_analog_input_event_SPwTime
Type:event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision float point with time

dnp3_analog_input_event_DPwTime
Type:event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precisiion float point with time

dnp3_frozen_analog_input_event_32woTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_16woTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_16wTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_SPwoTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision float point without time

dnp3_frozen_analog_input_event_DPwoTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision float point without time

dnp3_frozen_analog_input_event_SPwTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision float point with time

dnp3_frozen_analog_input_event_DPwTime
Type:event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)

Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision float point with time

dnp3_file_transport
Type:event (c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string)

g70

dnp3_debug_byte
Type:event (c: connection, is_orig: bool, debug: string)

Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for unknown “cases”. The byte string can be inspected to determine what caused the malformed network packets.
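
An added example in Bro script (not code from the Bro project) that handles the dnp3_crob, dnp3_pcb and dnp3_debug_byte events above from a monitoring standpoint. It assumes the DNP3 master is normally the connection originator; the known_masters set is a constructed placeholder.

```zeek
# Added example, not part of the Bro documentation: raise a notice when a
# DNP3 control object (group 12 CROB or PCB) is sent by a host that is not
# a known master, and record the raw bytes the analyzer could not parse.
module DNP3Monitor;

export {
    redef enum Notice::Type += {
        ## A CROB or PCB control object came from a host not in known_masters.
        Unexpected_Control_Source,
    };

    ## Constructed placeholder: the addresses of the real DNP3 masters.
    const known_masters: set[addr] = { 10.0.0.10 } &redef;
}

function check_control(c: connection, is_orig: bool, kind: string, control_code: count)
    {
    # Control objects should only originate from a master. The sender is the
    # connection originator when is_orig is set and the responder otherwise.
    local src = is_orig ? c$id$orig_h : c$id$resp_h;

    if ( src in known_masters )
        return;

    NOTICE([$note=Unexpected_Control_Source, $conn=c,
            $msg=fmt("DNP3 %s control code 0x%02x from %s", kind, control_code, src),
            $identifier=cat(src, kind)]);
    }

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
    {
    check_control(c, is_orig, "CROB", control_code);
    }

event dnp3_pcb(c: connection, is_orig: bool, control_code: count, count8: count,
               on_time: count, off_time: count, status_code: count)
    {
    check_control(c, is_orig, "PCB", control_code);
    }

event dnp3_debug_byte(c: connection, is_orig: bool, debug: string)
    {
    # The analyzer hit an object case it does not know. Keep the raw bytes
    # in hex so a malformed or unexpected object can be examined later.
    Reporter::info(fmt("DNP3 unparsed object bytes on %s (%s): %s", c$uid,
                       is_orig ? "orig" : "resp", bytestring_to_hexstr(debug)));
    }
```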

Bro::DNS

DNS analyzer

Events

dns_message
Type:event (c: connection, is_orig: bool, msg: dns_msg, len: count)

Generated for all DNS messages.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
is_orig: True if the message was sent by the originator of the connection.
msg: The parsed DNS message header.
len: The length of the message’s raw representation (i.e., the DNS payload).

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_request
Type:event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS requests. For requests with multiple queries, this event is raised once for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
query: The queried name.
qtype: The queried resource record type.
qclass: The queried resource record class.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_rejected
Type:event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
query: The queried name.
qtype: The queried resource record type.
qclass: The queried resource record class.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_query_reply
Type:event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for each entry in the Question section of a DNS reply.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
query: The queried name.
qtype: The queried resource record type.
qclass: The queried resource record class.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_A_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
a: The address returned by the reply.

See also: dns_AAAA_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_AAAA_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
a: The address returned by the reply.

See also: dns_A_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_A6_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
a: The address returned by the reply.

See also: dns_A_reply, dns_AAAA_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_NS_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
name: The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_CNAME_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
name: The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_PTR_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
name: The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_SOA_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)

Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
soa: The parsed SOA value.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_WKS_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_HINFO_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_MX_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)

Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
name: The name returned by the reply.
preference: The preference for the name specified by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_TXT_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
strs: The textual information returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_CAA_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)

Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
flags: The flags byte of the CAA reply.
tag: The property identifier of the CAA reply.
value: The property value of the CAA reply.

dns_SRV_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)

Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
target: Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.
priority: Priority of the SRV response – the priority of the target host; a lower value means more preferred.
weight: Weight of the SRV response – a relative weight for records with the same priority; a higher value means more preferred.
p: Port of the SRV response – the TCP or UDP port on which the service is to be found.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_unknown_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS reply resource records whose type is not one that Bro knows how to parse into a more specific event.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_SRV_reply, dns_end

dns_EDNS_addl
Type:event (c: connection, msg: dns_msg, ans: dns_edns_additional)

Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The parsed EDNS reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_TSIG_addl
Type:event (c: connection, msg: dns_msg, ans: dns_tsig_additional)

Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The parsed TSIG reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_RRSIG
Type:event (c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)

Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
rrsig: The parsed RRSIG record.

dns_DNSKEY
Type:event (c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)

Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
dnskey: The parsed DNSKEY record.

dns_NSEC
Type:event (c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)

Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
next_name: The parsed next secure domain name.
bitmaps: Vector of strings, in hex, for the bit maps present.

dns_NSEC3
Type:event (c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)

Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
nsec3: The parsed RDATA of the NSEC3 record.

dns_DS
Type:event (c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)

Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
ds: The parsed RDATA of the DS record.

dns_end
Type:event (c: connection, msg: dns_msg)

Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_full_request
Type:event ()

Deprecated. Will be removed.

Todo

Unclear what this event is for; it’s never raised. We should just remove it.

non_dns_request
Type:event (c: connection, msg: string)
Msg:The raw DNS payload.

Note

This event is deprecated and superseded by Bro’s dynamic protocol detection framework.

Bro::File

Generic file analyzer

Events

file_transferred
Type:event (c: connection, prefix: string, descr: string, mime_type: string)

Generated when a TCP connection associated with a file data transfer is seen (e.g., as happens with FTP or IRC).

C:The connection over which file data is transferred.
Prefix:Up to 1024 bytes of the file data.
Descr:Deprecated/unused argument.
Mime_type:MIME type of the file or “<unknown>” if no file magic signatures matched.

Bro::Finger

Finger analyzer

Events

finger_request
Type:event (c: connection, full: bool, username: string, hostname: string)

Generated for Finger requests.

See Wikipedia for more information about the Finger protocol.

C:The connection.
Full:True if verbose information is requested (/W switch).
Username:The request’s user name.
Hostname:The request’s host name.

See also: finger_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

finger_reply
Type:event (c: connection, reply_line: string)

Generated for Finger replies.

See Wikipedia for more information about the Finger protocol.

C:The connection.
Reply_line:The reply as returned by the server.

See also: finger_request

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Bro::FTP

FTP analyzer

Types

ftp_port
Type:

record

h: addr

The host’s address.

p: port

The host’s port.

valid: bool

True if the format was valid. Only then are h and p meaningful.

A parsed host/port combination describing the server endpoint for an upcoming data transfer.

See also: fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port

Events

ftp_request
Type:event (c: connection, command: string, arg: string)

Generated for client-side FTP commands.

See Wikipedia for more information about the FTP protocol.

C:The connection.
Command:The FTP command issued by the client (without any arguments).
Arg:The arguments going with the command.

See also: ftp_reply, fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port

ftp_reply
Type:event (c: connection, code: count, msg: string, cont_resp: bool)

Generated for server-side FTP replies.

See Wikipedia for more information about the FTP protocol.

C:The connection.
Code:The numerical response code the server responded with.
Msg:The textual message of the response.
Cont_resp:True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

See also: ftp_request, fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port

Functions

parse_ftp_port
Type:function (s: string) : ftp_port

Converts a string representation of the FTP PORT command to an ftp_port.

S:The string of the FTP PORT command, e.g., "10,0,0,1,4,31".
Returns:The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

See also: parse_eftp_port, parse_ftp_pasv, parse_ftp_epsv, fmt_ftp_port

parse_eftp_port
Type:function (s: string) : ftp_port

Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).

S:The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".
Returns:The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

See also: parse_ftp_port, parse_ftp_pasv, parse_ftp_epsv, fmt_ftp_port

parse_ftp_pasv
Type:function (str: string) : ftp_port

Converts the result of the FTP PASV command to an ftp_port.

Str:The string containing the result of the FTP PASV command.
Returns:The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

See also: parse_ftp_port, parse_eftp_port, parse_ftp_epsv, fmt_ftp_port

parse_ftp_epsv
Type:function (str: string) : ftp_port

Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).

Str:The string containing the result of the FTP EPSV command.
Returns:The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

See also: parse_ftp_port, parse_eftp_port, parse_ftp_pasv, fmt_ftp_port

fmt_ftp_port
Type:function (a: addr, p: port) : string

Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yields "10,0,0,1,4,31".

A:The IP address.
P:The TCP port.
Returns:The FTP PORT string.

See also: parse_ftp_port, parse_eftp_port, parse_ftp_pasv, parse_ftp_epsv
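The four parse functions and fmt_ftp_port above all operate on the same small family of formats: the comma-separated "h1,h2,h3,h4,p1,p2" form of PORT and PASV, and the delimited RFC 2428 form of EPRT and EPSV. The following is an added example, written in Python rather than Bro script; it is not Bro's implementation of these builtins, only a parser that follows their documented inputs and outputs. The FtpPort class, the INVALID constant and the port_matches_peer check are this example's own names, and the decision to treat a port of 0 in EPRT/EPSV as invalid is an assumption, not something the page states.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FtpPort:
    """Mirror of the ftp_port record: h and p are meaningful only when valid is True."""
    h: Optional[str]
    p: Optional[int]
    valid: bool


INVALID = FtpPort(None, None, False)


def _from_commas(nums: List[int]) -> FtpPort:
    """Build an FtpPort from the six h1..h4,p1,p2 values; every value must fit in a byte."""
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        return INVALID
    return FtpPort(".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5], True)


def parse_ftp_port(s: str) -> FtpPort:
    """PORT argument "h1,h2,h3,h4,p1,p2" -> address h1.h2.h3.h4, port p1*256+p2."""
    parts = [p.strip() for p in s.strip().split(",")]
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        return INVALID
    return _from_commas([int(p) for p in parts])


def parse_ftp_pasv(s: str) -> FtpPort:
    """PASV reply: the six numbers appear inside the reply text, usually in parentheses."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", s)
    return _from_commas([int(g) for g in m.groups()]) if m else INVALID


def _delim_ok(d: str) -> bool:
    """RFC 2428 delimiter: a single character in the ASCII range 33-126."""
    return len(d) == 1 and 33 <= ord(d) <= 126


def parse_eftp_port(s: str) -> FtpPort:
    """EPRT argument "<d><net-prt><d><net-addr><d><tcp-port><d>" (RFC 2428)."""
    s = s.strip()
    if not s or not _delim_ok(s[0]):
        return INVALID
    fields = s.split(s[0])          # expected: ['', net-prt, net-addr, tcp-port, '']
    if len(fields) != 5 or fields[0] != "" or fields[4] != "":
        return INVALID
    proto, host, port = fields[1], fields[2], fields[3]
    try:
        ip = ipaddress.ip_address(host)
        p = int(port)
    except ValueError:
        return INVALID
    # net-prt 1 means IPv4 and 2 means IPv6; the address family must agree with it.
    if proto not in ("1", "2") or (proto == "1") != (ip.version == 4) or not 1 <= p <= 65535:
        return INVALID
    return FtpPort(str(ip), p, True)


def parse_ftp_epsv(s: str) -> FtpPort:
    """EPSV reply "<text> (<d><d><d><tcp-port><d>)": no address is carried, so h stays None
    and the caller uses the control connection's server address."""
    m = re.search(r"\((.)\1\1(\d{1,5})\1\)", s)
    if not m or not _delim_ok(m.group(1)):
        return INVALID
    p = int(m.group(2))
    return FtpPort(None, p, True) if 1 <= p <= 65535 else INVALID


def fmt_ftp_port(a: str, p: int) -> str:
    """Inverse of parse_ftp_port: 10.0.0.1 and 1055 -> "10,0,0,1,4,31" (IPv4 only)."""
    ip = ipaddress.ip_address(a)
    if ip.version != 4 or not 0 <= p <= 65535:
        raise ValueError("PORT carries an IPv4 address and a 16-bit port")
    return ",".join(str(b) for b in ip.packed) + f",{p // 256},{p % 256}"


def port_matches_peer(fp: FtpPort, peer: str) -> bool:
    """Consistency check for a client's PORT/EPRT: the announced address should be the
    control connection's originator; a valid record naming another host is worth logging."""
    return fp.valid and fp.h is not None and ipaddress.ip_address(fp.h) == ipaddress.ip_address(peer)


if __name__ == "__main__":
    print(parse_ftp_port("10,0,0,1,4,31"))
    print(parse_eftp_port("|2|2001:db8::1|1055|"))
    print(parse_ftp_epsv("229 Entering Extended Passive Mode (|||1055|)"))
    print(fmt_ftp_port("10.0.0.1", 1055))
```

Every parser returns the INVALID record rather than raising, matching the documented contract that h and p are only meaningful when valid is true; a handler for ftp_request can therefore call the parser on every PORT or EPRT argument and branch on valid without worrying about malformed input.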

Bro::Gnutella

Gnutella analyzer

Events

gnutella_text_msg
Type:event (c: connection, orig: bool, headers: string)

TODO.

See Wikipedia for more information about the Gnutella protocol.

See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_signature_found

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_binary_msg
Type:event (c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool)

TODO.

See Wikipedia for more information about the Gnutella protocol.

See also: gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_signature_found, gnutella_text_msg

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_partial_binary_msg
Type:event (c: connection, orig: bool, msg: string, len: count)

TODO.

See Wikipedia for more information about the Gnutella protocol.

See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_signature_found, gnutella_text_msg

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_establish
Type:event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

See also: gnutella_binary_msg, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_signature_found, gnutella_text_msg

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_not_establish
Type:event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_partial_binary_msg, gnutella_signature_found, gnutella_text_msg

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_http_notify
Type:event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

See also: gnutella_binary_msg, gnutella_establish, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_signature_found, gnutella_text_msg

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Bro::GSSAPI

GSSAPI analyzer

Events

gssapi_neg_result
Type:event (c: connection, state: count)

Generated for GSSAPI negotiation results.

C:The connection.
State:The resulting state of the negotiation.

Bro::GTPv1

GTPv1 analyzer

Events

gtpv1_message
Type:event (c: connection, hdr: gtpv1_hdr)

Generated for any GTP message with a GTPv1 header.

C:The connection over which the message is sent.
Hdr:The GTPv1 header.
gtpv1_g_pdu_packet
Type:event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)

Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.

Outer:The GTP outer tunnel connection.
Inner_gtp:The GTP header.
Inner_ip:The inner IP and transport layer packet headers.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

gtpv1_create_pdp_ctx_request
Type:event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)

Generated for GTPv1-C Create PDP Context Request messages.

C:The connection over which the message is sent.
Hdr:The GTPv1 header.
Elements:The set of Information Elements comprising the message.
gtpv1_create_pdp_ctx_response
Type:event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)

Generated for GTPv1-C Create PDP Context Response messages.

C:The connection over which the message is sent.
Hdr:The GTPv1 header.
Elements:The set of Information Elements comprising the message.
gtpv1_update_pdp_ctx_request
Type:event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)

Generated for GTPv1-C Update PDP Context Request messages.

C:The connection over which the message is sent.
Hdr:The GTPv1 header.
Elements:The set of Information Elements comprising the message.
gtpv1_update_pdp_ctx_response
Type:event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)

Generated for GTPv1-C Update PDP Context Response messages.

C:The connection over which the message is sent.
Hdr:The GTPv1 header.
Elements:The set of Information Elements comprising the message.
gtpv1_delete_pdp_ctx_request
Type:event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)

Generated for GTPv1-C Delete PDP Context Request messages.

C:The connection over which the message is sent.
Hdr:The GTPv1 header.
Elements:The set of Information Elements comprising the message.
gtpv1_delete_pdp_ctx_response
Type:event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)

Generated for GTPv1-C Delete PDP Context Response messages.

C:The connection over which the message is sent.
Hdr:The GTPv1 header.
Elements:The set of Information Elements comprising the message.

Bro::HTTP

HTTP analyzer

Events

http_request
Type:event (c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)

Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Method:The HTTP method extracted from the request (e.g., GET, POST).
Original_URI:The unprocessed URI as specified in the request.
Unescaped_URI:The URI with all percent-encodings decoded.
Version:The version number specified in the request (e.g., 1.1).

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_stats, truncate_http_URI, http_connection_upgrade

http_reply
Type:event (c: connection, version: string, code: count, reason: string)

Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Version:The version number specified in the reply (e.g., 1.1).
Code:The numerical response code returned by the server.
Reason:The textual description returned by the server along with code.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_request, http_stats, http_connection_upgrade

http_header
Type:event (c: connection, is_orig: bool, name: string, value: string)

Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Is_orig:True if the header was sent by the originator of the TCP connection.
Name:The name of the header.
Value:The value of the header.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade

Note

This event is also raised for headers found in nested body entities.

http_all_headers
Type:event (c: connection, is_orig: bool, hlist: mime_header_list)

Generated for HTTP headers, passing on all headers of an HTTP message at once. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Is_orig:True if the header was sent by the originator of the TCP connection.
Hlist:A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

See also: http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade

Note

This event is also raised for headers found in nested body entities.

http_begin_entity
Type:event (c: connection, is_orig: bool)

Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Bro raises this event just before it starts parsing each entity’s content.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Is_orig:True if the entity was sent by the originator of the TCP connection.

See also: http_all_headers, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_begin_entity, http_connection_upgrade

http_end_entity
Type:event (c: connection, is_orig: bool)

Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Bro raises this event at the point when it has finished parsing an entity’s content.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Is_orig:True if the entity was sent by the originator of the TCP connection.

See also: http_all_headers, http_begin_entity, http_content_type, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_end_entity, http_connection_upgrade

http_entity_data
Type:event (c: connection, is_orig: bool, length: count, data: string)

Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data of not further defined size.

A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string, and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for HTTP transfers. At the very least, one should impose an upper size limit on how much data is being buffered.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Is_orig:True if the entity was sent by the originator of the TCP connection.
Length:The length of data.
Data:One chunk of raw entity data.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_entity_data, http_entity_data_delivery_size, skip_http_data, http_connection_upgrade
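The reassembly idiom described for http_entity_data (buffer chunks between http_begin_entity and http_end_entity, with a hard upper bound on what is retained) looks as follows when written out. This is an added example in Python rather than Bro script, and not code from Bro; the EntityReassembler class, the replay driver, the event tuples and the connection uid in SAMPLE_EVENTS are all constructed for this example.

```python
from typing import Dict, List, Set, Tuple

# Key for one entity's buffer: (connection uid, is_orig). In a Bro script this
# would be derived from the connection record; here the uid is a constructed string.
Key = Tuple[str, bool]


class EntityReassembler:
    """Buffers http_entity_data chunks per (connection, direction) until the matching
    http_end_entity, never retaining more than max_bytes for any single entity."""

    def __init__(self, max_bytes: int = 1_000_000) -> None:
        self.max_bytes = max_bytes
        self._buf: Dict[Key, bytearray] = {}
        self._truncated: Set[Key] = set()

    def begin_entity(self, uid: str, is_orig: bool) -> None:
        # Mirrors http_begin_entity: start a fresh buffer for this direction.
        key = (uid, is_orig)
        self._buf[key] = bytearray()
        self._truncated.discard(key)

    def entity_data(self, uid: str, is_orig: bool, data: bytes) -> None:
        # Mirrors http_entity_data: append the chunk, but stop at max_bytes and
        # remember that the body is incomplete rather than growing without bound.
        key = (uid, is_orig)
        buf = self._buf.get(key)
        if buf is None:
            return  # chunk with no open entity: nothing to attach it to
        room = self.max_bytes - len(buf)
        if len(data) > room:
            buf += data[:max(room, 0)]
            self._truncated.add(key)
        else:
            buf += data

    def end_entity(self, uid: str, is_orig: bool) -> Tuple[bytes, bool]:
        # Mirrors http_end_entity: hand back the (possibly truncated) body and release
        # the buffer so a long-lived connection does not accumulate state.
        key = (uid, is_orig)
        body = bytes(self._buf.pop(key, b""))
        truncated = key in self._truncated
        self._truncated.discard(key)
        return body, truncated


def replay(events: List[tuple], max_bytes: int) -> List[Tuple[bytes, bool]]:
    """Drive the reassembler with an event sequence; returns one (body, truncated)
    pair per completed entity, in the order the end events arrived."""
    r = EntityReassembler(max_bytes)
    out: List[Tuple[bytes, bool]] = []
    for ev in events:
        if ev[0] == "begin":
            r.begin_entity(ev[1], ev[2])
        elif ev[0] == "data":
            r.entity_data(ev[1], ev[2], ev[3])
        elif ev[0] == "end":
            out.append(r.end_entity(ev[1], ev[2]))
    return out


# Constructed sample: one server reply body delivered in three chunks (is_orig=False).
SAMPLE_EVENTS = [
    ("begin", "Cuid0001", False),
    ("data", "Cuid0001", False, b"<html><body>"),
    ("data", "Cuid0001", False, b"hello"),
    ("data", "Cuid0001", False, b"</body></html>"),
    ("end", "Cuid0001", False),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, max_bytes=1_000_000))  # complete body
    print(replay(SAMPLE_EVENTS, max_bytes=16))         # capped body, truncated flag set
```

Returning the truncated flag alongside the body lets the content analysis that runs at end_entity decide whether a partial body is still worth inspecting, instead of silently treating a cut-off entity as complete.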

http_content_type
Type:event (c: connection, is_orig: bool, ty: string, subty: string)

Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Is_orig:True if the entity was sent by the originator of the TCP connection.
Ty:The main type.
Subty:The subtype.

See also: http_all_headers, http_begin_entity, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade

Note

This event is also raised for headers found in nested body entities.

http_message_done
Type:event (c: connection, is_orig: bool, stat: http_message_stat)

Generated once at the end of parsing an HTTP message. Bro supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Is_orig:True if the entity was sent by the originator of the TCP connection.
Stat:Further meta information about the message.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_reply, http_request, http_stats, http_connection_upgrade

http_event
Type:event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding HTTP requests or replies.

See Wikipedia for more information about the HTTP protocol.

C:The connection.
Event_type:A string describing the general category of the problem found (e.g., illegal format).
Detail:Further more detailed description of the error.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_header, http_message_done, http_reply, http_request, http_stats, mime_event, http_connection_upgrade

http_stats
Type:event (c: connection, stats: http_stats_rec)

Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.

C:The connection.
Stats:Statistics summarizing HTTP-level properties of the finished connection.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_connection_upgrade

http_connection_upgrade
Type:event (c: connection, protocol: string)

Generated when an HTTP session is upgraded to a different protocol (e.g., websocket). This event is raised when a server replies with an HTTP 101 reply. No more HTTP events will be raised after this event.

C:The connection.
Protocol:The protocol to which the connection is switching.

See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request

Functions

skip_http_entity_data
Type:function (c: connection, is_orig: bool) : any

Skips the data of the HTTP entity.

C:The HTTP connection.
Is_orig:If true, the client data is skipped; otherwise the server data is skipped.

See also: skip_smtp_data

unescape_URI
Type:function (URI: string) : string

Unescapes all characters in a URI (decodes every %xx group).

URI:The URI to unescape.
Returns:The unescaped URI with all %xx groups decoded.

Note

Unescaping reserved characters may cause loss of information. RFC 2396: A URI is always in an “escaped” form, since escaping or unescaping a completed URI might change its semantics. Normally, the only time escape encodings can safely be made is when the URI is being created from its component parts.
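The note above is easiest to see with the two URI forms side by side: decoding every %xx group is what unescape_URI is documented to do, and the RFC 2396 caveat is that a decoded "?", "&", "=" or "/" lands in a reserved position and changes how the URI splits into path segments and parameters. The following is an added Python example, not Bro's implementation of unescape_URI; the structure and decoding_changes_structure helpers are this example's own names, and the decision to leave malformed groups such as "%4" untouched is an assumption.

```python
from typing import Dict, List, Tuple

HEX = set("0123456789abcdefABCDEF")


def unescape_uri(uri: str) -> str:
    """Decode every %xx group. Decoded bytes map 1:1 to characters (Bro strings are
    byte strings); a '%' not followed by two hex digits is copied through unchanged."""
    out: List[str] = []
    i = 0
    while i < len(uri):
        if uri[i] == "%" and i + 2 < len(uri) and uri[i + 1] in HEX and uri[i + 2] in HEX:
            out.append(chr(int(uri[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(uri[i])
            i += 1
    return "".join(out)


def structure(uri: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a request URI into path segments and query parameters without decoding."""
    path, _, query = uri.partition("?")
    params: Dict[str, str] = {}
    if query:
        for pair in query.split("&"):
            k, _, v = pair.partition("=")
            params[k] = v
    return path.split("/"), params


def decoding_changes_structure(uri: str) -> bool:
    """True when the decoded URI parses into different segments or parameters than the
    original, i.e. when some %xx group encoded a reserved character (the RFC 2396 case).
    Decoding each original piece on its own is the reference: if it agrees with a
    re-parse of the fully decoded URI, no reserved character changed position."""
    orig_segs, orig_params = structure(uri)
    dec_segs, dec_params = structure(unescape_uri(uri))
    same_segs = [unescape_uri(s) for s in orig_segs] == dec_segs
    same_params = {unescape_uri(k): unescape_uri(v) for k, v in orig_params.items()} == dec_params
    return not (same_segs and same_params)


if __name__ == "__main__":
    for u in ("/search?q=hello%20world", "/search?q=a%26b=c", "/docs/a%2Fb"):
        print(u, "->", unescape_uri(u), "| structure changed:", decoding_changes_structure(u))
```

For a detection script this is the practical reading of the note: match signatures against unescaped_URI, but keep original_URI for logging and flag requests where the two parse differently, since that difference is exactly the information the decoding step throws away.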

Bro::ICMP

ICMP analyzer

Events

icmp_sent
Type:event (c: connection, icmp: icmp_conn)

Generated for all ICMP messages that are not handled separately with dedicated ICMP events. Bro’s ICMP analyzer handles a number of ICMP messages directly with dedicated events. This event acts as a fallback for those it doesn’t.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.

See also: icmp_error_message, icmp_sent_payload

icmp_sent_payload
Type:event (c: connection, icmp: icmp_conn, payload: string)

The same as icmp_sent except containing the ICMP payload.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Payload:The payload of the ICMP message.

See also: icmp_error_message, icmp_sent_payload

icmp_echo_request
Type:event (c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)

Generated for ICMP echo request messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Id:The echo request identifier.
Seq:The echo request sequence number.
Payload:The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.

See also: icmp_echo_reply

icmp_echo_reply
Type:event (c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)

Generated for ICMP echo reply messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Id:The echo reply identifier.
Seq:The echo reply sequence number.
Payload:The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.

See also: icmp_echo_request

icmp_error_message
Type:event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for all ICMPv6 error messages that are not handled separately with dedicated events. Bro’s ICMP analyzer handles a number of ICMP error messages directly with dedicated events. This event acts as a fallback for those it doesn’t.

See Wikipedia for more information about the ICMPv6 protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Code:The ICMP code of the error message.
Context:A record with specifics of the original packet that the message refers to.

See also: icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem

icmp_unreachable
Type:event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for ICMP destination unreachable messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Code:The ICMP code of the unreachable message.
Context:A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the unreachable includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_packet_too_big, icmp_time_exceeded, icmp_parameter_problem

icmp_packet_too_big
Type:event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for ICMPv6 packet too big messages.

See Wikipedia for more information about the ICMPv6 protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Code:The ICMP code of the too big message.
Context:A record with specifics of the original packet that the message refers to. Too big messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the too big includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_time_exceeded, icmp_parameter_problem

icmp_time_exceeded
Type:event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for ICMP time exceeded messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Code:The ICMP code of the exceeded message.
Context:A record with specifics of the original packet that the message refers to. Time exceeded messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the time exceeded message includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_parameter_problem

icmp_parameter_problem
Type:event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)

Generated for ICMPv6 parameter problem messages.

See Wikipedia for more information about the ICMPv6 protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Code:The ICMP code of the parameter problem message.
Context:A record with specifics of the original packet that the message refers to. Parameter problem messages should include the original IP header from the packet that triggered them, and Bro parses that into the context structure. Note that if the parameter problem includes only a partial IP header for some reason, no fields of context will be filled out.

See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded

icmp_router_solicitation
Type:event (c: connection, icmp: icmp_conn, options: icmp6_nd_options)

Generated for ICMP router solicitation messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Options:Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect

icmp_router_advertisement
Type:event (c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)

Generated for ICMP router advertisement messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Cur_hop_limit:The default value that should be placed in the Hop Count field for outgoing IP packets.
Managed:Managed address configuration flag, RFC 4861.
Other:Other stateful configuration flag, RFC 4861.
Home_agent:Mobile IPv6 home agent flag, RFC 3775.
Pref:Router selection preferences, RFC 4191.
Proxy:Neighbor discovery proxy flag, RFC 4389.
Rsv:Remaining two reserved bits of router advertisement flags.
Router_lifetime:How long this router should be used as a default router.
Reachable_time:How long a neighbor should be considered reachable.
Retrans_timer:How long a host should wait before retransmitting.
Options:Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect

icmp_neighbor_solicitation
Type:event (c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)

Generated for ICMP neighbor solicitation messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Tgt:The IP address of the target of the solicitation.
Options:Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_advertisement, icmp_redirect

icmp_neighbor_advertisement
Type:event (c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)

Generated for ICMP neighbor advertisement messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Router:Flag indicating the sender is a router.
Solicited:Flag indicating advertisement is in response to a solicitation.
Override:Flag indicating advertisement should override existing caches.
Tgt:The Target Address in the soliciting message, or the address whose link-layer address has changed for unsolicited advertisements.
Options:Any Neighbor Discovery options included with the message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_redirect

icmp_redirect
Type:event (c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)

Generated for ICMP redirect messages.

See Wikipedia for more information about the ICMP protocol.

C:The connection record for the corresponding ICMP flow.
Icmp:Additional ICMP-specific information augmenting the standard connection record c.
Tgt:The address that is supposed to be a better first hop to use for ICMP Destination Address.
Dest:The address of the destination which is redirected to the target.
Options:Any Neighbor Discovery options included with message (RFC 4861).

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement
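
The Neighbor Discovery events above are mostly useful for spotting messages that rewrite a host's routing or neighbor cache. The following Bro script is an added example, not part of the Bro distribution or of this reference: it raises a Notice for any ICMPv6 Redirect that does not come from a known router and for any unsolicited Neighbor Advertisement carrying the override flag. The module name, the two Notice types and the contents of `trusted_routers` are assumptions for the example; only the `icmp_redirect` and `icmp_neighbor_advertisement` signatures and the `icmp_conn$orig_h` field come from Bro itself.

```bro
@load base/frameworks/notice

module NDWatch;

export {
    redef enum Notice::Type += {
        ## An ICMPv6 Redirect from a sender that is not a configured router.
        ## Hosts normally receive these only from their default gateway.
        ICMPv6_Redirect,
        ## An unsolicited Neighbor Advertisement with the override flag set,
        ## which replaces the neighbor-cache entry of every receiving host.
        Unsolicited_Override_NA,
    };

    ## Routers permitted to send redirects. Constructed example value;
    ## a deployment would fill this with its real gateway addresses.
    const trusted_routers: set[addr] = { [fe80::1] } &redef;
}

event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr,
                    options: icmp6_nd_options)
    {
    # icmp$orig_h is the sender of the ICMP message itself.
    if ( icmp$orig_h in trusted_routers )
        return;

    NOTICE([$note=ICMPv6_Redirect,
            $conn=c,
            $msg=fmt("redirect from %s: use %s as first hop for %s",
                     icmp$orig_h, tgt, dest),
            # One notice per (sender, target, destination) triple.
            $identifier=cat(icmp$orig_h, tgt, dest)]);
    }

event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool,
                                  solicited: bool, override: bool, tgt: addr,
                                  options: icmp6_nd_options)
    {
    # A solicited advertisement answers a specific query and is normal traffic;
    # an unsolicited one that also asks receivers to override their cache is
    # the case worth recording.
    if ( solicited || ! override )
        return;

    NOTICE([$note=Unsolicited_Override_NA,
            $conn=c,
            $msg=fmt("%s announced itself as %s (router flag=%s)",
                     icmp$orig_h, tgt, router),
            $identifier=cat(icmp$orig_h, tgt)]);
    }
```

The `$identifier` field lets the Notice framework's suppression collapse repeated advertisements from the same host into a single notice; without it a chatty host would generate one notice per packet.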

Bro::Ident

Ident analyzer

Events

ident_request
Type:event (c: connection, lport: port, rport: port)

Generated for Ident requests.

See Wikipedia for more information about the Ident protocol.

C:The connection.
Lport:The request’s local port.
Rport:The request’s remote port.

See also: ident_error, ident_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

ident_reply
Type:event (c: connection, lport: port, rport: port, user_id: string, system: string)

Generated for Ident replies.

See Wikipedia for more information about the Ident protocol.

C:The connection.
Lport:The corresponding request’s local port.
Rport:The corresponding request’s remote port.
User_id:The user id returned by the reply.
System:The operating system returned by the reply.

See also: ident_error, ident_request

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

ident_error
Type:event (c: connection, lport: port, rport: port, line: string)

Generated for Ident error replies.

See Wikipedia for more information about the Ident protocol.

C:The connection.
Lport:The corresponding request’s local port.
Rport:The corresponding request’s remote port.
Line:The error description returned by the reply.

See also: ident_reply, ident_request

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
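
Because the Ident analyzer is not activated by default, a script that wants the three events above has to attach the analyzer to a port first. The script below is an added example, not code from the Bro distribution: it registers the analyzer on 113/tcp with `Analyzer::register_for_ports` (the mechanism the Todo notes refer to) and writes each request, reply and error to a dedicated log stream. The module name, the `Info` record layout and the log path `ident` are assumptions for the example.

```bro
@load base/frameworks/analyzer
@load base/frameworks/logging

module IdentWatch;

export {
    redef enum Log::ID += { LOG };

    ## Ports on which the Ident analyzer is attached; 113/tcp is the
    ## IANA-assigned Ident port.
    const ident_ports: set[port] = { 113/tcp } &redef;

    ## One log line per Ident request, reply or error.
    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        lport:   port    &log;
        rport:   port    &log;
        user_id: string  &log &optional;
        system:  string  &log &optional;
        error:   string  &log &optional;
    };
}

event bro_init() &priority=5
    {
    Log::create_stream(IdentWatch::LOG, [$columns=Info, $path="ident"]);
    # Binding the analyzer to a port is what turns it on; without this line
    # none of the ident_* events fire.
    Analyzer::register_for_ports(Analyzer::ANALYZER_IDENT, ident_ports);
    }

## Fields shared by all three events.
function base_info(c: connection, lport: port, rport: port): Info
    {
    return [$ts=network_time(), $uid=c$uid, $id=c$id, $lport=lport, $rport=rport];
    }

event ident_request(c: connection, lport: port, rport: port)
    {
    Log::write(IdentWatch::LOG, base_info(c, lport, rport));
    }

event ident_reply(c: connection, lport: port, rport: port, user_id: string, system: string)
    {
    local info = base_info(c, lport, rport);
    info$user_id = user_id;
    info$system = system;
    Log::write(IdentWatch::LOG, info);
    }

event ident_error(c: connection, lport: port, rport: port, line: string)
    {
    local info = base_info(c, lport, rport);
    info$error = line;
    Log::write(IdentWatch::LOG, info);
    }
```

Registering a port is the simpler of the two options the Todo mentions; a DPD signature would instead let the analyzer attach to Ident traffic on any port, at the cost of writing and maintaining a payload pattern.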

Bro::IMAP

IMAP analyzer (StartTLS only)

Events

imap_capabilities
Type:event (c: connection, capabilities: string_vec)

Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.

C:The connection.
Capabilities:The list of IMAP capabilities as sent by the server.

imap_starttls
Type:event (c: connection)

Generated when an IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.

C:The connection.
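
Taken together, the two IMAP events let a script answer one question the StartTLS-only analyzer is well suited for: did a connection whose server offered STARTTLS actually upgrade, or did it stay in plaintext? The script below is an added example, not part of the Bro distribution. It records the STARTTLS capability per connection, marks the upgrade when `imap_starttls` fires, and raises a Notice at connection end for sessions that never upgraded. The module name, the Notice type and the two fields added to `connection` are assumptions for the example.

```bro
@load base/frameworks/notice

module IMAPWatch;

export {
    redef enum Notice::Type += {
        ## The server advertised STARTTLS, but the connection ended without
        ## the client ever switching to TLS (a plaintext session, or a
        ## stripped upgrade).
        STARTTLS_Not_Used,
    };
}

# Per-connection state, carried on the connection record so it is freed
# together with the connection.
redef record connection += {
    ## Server listed STARTTLS in its CAPABILITY response.
    imap_tls_offered: bool &default=F;
    ## The connection actually switched to TLS.
    imap_tls_used: bool &default=F;
};

event imap_capabilities(c: connection, capabilities: string_vec)
    {
    # Capability names are case-insensitive, so normalise before comparing.
    for ( i in capabilities )
        {
        if ( to_upper(capabilities[i]) == "STARTTLS" )
            c$imap_tls_offered = T;
        }
    }

event imap_starttls(c: connection)
    {
    c$imap_tls_used = T;
    }

event connection_state_remove(c: connection)
    {
    if ( c$imap_tls_offered && ! c$imap_tls_used )
        NOTICE([$note=STARTTLS_Not_Used,
                $conn=c,
                $msg=fmt("IMAP server %s offered STARTTLS but session from %s stayed in plaintext",
                         c$id$resp_h, c$id$orig_h),
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Deciding at `connection_state_remove` rather than on a timer avoids false positives for clients that send several commands before upgrading; the check only runs once the whole session has been seen.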

Bro::InterConn

InterConn analyzer (deprecated)

Events

interconn_stats
Type:event (c: connection, os: interconn_endp_stats, rs: interconn_endp_stats)

Deprecated. Will be removed.

interconn_remove_conn
Type:event (c: connection)

Deprecated. Will be removed.

Bro::IRC

IRC analyzer

Events

irc_request
Type:event (c: connection, is_orig: bool, prefix: string, command: string, arguments: string)

Generated for all client-side IRC commands.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:Always true.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Command:The command.
Arguments:The arguments for the command.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

Note

This event is generated only for messages that originate at the client-side. Commands coming in from remote trigger the irc_message event instead.

irc_reply
Type:event (c: connection, is_orig: bool, prefix: string, code: count, params: string)

Generated for all IRC replies. IRC replies are sent in response to a request and come with a reply code.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Prefix:The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message.
Code:The reply code, as specified by the protocol.
Params:The reply’s parameters.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_message
Type:event (c: connection, is_orig: bool, prefix: string, command: string, message: string)

Generated for IRC commands forwarded from the server to the client.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:Always false.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Command:The command.
Message:TODO.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

Note

This event is generated only for messages that are forwarded by the server to the client. Commands coming from client trigger the irc_request event instead.

irc_quit_message
Type:event (c: connection, is_orig: bool, nick: string, message: string)

Generated for IRC messages of type quit. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Nick:The nickname coming with the message.
Message:The text included with the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_privmsg_message
Type:event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type privmsg. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Source:The source of the private communication.
Target:The target of the private communication.
Message:The text of communication.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_notice_message
Type:event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type notice. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Source:The source of the private communication.
Target:The target of the private communication.
Message:The text of communication.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_squery_message
Type:event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type squery. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Source:The source of the private communication.
Target:The target of the private communication.
Message:The text of communication.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_join_message
Type:event (c: connection, is_orig: bool, info_list: irc_join_list)

Generated for IRC messages of type join. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Info_list:The user information coming with the command.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_part_message
Type:event (c: connection, is_orig: bool, nick: string, chans: string_set, message: string)

Generated for IRC messages of type part. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Nick:The nickname coming with the message.
Chans:The set of channels affected.
Message:The text coming with the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_password_message

irc_nick_message
Type:event (c: connection, is_orig: bool, who: string, newnick: string)

Generated for IRC messages of type nick. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Who:The user changing its nickname.
Newnick:The new nickname.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_invalid_nick
Type:event (c: connection, is_orig: bool)

Generated when a server rejects an IRC nickname.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_network_info
Type:event (c: connection, is_orig: bool, users: count, services: count, servers: count)

Generated for an IRC reply of type luserclient.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Users:The number of users as returned in the reply.
Services:The number of services as returned in the reply.
Servers:The number of servers as returned in the reply.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_server_info
Type:event (c: connection, is_orig: bool, users: count, services: count, servers: count)

Generated for an IRC reply of type luserme.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Users:The number of users as returned in the reply.
Services:The number of services as returned in the reply.
Servers:The number of servers as returned in the reply.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_channel_info
Type:event (c: connection, is_orig: bool, chans: count)

Generated for an IRC reply of type luserchannels.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Chans:The number of channels as returned in the reply.

See also: irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_who_line
Type:event (c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string)

Generated for an IRC reply of type whoreply.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Target_nick:The target nickname.
Channel:The channel.
User:The user.
Host:The host.
Server:The server.
Nick:The nickname.
Params:The parameters.
Hops:The hop count.
Real_name:The real name.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_names_info
Type:event (c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)

Generated for an IRC reply of type namereply.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
C_type:The channel type.
Channel:The channel.
Users:The set of users.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_whois_operator_line
Type:event (c: connection, is_orig: bool, nick: string)

Generated for an IRC reply of type whoisoperator.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Nick:The nickname specified in the reply.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_whois_channel_line
Type:event (c: connection, is_orig: bool, nick: string, chans: string_set)

Generated for an IRC reply of type whoischannels.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Nick:The nickname specified in the reply.
Chans:The set of channels returned.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_whois_user_line
Type:event (c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string)

Generated for an IRC reply of type whoisuser.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Nick:The nickname specified in the reply.
User:The user name specified in the reply.
Host:The host name specified in the reply.
Real_name:The real name specified in the reply.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_oper_response
Type:event (c: connection, is_orig: bool, got_oper: bool)

Generated for IRC replies of type youreoper and nooperhost.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Got_oper:True if the oper command was executed successfully (youreoper) and false otherwise (nooperhost).

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_part_message, irc_password_message

irc_global_users
Type:event (c: connection, is_orig: bool, prefix: string, msg: string)

Generated for an IRC reply of type globalusers.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Msg:The message coming with the reply.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_channel_topic
Type:event (c: connection, is_orig: bool, channel: string, topic: string)

Generated for an IRC reply of type topic.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Channel:The channel name specified in the reply.
Topic:The topic specified in the reply.

See also: irc_channel_info, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_who_message
Type:event (c: connection, is_orig: bool, mask: string, oper: bool)

Generated for IRC messages of type who. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Mask:The mask specified in the message.
Oper:True if the operator flag was set.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_whois_message
Type:event (c: connection, is_orig: bool, server: string, users: string)

Generated for IRC messages of type whois. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Server:TODO.
Users:TODO.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_oper_message
Type:event (c: connection, is_orig: bool, user: string, password: string)

Generated for IRC messages of type oper. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
User:The user specified in the message.
Password:The password specified in the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_response, irc_part_message, irc_password_message

irc_kick_message
Type:event (c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string)

Generated for IRC messages of type kick. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Chans:The channels specified in the message.
Users:The users specified in the message.
Comment:The comment specified in the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_error_message
Type:event (c: connection, is_orig: bool, prefix: string, message: string)

Generated for IRC messages of type error. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Message:The textual description specified in the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_invite_message
Type:event (c: connection, is_orig: bool, prefix: string, nickname: string, channel: string)

Generated for IRC messages of type invite. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Nickname:The nickname specified in the message.
Channel:The channel specified in the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_mode_message
Type:event (c: connection, is_orig: bool, prefix: string, params: string)

Generated for IRC messages of type mode. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Params:The parameters coming with the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_squit_message
Type:event (c: connection, is_orig: bool, prefix: string, server: string, message: string)

Generated for IRC messages of type squit. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Server:The server specified in the message.
Message:The textual description specified in the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_dcc_message
Type:event (c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count)

Generated for IRC messages of type dcc. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Prefix:The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Target:The target specified in the message.
Dcc_type:The DCC type specified in the message.
Argument:The argument specified in the message.
Address:The address specified in the message.
Dest_port:The destination port specified in the message.
Size:The size specified in the message.

See also: irc_channel_info, irc_channel_topic, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_user_message
Type:event (c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string)

Generated for IRC messages of type user. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
User:The user specified in the message.
Host:The host name specified in the message.
Server:The server name specified in the message.
Real_name:The real name specified in the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_password_message
Type:event (c: connection, is_orig: bool, password: string)

Generated for IRC messages of type password. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C:The connection.
Is_orig:True if the command was sent by the originator of the TCP connection.
Password:The password specified in the message.

See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message

irc_starttls
Type:event (c: connection)

Generated if an IRC connection switched to TLS using STARTTLS. After this event no more IRC events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.

C:The connection.

Bro::KRB

Kerberos analyzer

Options/Constants

KRB::keytab
Type:string
Attributes:&redef
Default:""

Kerberos keytab file name. Used to decrypt tickets encountered on the wire.

Types

KRB::Error_Msg
Type:

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (30 for ERROR_MSG)

client_time: time &optional

Current time on the client

server_time: time

Current time on the server

error_code: count

The specific error code

client_realm: string &optional

Realm of the ticket

client_name: string &optional

Name on the ticket

service_realm: string

Realm of the service

service_name: string

Name of the service

error_text: string &optional

Additional text to explain the error

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

The data from the ERROR_MSG message. See RFC 4120.

KRB::SAFE_Msg
Type:

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (20 for SAFE_MSG)

data: string

The application-specific data that is being passed from the sender to the receiver

timestamp: time &optional

Current time from the sender of the message

seq: count &optional

Sequence number used to detect replays

sender: KRB::Host_Address &optional

Sender address

recipient: KRB::Host_Address &optional

Recipient address

The data from the SAFE message. See RFC 4120.

KRB::KDC_Options
Type:

record

forwardable: bool

The ticket to be issued should have its forwardable flag set.

forwarded: bool

A (TGT) request for forwarding.

proxiable: bool

The ticket to be issued should have its proxiable flag set.

proxy: bool

A request for a proxy.

allow_postdate: bool

The ticket to be issued should have its may-postdate flag set.

postdated: bool

A request for a postdated ticket.

renewable: bool

The ticket to be issued should have its renewable flag set.

opt_hardware_auth: bool

Reserved for opt_hardware_auth

disable_transited_check: bool

Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.

renewable_ok: bool

If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable

enc_tkt_in_skey: bool

The ticket for the end server is to be encrypted in the session key from the additional TGT provided

renew: bool

The request is for a renewal

validate: bool

The request is to validate a postdated ticket.

KDC Options. See RFC 4120

KRB::AP_Options
Type:

record

use_session_key: bool

Indicates that user-to-user-authentication is in use

mutual_required: bool

Mutual authentication is required

AP Options. See RFC 4120

KRB::Type_Value
Type:

record

data_type: count

The data type

val: string

The data value

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Ticket
Type:

record

pvno: count

Protocol version number (5 for KRB5)

realm: string

Realm

service_name: string

Name of the service

cipher: count

Cipher the ticket was encrypted with

ciphertext: string &optional

Cipher text of the ticket

authenticationinfo: string &optional

Authentication info

A Kerberos ticket. See RFC 4120.

KRB::Ticket_Vector
Type:vector of KRB::Ticket
KRB::Host_Address
Type:

record

ip: addr &log &optional

IPv4 or IPv6 address

netbios: string &log &optional

NetBIOS address

unknown: KRB::Type_Value &optional

Some other type that we don’t support yet

A Kerberos host address. See RFC 4120.

KRB::KDC_Request
Type:

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (10 for AS_REQ, 12 for TGS_REQ)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

kdc_options: KRB::KDC_Options

Options specified in the request

client_name: string &optional

Name on the ticket

service_realm: string

Realm of the service

service_name: string &optional

Name of the service

from: time &optional

Time the ticket is good from

till: time

Time the ticket is good till

rtime: time &optional

The requested renew-till time

nonce: count

A random nonce generated by the client

encryption_types: vector of count

The desired encryption algorithms, in order of preference

host_addrs: vector of KRB::Host_Address &optional

Any additional addresses the ticket should be valid for

additional_tickets: vector of KRB::Ticket &optional

Additional tickets may be included for certain transactions

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

KRB::KDC_Response
Type:

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (11 for AS_REP, 13 for TGS_REP)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

client_realm: string &optional

Realm on the ticket

client_name: string

Name on the service

ticket: KRB::Ticket

The ticket that was issued

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

Events

krb_as_request
Type:event (c: connection, msg: KRB::KDC_Request)

A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. The AS request contains a username of the client requesting authentication, and returns an AS reply with an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Msg:A Kerberos KDC request message data structure.

See also: krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error

krb_as_response
Type:event (c: connection, msg: KRB::KDC_Response)

A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. Following the AS request for a user, an AS reply contains an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Msg:A Kerberos KDC reply message data structure.

See also: krb_as_request, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error

krb_tgs_request
Type:event (c: connection, msg: KRB::KDC_Request)

A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. Following the Authentication Server exchange, if successful, the client now has a Ticket Granting Ticket (TGT). To authenticate to a Kerberized service, the client requests a Service Ticket, which will be returned in the TGS reply.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Msg:A Kerberos KDC request message data structure.

See also: krb_as_request, krb_as_response, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error

krb_tgs_response
Type:event (c: connection, msg: KRB::KDC_Response)

A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. This message returns a Service Ticket to the client, which is encrypted with the service’s long-term key, and which the client can use to authenticate to that service.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Msg:A Kerberos KDC reply message data structure.

See also: krb_as_request, krb_as_response, krb_tgs_request, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error

krb_ap_request
Type:event (c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)

A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. This message contains authentication information that should be part of the first message in an authenticated transaction.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Ticket:The Kerberos ticket being used for authentication.
Opts:A Kerberos AP options data structure.

See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error

krb_ap_response
Type:event (c: connection)

A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. This is used if mutual authentication is desired. All of the interesting information in here is encrypted, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.

See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_priv, krb_safe, krb_cred, krb_error

krb_priv
Type:event (c: connection, is_orig: bool)

A Kerberos 5 Private Message as defined in RFC 4120. This is a private (encrypted) application message, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Is_orig:Whether the originator of the connection sent this message.

See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_safe, krb_cred, krb_error

krb_safe
Type:event (c: connection, is_orig: bool, msg: KRB::SAFE_Msg)

A Kerberos 5 Safe Message as defined in RFC 4120. This is a safe (checksummed) application message.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Is_orig:Whether the originator of the connection sent this message.
Msg:A Kerberos SAFE message data structure.

See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_cred, krb_error

krb_cred
Type:event (c: connection, is_orig: bool, tickets: KRB::Ticket_Vector)

A Kerberos 5 Credential Message as defined in RFC 4120. This is a private (encrypted) message to forward credentials.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Is_orig:Whether the originator of the connection sent this message.
Tickets:Tickets obtained from the KDC that are being forwarded.

See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_error

krb_error
Type:event (c: connection, msg: KRB::Error_Msg)

A Kerberos 5 Error Message as defined in RFC 4120.

See Wikipedia for more information about the Kerberos protocol.

C:The connection over which this Kerberos message was sent.
Msg:A Kerberos error message data structure.

See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred
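The AS, TGS and error events above are enough to build a small KDC traffic monitor. The script below is an added example written for this page, not code from the Bro distribution or its documentation: it counts KRB-ERROR replies whose error code marks a failed authentication attempt per client host and raises a Notice once a threshold is reached, and it flags AS requests whose encryption_types list offers RC4 but no AES type. The module name KRBMon, the Notice types, the thresholds and the choice of error codes are assumptions made here; the error code numbers come from RFC 4120 section 7.5.9 and the encryption type numbers from RFC 3962 and RFC 4757.

```bro
@load base/frameworks/notice

module KRBMon;

export {
    redef enum Notice::Type += {
        ## One client produced many failed Kerberos exchanges in the window.
        Repeated_Auth_Failures,
        ## A client asked the KDC for RC4 without offering any AES type.
        RC4_Only_Request,
    };

    ## KRB-ERROR codes treated as failed attempts (assumed selection):
    ## 6 KDC_ERR_C_PRINCIPAL_UNKNOWN, 18 KDC_ERR_CLIENT_REVOKED,
    ## 24 KDC_ERR_PREAUTH_FAILED.
    const failure_codes: set[count] = { 6, 18, 24 } &redef;

    ## Assumed threshold and window; tune to the environment.
    const failure_threshold: count = 10 &redef;
    const failure_window: interval = 5min &redef;
}

# Encryption type numbers (RFC 3962 for AES, RFC 4757 for RC4-HMAC).
const ETYPE_AES128 = 17;
const ETYPE_AES256 = 18;
const ETYPE_RC4_HMAC = 23;

# Failed attempts per originating host; entries expire after the window.
global failures: table[addr] of count &create_expire=failure_window;

event krb_error(c: connection, msg: KRB::Error_Msg)
    {
    if ( msg$error_code !in failure_codes )
        return;

    local h = c$id$orig_h;
    if ( h !in failures )
        failures[h] = 0;
    ++failures[h];

    # client_name is &optional on Error_Msg, so test for it before use.
    if ( failures[h] == failure_threshold )
        NOTICE([$note=Repeated_Auth_Failures,
                $msg=fmt("%s: %d Kerberos failures (last code %d for %s) within %s",
                         h, failure_threshold, msg$error_code,
                         msg?$client_name ? msg$client_name : "<unknown>",
                         failure_window),
                $conn=c,
                $identifier=cat(h),
                $suppress_for=failure_window]);
    }

event krb_as_request(c: connection, msg: KRB::KDC_Request)
    {
    local has_aes = F;
    local has_rc4 = F;

    # encryption_types lists the client's offers in order of preference.
    for ( i in msg$encryption_types )
        {
        local et = msg$encryption_types[i];
        if ( et == ETYPE_AES128 || et == ETYPE_AES256 )
            has_aes = T;
        else if ( et == ETYPE_RC4_HMAC )
            has_rc4 = T;
        }

    if ( has_rc4 && ! has_aes )
        NOTICE([$note=RC4_Only_Request,
                $msg=fmt("%s requested a TGT for %s offering RC4 but no AES etype",
                         c$id$orig_h,
                         msg?$client_name ? msg$client_name : "<unknown>"),
                $conn=c,
                $identifier=cat(c$id$orig_h),
                $suppress_for=1hr]);
    }
```

Load the script alongside the default site policy; both conditions appear in notice.log, and the $identifier plus $suppress_for pair keeps a noisy client from producing one notice per message. The AS request check looks only at what the client offers; whether the KDC actually issued an RC4 ticket is visible in the cipher field of the KRB::Ticket carried by krb_as_response.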

Bro::Login

Telnet/Rsh/Rlogin analyzers

Events

rsh_request
Type:event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C:The connection.
Client_user:The client-side user name as sent in the initial protocol handshake.
Server_user:The server-side user name as sent in the initial protocol handshake.
Line:The command line sent in the request.
New_session:True if this is the first command of the Rsh session.

See also: rsh_reply, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rsh_reply
Type:event (c: connection, client_user: string, server_user: string, line: string)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C:The connection.
Client_user:The client-side user name as sent in the initial protocol handshake.
Server_user:The server-side user name as sent in the initial protocol handshake.
Line:The command line sent in the request.

See also: rsh_request, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

login_failure
Type:event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.

C:The connection.
User:The user name tried.
Client_user:For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
Password:The password tried.
Line:The line of text that led the analyzer to conclude that the authentication had failed.

See also: login_confused, login_confused_text, login_display, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_success
Type:event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.

C:The connection.
User:The user name used.
Client_user:For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
Password:The password used.
Line:The line of text that led the analyzer to conclude that the authentication had succeeded.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_input_line
Type:event (c: connection, line: string)

Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C:The connection.
Line:The input line.

See also: login_confused, login_confused_text, login_display, login_failure, login_output_line, login_prompt, login_success, login_terminal, rsh_request

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_output_line
Type:event (c: connection, line: string)

Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C:The connection.
Line:The output line.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_prompt, login_success, login_terminal, rsh_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_confused
Type:event (c: connection, msg: string, line: string)

Generated when tracking of Telnet/Rlogin authentication failed. As Bro’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.

C:The connection.
Msg:Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them)
Line:The line of text that caused the heuristics to conclude they were confused.

See also: login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
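Because the default configuration neither activates the login analyzer nor populates its pattern sets, using login_failure, login_success and login_confused takes three steps: register the analyzer for its ports, redef the heuristic sets the Note above refers to, and handle the events. The script below is an added example written for this page, not code from the Bro distribution: the module name LoginMon, the Notice types, the login_fails field added to the connection record and the prompt and message strings are assumptions chosen here; the strings in particular stand in for a typical Unix login banner and must match the servers actually being monitored.

```bro
@load base/frameworks/notice

module LoginMon;

export {
    redef enum Notice::Type += {
        ## A Telnet/Rlogin session succeeded after earlier failures.
        Login_After_Failures,
        ## The heuristics lost track of the authentication dialog.
        Login_Tracking_Confused,
    };
}

# Per-connection failure count, kept on the connection record itself
# (assumed field name).
redef record connection += {
    login_fails: count &default=0;
};

# The default configuration does not activate these analyzers, so bind
# them to the standard Telnet and Rlogin ports explicitly.
event bro_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, set(23/tcp));
    Analyzer::register_for_ports(Analyzer::ANALYZER_RLOGIN, set(513/tcp));
    }

# The analyzer's heuristics are driven by these script-level sets, which
# are empty by default. The strings are assumed patterns for a typical
# Unix login banner.
redef login_prompts += { "login:", "Login:", "Password:", "password:" };
redef login_failure_msgs += { "Login incorrect", "Permission denied" };
redef login_success_msgs += { "Last login:" };
redef login_timeouts += { "Login timed out" };

event login_failure(c: connection, user: string, client_user: string,
                    password: string, line: string)
    {
    ++c$login_fails;
    }

event login_success(c: connection, user: string, client_user: string,
                    password: string, line: string)
    {
    # Report the user name and attempt count; the password is never logged.
    if ( c$login_fails > 0 )
        NOTICE([$note=Login_After_Failures,
                $msg=fmt("%s logged in as '%s' after %d failed attempts (matched: %s)",
                         c$id$orig_h, user, c$login_fails, line),
                $conn=c,
                $identifier=cat(c$id$orig_h, user),
                $suppress_for=1hr]);
    }

event login_confused(c: connection, msg: string, line: string)
    {
    # msg names the heuristic that failed, e.g. multiple_login_prompts.
    NOTICE([$note=Login_Tracking_Confused,
            $msg=fmt("login analyzer confused on %s: %s", c$id$orig_h, msg),
            $conn=c,
            $identifier=cat(c$id$orig_h),
            $suppress_for=1hr]);
    }
```

The pattern sets decide how well the heuristics work: a prompt or message string missing from them turns into a login_confused event rather than a login_failure or login_success, which is why the confusion notice is worth keeping while the sets are being tuned.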

login_confused_text
Type:event (c: connection, line: string)

Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this event for every line of user input after it has reported login_confused for a connection.

C:The connection.
Line:The line the user typed.

See also: login_confused, login_display, login_failure, login_input_line, login_output_line,