base/bif/plugins/Bro_DNS.events.bif.bro

GLOBAL
Namespace:GLOBAL
Source File:/scripts/base/bif/plugins/Bro_DNS.events.bif.bro

Summary

Events

dns_A6_reply: event Generated for DNS replies of type A6.
dns_AAAA_reply: event Generated for DNS replies of type AAAA.
dns_A_reply: event Generated for DNS replies of type A.
dns_CAA_reply: event Generated for DNS replies of type CAA (Certification Authority Authorization).
dns_CNAME_reply: event Generated for DNS replies of type CNAME.
dns_DNSKEY: event Generated for DNS replies of type DNSKEY.
dns_DS: event Generated for DNS replies of type DS.
dns_EDNS_addl: event Generated for DNS replies of type EDNS.
dns_HINFO_reply: event Generated for DNS replies of type HINFO.
dns_MX_reply: event Generated for DNS replies of type MX.
dns_NSEC: event Generated for DNS replies of type NSEC.
dns_NSEC3: event Generated for DNS replies of type NSEC3.
dns_NS_reply: event Generated for DNS replies of type NS.
dns_PTR_reply: event Generated for DNS replies of type PTR.
dns_RRSIG: event Generated for DNS replies of type RRSIG.
dns_SOA_reply: event Generated for DNS replies of type CNAME.
dns_SRV_reply: event Generated for DNS replies of type SRV.
dns_TSIG_addl: event Generated for DNS replies of type TSIG.
dns_TXT_reply: event Generated for DNS replies of type TXT.
dns_WKS_reply: event Generated for DNS replies of type WKS.
dns_end: event Generated at the end of processing a DNS packet.
dns_full_request: event Deprecated.
dns_message: event Generated for all DNS messages.
dns_query_reply: event Generated for each entry in the Question section of a DNS reply.
dns_rejected: event Generated for DNS replies that reject a query.
dns_request: event Generated for DNS requests.
dns_unknown_reply: event Generated on DNS reply resource records when the type of record is not one that Bro knows how to parse and generate another more specific event.
non_dns_request: event msg: The raw DNS payload.

Detailed Interface

Events

dns_A6_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
A:The address returned by the reply.

See also: dns_A_reply, dns_AAAA_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_AAAA_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
A:The address returned by the reply.

See also: dns_A_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_A_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
A:The address returned by the reply.

See also: dns_AAAA_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_CAA_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)

Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Flags:The flags byte of the CAA reply.
Tag:The property identifier of the CAA reply.
Value:The property value of the CAA reply.
dns_CNAME_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Name:The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_DNSKEY
Type:event (c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)

Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Dnskey:The parsed DNSKEY record.
dns_DS
Type:event (c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)

Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Ds:The parsed RDATA of DS record.
dns_EDNS_addl
Type:event (c: connection, msg: dns_msg, ans: dns_edns_additional)

Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The parsed EDNS reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_HINFO_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_MX_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)

Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Name:The name returned by the reply.
Preference:The preference for name specified by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_NSEC
Type:event (c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)

Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Next_name:The parsed next secure domain name.
Bitmaps:vector of strings in hex for the bit maps present.
dns_NSEC3
Type:event (c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)

Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Nsec3:The parsed RDATA of Nsec3 record.
dns_NS_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Name:The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_PTR_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Name:The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_RRSIG
Type:event (c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)

Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Rrsig:The parsed RRSIG record.
dns_SOA_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Soa:The parsed SOA value.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_SRV_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)

Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Target:Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.
Priority:Priority of the SRV response – the priority of the target host, lower value means more preferred.
Weight:Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred.
P:Port of the SRV response – the TCP or UDP port on which the service is to be found.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_TSIG_addl
Type:event (c: connection, msg: dns_msg, ans: dns_tsig_additional)

Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The parsed TSIG reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_TXT_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.
Strs:The textual information returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_WKS_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_end
Type:event (c: connection, msg: dns_msg)

Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_full_request
Type:event ()

Deprecated. Will be removed.

Todo

Unclear what this event is for; it’s never raised. We should just remove it.

dns_message
Type:event (c: connection, is_orig: bool, msg: dns_msg, len: count)

Generated for all DNS messages.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Is_orig:True if the message was sent by the originator of the connection.
Msg:The parsed DNS message header.
Len:The length of the message’s raw representation (i.e., the DNS payload).

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_query_reply, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_query_reply
Type:event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for each entry in the Question section of a DNS reply.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Query:The queried name.
Qtype:The queried resource record type.
Qclass:The queried resource record class.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_rejected, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_rejected
Type:event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Query:The queried name.
Qtype:The queried resource record type.
Qclass:The queried resource record class.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_request, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_request
Type:event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS requests. For requests with multiple queries, this event is raised once for each.

See Wikipedia for more information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Query:The queried name.
Qtype:The queried resource record type.
Qclass:The queried resource record class.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_full_request, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, non_dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_unknown_reply
Type:event (c: connection, msg: dns_msg, ans: dns_answer)

Generated on DNS reply resource records when the type of record is not one that Bro knows how to parse and generate another more specific event.

C:The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg:The parsed DNS message header.
Ans:The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_SRV_reply, dns_end

non_dns_request
Type:event (c: connection, msg: string)
Msg:The raw DNS payload.

Note

This event is deprecated and superseded by Bro’s dynamic protocol detection framework.


Table of Contents

Next Page

base/bif/plugins/Bro_File.events.bif.bro

Previous Page

base/bif/plugins/Bro_DNP3.events.bif.bro

Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.