base/bif/plugins/Bro_NetBIOS.events.bif.bro

GLOBAL
Namespace:GLOBAL
Source File:/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro

Summary

Events

netbios_session_accepted: event Generated for NetBIOS messages of type positive session response.
netbios_session_keepalive: event Generated for NetBIOS messages of type keep-alive.
netbios_session_message: event Generated for all NetBIOS SSN and DGM messages.
netbios_session_raw_message: event Generated for NetBIOS messages of type session message that are not carrying an SMB payload.
netbios_session_rejected: event Generated for NetBIOS messages of type negative session response.
netbios_session_request: event Generated for NetBIOS messages of type session request.
netbios_session_ret_arg_resp: event Generated for NetBIOS messages of type retarget response.

Detailed Interface

Events

netbios_session_accepted
Type:event (c: connection, msg: string)

Generated for NetBIOS messages of type positive session response. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.

C:The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
Msg:The raw payload of the message sent, excluding the common NetBIOS header.

See also: netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_keepalive
Type:event (c: connection, msg: string)

Generated for NetBIOS messages of type keep-alive. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.

C:The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
Msg:The raw payload of the message sent, excluding the common NetBIOS header.

See also: netbios_session_accepted, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_message
Type:event (c: connection, is_orig: bool, msg_type: count, data_len: count)

Generated for all NetBIOS SSN and DGM messages. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.

C:The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
Is_orig:True if the message was sent by the originator of the connection.
Msg_type:The general type of message, as defined in Section 4.3.1 of RFC 1002.
Data_len:The length of the message’s payload.

See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_raw_message
Type:event (c: connection, is_orig: bool, msg: string)

Generated for NetBIOS messages of type session message that are not carrying an SMB payload.

NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.

C:The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
Is_orig:True if the message was sent by the originator of the connection.
Msg:The raw payload of the message sent, excluding the common NetBIOS header (i.e., the user_data).

See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

This is an oddly named event. In fact, it’s probably an odd event to have to begin with.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_rejected
Type:event (c: connection, msg: string)

Generated for NetBIOS messages of type negative session response. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.

C:The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
Msg:The raw payload of the message sent, excluding the common NetBIOS header.

See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_request
Type:event (c: connection, msg: string)

Generated for NetBIOS messages of type session request. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.

C:The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
Msg:The raw payload of the message sent, excluding the common NetBIOS header.

See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_ret_arg_resp
Type:event (c: connection, msg: string)

Generated for NetBIOS messages of type retarget response. Bro’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Bro parses.

C:The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
Msg:The raw payload of the message sent, excluding the common NetBIOS header.

See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, decode_netbios_name, decode_netbios_name_type

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Bro’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

This is an oddly named event.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.