GLOBAL
¶Namespace: | GLOBAL |
---|---|
Source File: | /scripts/base/bif/plugins/Bro_POP3.events.bif.bro |
pop3_data : event |
Generated for server-side multi-line responses on POP3 connections. |
pop3_login_failure : event |
Generated for unsuccessful authentications on POP3 connections. |
pop3_login_success : event |
Generated for successful authentications on POP3 connections. |
pop3_reply : event |
Generated for server-side replies to commands on POP3 connections. |
pop3_request : event |
Generated for client-side commands on POP3 connections. |
pop3_starttls : event |
Generated when a POP3 connection goes encrypted. |
pop3_unexpected : event |
Generated for errors encountered on POP3 sessions. |
pop3_data
¶Type: | event (c: connection , is_orig: bool , data: string ) |
---|
Generated for server-side multi-line responses on POP3 connections. POP3 connections use multi-line responses to send bulk data, such as the actual mails. This event is generated once for each line that’s part of such a response.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | True if the data was sent by the originator of the TCP connection. |
Data: | The data sent. |
See also: pop3_login_failure
, pop3_login_success
, pop3_reply
, pop3_request
, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_login_failure
¶Type: | event (c: connection , is_orig: bool , user: string , password: string ) |
---|
Generated for unsuccessful authentications on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | Always false. |
User: | The user name attempted for authentication. The event is only generated if a non-empty user name was used. |
Password: | The password attempted for authentication. |
See also: pop3_data
, pop3_login_success
, pop3_reply
, pop3_request
, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_login_success
¶Type: | event (c: connection , is_orig: bool , user: string , password: string ) |
---|
Generated for successful authentications on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | Always false. |
User: | The user name used for authentication. The event is only generated if a non-empty user name was used. |
Password: | The password used for authentication. |
See also: pop3_data
, pop3_login_failure
, pop3_reply
, pop3_request
, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_reply
¶Type: | event (c: connection , is_orig: bool , cmd: string , msg: string ) |
---|
Generated for server-side replies to commands on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Cmd: | The success indicator sent by the server. This corresponds to the
first token on the line sent, and should be either OK or ERR . |
Msg: | The textual description the server sent along with cmd. |
See also: pop3_data
, pop3_login_failure
, pop3_login_success
, pop3_request
, pop3_unexpected
Todo
This event is receiving odd parameters, should unify.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_request
¶Type: | event (c: connection , is_orig: bool , command: string , arg: string ) |
---|
Generated for client-side commands on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | True if the command was sent by the originator of the TCP connection. |
Command: | The command sent. |
Arg: | The argument to the command. |
See also: pop3_data
, pop3_login_failure
, pop3_login_success
, pop3_reply
, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_starttls
¶Type: | event (c: connection ) |
---|
Generated when a POP3 connection goes encrypted. While POP3 is by default a clear-text protocol, extensions exist to switch to encryption. This event is generated if that happens and the analyzer then stops processing the connection.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|
See also: pop3_data
, pop3_login_failure
, pop3_login_success
, pop3_reply
, pop3_request
, pop3_unexpected
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
pop3_unexpected
¶Type: | event (c: connection , is_orig: bool , msg: string , detail: string ) |
---|
Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds state transitions that do not conform to the protocol specification, or other situations it can’t handle, it raises this event.
See Wikipedia for more information about the POP3 protocol.
C: | The connection. |
---|---|
Is_orig: | True if the data was sent by the originator of the TCP connection. |
Msg: | A textual description of the situation. |
Detail: | The input that triggered the event. |
See also: pop3_data
, pop3_login_failure
, pop3_login_success
, pop3_reply
, pop3_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.