base/init-bare.bro

Namespaces: Cluster, DCE_RPC, DHCP, GLOBAL, JSON, KRB, MOUNT3, NCP, NFS3, NTLM, PE, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SNMP, SOCKS, SSH, SSL, Threading, Tunnel, Unified2, Weird, X509
Imports: base/bif/bro.bif.bro, base/bif/const.bif.bro, base/bif/event.bif.bro, base/bif/option.bif.bro, base/bif/plugins/Bro_KRB.types.bif.bro, base/bif/plugins/Bro_SNMP.types.bif.bro, base/bif/reporter.bif.bro, base/bif/stats.bif.bro, base/bif/strings.bif.bro, base/bif/types.bif.bro
Source File: /scripts/base/init-bare.bro

Summary

Runtime Options

Weird::sampling_duration: interval &redef How long a weird of a given type is allowed to keep state/counters in memory.
Weird::sampling_rate: count &redef The rate-limiting sampling rate.
Weird::sampling_threshold: count &redef How many weirds of a given type to tolerate before sampling begins.
Weird::sampling_whitelist: set &redef Prevents rate-limiting sampling of any weirds named in this set.
default_file_bof_buffer_size: count &redef Default number of bytes that file analysis will buffer in order to use for MIME type matching.
default_file_timeout_interval: interval &redef Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

Redefinable Options

DCE_RPC::max_cmd_reassembly: count &redef The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it will generate a weird and skip further input.
DCE_RPC::max_frag_data: count &redef The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.
KRB::keytab: string &redef Kerberos keytab file name.
NCP::max_frame_size: count &redef The maximum number of bytes to allocate when parsing NCP frames.
NFS3::return_data: bool &redef If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.
NFS3::return_data_first_only: bool &redef If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.
NFS3::return_data_max: count &redef If NFS3::return_data is true, how much data should be returned at most.
Pcap::bufsize: count &redef Number of Mbytes to provide as buffer space when capturing from live interfaces.
Pcap::snaplen: count &redef Number of bytes per packet to capture from live interfaces.
Reporter::errors_to_stderr: bool &redef Tunable for sending reporter error messages to STDERR.
Reporter::info_to_stderr: bool &redef Tunable for sending reporter info messages to STDERR.
Reporter::warnings_to_stderr: bool &redef Tunable for sending reporter warning messages to STDERR.
SMB::pipe_filenames: set &redef A set of file names used as named pipes over SMB.
Threading::heartbeat_interval: interval &redef The heartbeat interval used by the threading framework.
Tunnel::delay_gtp_confirmation: bool &redef With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing protocol_confirmation.
Tunnel::delay_teredo_confirmation: bool &redef With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing a protocol_confirmation.
Tunnel::enable_ayiya: bool &redef Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
Tunnel::enable_gre: bool &redef Toggle whether to do GRE decapsulation.
Tunnel::enable_gtpv1: bool &redef Toggle whether to do GTPv1 decapsulation.
Tunnel::enable_ip: bool &redef Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
Tunnel::enable_teredo: bool &redef Toggle whether to do IPv6-in-Teredo decapsulation.
Tunnel::ip_tunnel_timeout: interval &redef How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).
Tunnel::max_depth: count &redef The maximum depth of a tunnel to decapsulate until giving up.
backdoor_stat_backoff: double &redef Deprecated.
backdoor_stat_period: interval &redef Deprecated.
bits_per_uid: count &redef Number of bits in UIDs that are generated to identify connections and files.
check_for_unused_event_handlers: bool &redef If true, warns about unused event handlers at startup.
chunked_io_buffer_soft_cap: count &redef The number of IO chunks allowed to be buffered between the child and parent process of remote communication before Bro starts dropping connections to remote peers in an attempt to catch up.
cmd_line_bpf_filter: string &redef BPF filter the user has set via the -f command line options.
detect_filtered_trace: bool &redef Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections.
dns_resolver: addr &redef The address of the DNS resolver to use.
dns_session_timeout: interval &redef Time to wait before timing out a DNS request.
dpd_buffer_size: count &redef Size of per-connection buffer used for dynamic protocol detection.
dpd_ignore_ports: bool &redef If true, don’t consider any ports for deciding which protocol analyzer to use.
dpd_match_only_beginning: bool &redef If true, stops signature matching if dpd_buffer_size has been reached.
dpd_reassemble_first_packets: bool &redef Reassemble the beginning of all TCP connections before doing signature matching.
enable_syslog: bool &redef Deprecated.
encap_hdr_size: count &redef If positive, indicates the encapsulation header size that should be skipped.
exit_only_after_terminate: bool &redef Flag to prevent Bro from exiting automatically when input is exhausted.
expensive_profiling_multiple: count &redef Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).
forward_remote_events: bool &redef If true, broadcast events received from one peer to all other peers.
forward_remote_state_changes: bool &redef If true, broadcast state updates received from one peer to all other peers.
frag_timeout: interval &redef How long to hold onto fragments for possible reassembly.
global_hash_seed: string &redef Seed for hashes computed internally for probabilistic data structures.
icmp_inactivity_timeout: interval &redef If an ICMP flow is inactive, time it out after this interval.
ignore_checksums: bool &redef If true, don’t verify checksums.
ignore_keep_alive_rexmit: bool &redef Ignore certain TCP retransmissions for conn_stats.
interconn_default_pkt_size: count &redef Deprecated.
interconn_max_interarrival: interval &redef Deprecated.
interconn_max_keystroke_pkt_size: count &redef Deprecated.
interconn_min_interarrival: interval &redef Deprecated.
interconn_stat_backoff: double &redef Deprecated.
interconn_stat_period: interval &redef Deprecated.
likely_server_ports: set &redef Ports which the core considers being likely used by servers.
log_encryption_key: string &redef Deprecated.
log_max_size: double &redef Deprecated.
log_rotate_base_time: string &redef Deprecated.
log_rotate_interval: interval &redef Deprecated.
max_files_in_cache: count &redef The maximum number of open files to keep cached at a given time.
max_remote_events_processed: count &redef With a similar trade-off, this gives the number of remote events to process in a batch before interleaving other activity.
max_timer_expires: count &redef The maximum number of timers to expire after processing each new packet.
mmdb_dir: string &redef The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.
non_analyzed_lifetime: interval &redef If a connection belongs to an application that we don’t analyze, time it out after this interval.
ntp_session_timeout: interval &redef Time to wait before timing out an NTP request.
old_comm_usage_is_ok: bool &redef Whether usage of the old communication system is considered an error or not.
packet_filter_default: bool &redef Default mode for Bro’s user-space dynamic packet filter.
partial_connection_ok: bool &redef If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.
passive_fingerprint_file: string &redef p0f fingerprint file to use.
peer_description: string &redef Description transmitted to remote communication peers for identification.
pkt_profile_freq: double &redef Frequency associated with packet profiling.
pkt_profile_mode: pkt_profile_modes &redef Output mode for packet profiling information.
profiling_interval: interval &redef Update interval for profiling (0 disables).
record_all_packets: bool &redef If a trace file is given with -w, dump all packets seen by Bro into it.
remote_check_sync_consistency: bool &redef Whether, for &synchronized state, to send the old value as a consistency check.
remote_trace_sync_interval: interval &redef Synchronize trace processing at a regular basis in pseudo-realtime mode.
remote_trace_sync_peers: count &redef Number of peers across which to synchronize trace processing in pseudo-realtime mode.
report_gaps_for_partial: bool &redef Whether we want content_gap for partial connections.
rpc_timeout: interval &redef Time to wait before timing out an RPC request.
segment_profiling: bool &redef If true, then write segment profiling information (very high volume!) in addition to profiling statistics.
sig_max_group_size: count &redef Maximum size of regular expression groups for signature matching.
skip_http_data: bool &redef Skip HTTP data for performance considerations.
ssl_ca_certificate: string &redef The CA certificate file to authorize remote Bros/Broccolis.
ssl_passphrase: string &redef The passphrase for our private key.
ssl_private_key: string &redef File containing our private key and our certificate.
state_dir: string &redef Specifies a directory for Bro to store its persistent state.
state_write_delay: interval &redef Length of the delays inserted when storing state incrementally.
stp_delta: interval &redef Internal to the stepping stone detector.
stp_idle_min: interval &redef Internal to the stepping stone detector.
suppress_local_output: bool &redef Deprecated.
table_expire_delay: interval &redef When expiring table entries, wait this amount of time before checking the next chunk of entries.
table_expire_interval: interval &redef Check for expired table entries after this amount of time.
table_incremental_step: count &redef When expiring/serializing table entries, don’t work on more than this many table entries at a time.
tcp_SYN_ack_ok: bool &redef If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).
tcp_SYN_timeout: interval &redef Check up on the result of an initial SYN after this much time.
tcp_attempt_delay: interval &redef Wait this long upon seeing an initial SYN before timing out the connection attempt.
tcp_close_delay: interval &redef Upon seeing a normal connection close, flush state after this much time.
tcp_connection_linger: interval &redef When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long.
tcp_content_deliver_all_orig: bool &redef If true, all TCP originator-side traffic is reported via tcp_contents.
tcp_content_deliver_all_resp: bool &redef If true, all TCP responder-side traffic is reported via tcp_contents.
tcp_content_delivery_ports_orig: table &redef Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.
tcp_content_delivery_ports_resp: table &redef Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.
tcp_excessive_data_without_further_acks: count &redef If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff.
tcp_inactivity_timeout: interval &redef If a TCP connection is inactive, time it out after this interval.
tcp_match_undelivered: bool &redef If true, pass any undelivered data to the signature engine before flushing the state.
tcp_max_above_hole_without_any_acks: count &redef If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection.
tcp_max_initial_window: count &redef Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks).
tcp_max_old_segments: count &redef Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies.
tcp_partial_close_delay: interval &redef Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.
tcp_reassembler_ports_orig: set &redef For services without a handler, these sets define originator-side ports that still trigger reassembly.
tcp_reassembler_ports_resp: set &redef For services without a handler, these sets define responder-side ports that still trigger reassembly.
tcp_reset_delay: interval &redef Upon seeing a RST, flush state after this much time.
tcp_session_timer: interval &redef After a connection has closed, wait this long for further activity before checking whether to time out its state.
tcp_storm_interarrival_thresh: interval &redef FINs/RSTs must come with this much time or less between them to be considered a “storm”.
tcp_storm_thresh: count &redef Number of FINs/RSTs in a row that constitute a “storm”.
time_machine_profiling: bool &redef If true, output profiling for Time-Machine queries.
timer_mgr_inactivity_timeout: interval &redef Per-incident timer managers are drained after this amount of inactivity.
truncate_http_URI: int &redef Maximum length of HTTP URIs passed to events.
udp_content_deliver_all_orig: bool &redef If true, all UDP originator-side traffic is reported via udp_contents.
udp_content_deliver_all_resp: bool &redef If true, all UDP responder-side traffic is reported via udp_contents.
udp_content_delivery_ports_orig: table &redef Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.
udp_content_delivery_ports_resp: table &redef Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.
udp_inactivity_timeout: interval &redef If a UDP flow is inactive, time it out after this interval.
use_conn_size_analyzer: bool &redef Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint.
watchdog_interval: interval &redef Bro’s watchdog interval.

Constants

CONTENTS_BOTH: count Record both originator and responder contents.
CONTENTS_NONE: count Turn off recording of contents.
CONTENTS_ORIG: count Record originator contents.
CONTENTS_RESP: count Record responder contents.
DNS_ADDL: count An additional record.
DNS_ANS: count An answer record.
DNS_AUTH: count An authoritative record.
DNS_QUERY: count A query.
ENDIAN_BIG: count Big endian.
ENDIAN_CONFUSED: count Tried to determine endian, but failed.
ENDIAN_LITTLE: count Little endian.
ENDIAN_UNKNOWN: count Endian not yet determined.
ICMP_UNREACH_ADMIN_PROHIB: count Administratively prohibited.
ICMP_UNREACH_HOST: count Host unreachable.
ICMP_UNREACH_NEEDFRAG: count Fragment needed.
ICMP_UNREACH_NET: count Network unreachable.
ICMP_UNREACH_PORT: count Port unreachable.
ICMP_UNREACH_PROTOCOL: count Protocol unreachable.
IPPROTO_AH: count IPv6 authentication header.
IPPROTO_DSTOPTS: count IPv6 destination options header.
IPPROTO_ESP: count IPv6 encapsulating security payload header.
IPPROTO_FRAGMENT: count IPv6 fragment header.
IPPROTO_HOPOPTS: count IPv6 hop-by-hop-options header.
IPPROTO_ICMP: count Control message protocol.
IPPROTO_ICMPV6: count ICMP for IPv6.
IPPROTO_IGMP: count Group management protocol.
IPPROTO_IP: count Dummy for IP.
IPPROTO_IPIP: count IP encapsulation in IP.
IPPROTO_IPV6: count IPv6 header.
IPPROTO_MOBILITY: count IPv6 mobility header.
IPPROTO_NONE: count IPv6 no next header.
IPPROTO_RAW: count Raw IP packet.
IPPROTO_ROUTING: count IPv6 routing header.
IPPROTO_TCP: count TCP.
IPPROTO_UDP: count User datagram protocol.
LOGIN_STATE_AUTHENTICATE: count
LOGIN_STATE_CONFUSED: count
LOGIN_STATE_LOGGED_IN: count
LOGIN_STATE_SKIP: count
PEER_ID_NONE: count Place-holder constant indicating “no peer”.
REMOTE_LOG_ERROR: count Deprecated.
REMOTE_LOG_INFO: count Deprecated.
REMOTE_SRC_CHILD: count Message from the child process.
REMOTE_SRC_PARENT: count Message from the parent process.
REMOTE_SRC_SCRIPT: count Message from a policy script.
RPC_status: table Mapping of numerical RPC status codes to readable messages.
SNMP::OBJ_COUNTER32_TAG: count Unsigned 32-bit integer.
SNMP::OBJ_COUNTER64_TAG: count Unsigned 64-bit integer.
SNMP::OBJ_ENDOFMIBVIEW_TAG: count A NULL value.
SNMP::OBJ_INTEGER_TAG: count Signed 64-bit integer.
SNMP::OBJ_IPADDRESS_TAG: count An IP address.
SNMP::OBJ_NOSUCHINSTANCE_TAG: count A NULL value.
SNMP::OBJ_NOSUCHOBJECT_TAG: count A NULL value.
SNMP::OBJ_OCTETSTRING_TAG: count An octet string.
SNMP::OBJ_OID_TAG: count An Object Identifier.
SNMP::OBJ_OPAQUE_TAG: count An octet string.
SNMP::OBJ_TIMETICKS_TAG: count Unsigned 32-bit integer.
SNMP::OBJ_UNSIGNED32_TAG: count Unsigned 32-bit integer.
SNMP::OBJ_UNSPECIFIED_TAG: count A NULL value.
TCP_CLOSED: count Endpoint has closed connection.
TCP_ESTABLISHED: count Endpoint has finished initial handshake regularly.
TCP_INACTIVE: count Endpoint is still inactive.
TCP_PARTIAL: count Endpoint has sent data but no initial SYN.
TCP_RESET: count Endpoint has sent RST.
TCP_SYN_ACK_SENT: count Endpoint has sent SYN/ACK.
TCP_SYN_SENT: count Endpoint has sent SYN.
TH_ACK: count ACK.
TH_FIN: count FIN.
TH_FLAGS: count Mask combining all flags.
TH_PUSH: count PUSH.
TH_RST: count RST.
TH_SYN: count SYN.
TH_URG: count URG.
UDP_ACTIVE: count Endpoint has sent something.
UDP_INACTIVE: count Endpoint is still inactive.
trace_output_file: string Holds the filename of the trace file given with -w (empty if none).

State Variables

capture_filters: table &redef Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique).
direct_login_prompts: set &redef TODO.
discarder_maxlen: count &redef Maximum length of payload passed to discarder functions.
dns_max_queries: count &redef If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it.
dns_skip_addl: set &redef For DNS servers in these sets, omit processing the ADDL records they include in their replies.
dns_skip_all_addl: bool &redef If true, all DNS ADDL records are skipped.
dns_skip_all_auth: bool &redef If true, all DNS AUTH records are skipped.
dns_skip_auth: set &redef For DNS servers in these sets, omit processing the AUTH records they include in their replies.
done_with_network: bool
generate_OS_version_event: set &redef Defines for which subnets we should do passive fingerprinting.
http_entity_data_delivery_size: count &redef Maximum number of bytes of HTTP entity data delivered to events.
interfaces: string &add_func = add_interface &redef Network interfaces to listen on.
irc_servers: set &redef Deprecated.
load_sample_freq: count &redef Rate at which to generate load_sample events.
login_failure_msgs: set &redef TODO.
login_non_failure_msgs: set &redef TODO.
login_prompts: set &redef TODO.
login_success_msgs: set &redef TODO.
login_timeouts: set &redef TODO.
mime_segment_length: count &redef The length of MIME data segments delivered to handlers of mime_segment_data.
mime_segment_overlap_length: count &redef The number of bytes of overlap between successive segments passed to mime_segment_data.
pkt_profile_file: file &redef File where packet profiles are logged.
profiling_file: file &redef Write profiling info into this file in regular intervals.
restrict_filters: table &redef Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).
secondary_filters: table &redef Definition of “secondary filters”.
signature_files: string &add_func = add_signature_file &redef Signature files to read.
skip_authentication: set &redef TODO.
stp_skip_src: set &redef Internal to the stepping stone detector.

Types

BrokerStats: record Statistics about Broker communication.
Cluster::Pool: record A pool used for distributing data/work among a set of cluster nodes.
ConnStats: record
DHCP::Addrs: vector A list of addresses offered by a DHCP server.
DHCP::ClientFQDN: record DHCP Client FQDN Option information (Option 81).
DHCP::ClientID: record DHCP Client Identifier (Option 61).
DHCP::Msg: record A DHCP message.
DHCP::Options: record
DHCP::SubOpt: record DHCP Relay Agent Information Option (Option 82).
DHCP::SubOpts: vector
DNSStats: record Statistics related to Bro’s active use of DNS.
EncapsulatingConnVector: vector A type alias for a vector of encapsulating “connections”, i.e.
EventStats: record
FileAnalysisStats: record Statistics of file analysis.
GapStats: record Statistics about number of gaps in TCP connections.
IPAddrAnonymization: enum Deprecated.
IPAddrAnonymizationClass: enum Deprecated.
JSON::TimestampFormat: enum
KRB::AP_Options: record AP Options.
KRB::Error_Msg: record The data from the ERROR_MSG message.
KRB::Host_Address: record A Kerberos host address; see RFC 4120.
KRB::Host_Address_Vector: vector
KRB::KDC_Options: record KDC Options.
KRB::KDC_Request: record The data from the AS_REQ and TGS_REQ messages.
KRB::KDC_Response: record The data from the AS_REQ and TGS_REQ messages.
KRB::SAFE_Msg: record The data from the SAFE message.
KRB::Ticket: record A Kerberos ticket.
KRB::Ticket_Vector: vector
KRB::Type_Value: record Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
KRB::Type_Value_Vector: vector
MOUNT3::dirmntargs_t: record MOUNT mnt arguments.
MOUNT3::info_t: record Record summarizing the general results and status of MOUNT3 request/reply pairs.
MOUNT3::mnt_reply_t: record MOUNT lookup reply.
MatcherStats: record Statistics of all regular expression matchers.
ModbusCoils: vector A vector of boolean values that indicate the setting for a range of Modbus coils.
ModbusHeaders: record
ModbusRegisters: vector A vector of count values that represent 16-bit Modbus register values.
NFS3::delobj_reply_t: record NFS reply for remove, rmdir.
NFS3::direntry_t: record NFS direntry.
NFS3::direntry_vec_t: vector Vector of NFS direntry.
NFS3::diropargs_t: record NFS readdir arguments.
NFS3::fattr_t: record NFS file attributes.
NFS3::fsstat_t: record NFS fsstat.
NFS3::info_t: record Record summarizing the general results and status of NFSv3 request/reply pairs.
NFS3::link_reply_t: record NFS link reply.
NFS3::linkargs_t: record NFS link arguments.
NFS3::lookup_reply_t: record NFS lookup reply.
NFS3::newobj_reply_t: record NFS reply for create, mkdir, and symlink.
NFS3::read_reply_t: record NFS read reply.
NFS3::readargs_t: record NFS read arguments.
NFS3::readdir_reply_t: record NFS readdir reply.
NFS3::readdirargs_t: record NFS readdir arguments.
NFS3::readlink_reply_t: record NFS readlink reply.
NFS3::renameobj_reply_t: record NFS reply for rename.
NFS3::renameopargs_t: record NFS rename arguments.
NFS3::sattr_reply_t: record NFS sattr reply.
NFS3::sattr_t: record NFS file attributes.
NFS3::sattrargs_t: record NFS sattr arguments.
NFS3::symlinkargs_t: record NFS symlink arguments.
NFS3::symlinkdata_t: record NFS symlinkdata attributes.
NFS3::wcc_attr_t: record NFS wcc attributes.
NFS3::write_reply_t: record NFS write reply.
NFS3::writeargs_t: record NFS write arguments.
NTLM::AVs: record
NTLM::Authenticate: record
NTLM::Challenge: record
NTLM::Negotiate: record
NTLM::NegotiateFlags: record
NTLM::Version: record
NetStats: record Packet capture statistics.
OS_version: record Passive fingerprinting match.
OS_version_inference: enum Quality of passive fingerprinting matches.
PE::DOSHeader: record
PE::FileHeader: record
PE::OptionalHeader: record
PE::SectionHeader: record Record for Portable Executable (PE) section headers.
PcapFilterID: enum Enum type identifying dynamic BPF filters.
ProcStats: record Statistics about Bro’s process.
RADIUS::AttributeList: vector
RADIUS::Attributes: table
RADIUS::Message: record
RDP::ClientCoreData: record
RDP::EarlyCapabilityFlags: record
ReassemblerStats: record Holds statistics for all types of reassembly.
ReporterStats: record Statistics about reporter messages and weirds.
SMB1::Find_First2_Request_Args: record
SMB1::Find_First2_Response_Args: record
SMB1::Header: record An SMB1 header.
SMB1::NegotiateCapabilities: record
SMB1::NegotiateRawMode: record
SMB1::NegotiateResponse: record
SMB1::NegotiateResponseCore: record
SMB1::NegotiateResponseLANMAN: record
SMB1::NegotiateResponseNTLM: record
SMB1::NegotiateResponseSecurity: record
SMB1::SessionSetupAndXCapabilities: record
SMB1::SessionSetupAndXRequest: record
SMB1::SessionSetupAndXResponse: record
SMB1::Trans2_Args: record
SMB1::Trans2_Sec_Args: record
SMB1::Trans_Sec_Args: record
SMB2::CloseResponse: record The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.
SMB2::CreateRequest: record The request sent by the client to request either creation of or access to a file.
SMB2::CreateResponse: record The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.
SMB2::FileAttrs: record A series of boolean flags describing basic and extended file attributes for SMB2.
SMB2::GUID: record An SMB2 globally unique identifier which identifies a file.
SMB2::Header: record An SMB2 header.
SMB2::NegotiateResponse: record The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.
SMB2::SessionSetupFlags: record A flags field that indicates additional information about the session that’s sent in the session_setup response.
SMB2::SessionSetupRequest: record The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
SMB2::SessionSetupResponse: record The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
SMB2::TreeConnectResponse: record The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.
SMB::MACTimes: record &log MAC times for a file.
SNMP::Binding: record The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.
SNMP::Bindings: vector A VarBindList data structure from either RFC 1157 or RFC 3416.
SNMP::BulkPDU: record A BulkPDU data structure from RFC 3416.
SNMP::Header: record A generic SNMP header data structure that may include data from any version of SNMP.
SNMP::HeaderV1: record The top-level message data structure of an SNMPv1 datagram, not including the PDU data.
SNMP::HeaderV2: record The top-level message data structure of an SNMPv2 datagram, not including the PDU data.
SNMP::HeaderV3: record The top-level message data structure of an SNMPv3 datagram, not including the PDU data.
SNMP::ObjectValue: record A generic SNMP object value, that may include any of the valid ObjectSyntax values from RFC 1155 or RFC 3416.
SNMP::PDU: record A PDU data structure from either RFC 1157 or RFC 3416.
SNMP::ScopedPDU_Context: record The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e.
SNMP::TrapPDU: record A Trap-PDU data structure from RFC 1157.
SOCKS::Address: record &log This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.
SSH::Algorithm_Prefs: record The client and server each have some preferences for the algorithms used in each direction.
SSH::Capabilities: record This record lists the preferences of an SSH endpoint for algorithm selection.
SSL::SignatureAndHashAlgorithm: record
SYN_packet: record Fields of a SYN packet.
ThreadStats: record Statistics about threads.
TimerStats: record Statistics of timers.
Tunnel::EncapsulatingConn: record &log Records the identity of an encapsulating parent of a tunneled connection.
Unified2::IDSEvent: record
Unified2::Packet: record
X509::BasicConstraints: record &log
X509::Certificate: record
X509::Extension: record
X509::Result: record Result of an X509 certificate chain verification.
X509::SubjectAlternativeName: record
addr_set: set A set of addresses.
addr_vec: vector A vector of addresses.
any_vec: vector A vector of any, used by some builtin functions to store a list of varying types.
backdoor_endp_stats: record Deprecated.
bittorrent_benc_dir: table A table of BitTorrent “benc” values.
bittorrent_benc_value: record BitTorrent “benc” value.
bittorrent_peer: record A BitTorrent peer.
bittorrent_peer_set: set A set of BitTorrent peers.
bt_tracker_headers: table Header table type used by BitTorrent analyzer.
call_argument: record Meta-information about a parameter to a function/event.
call_argument_vector: vector Vector type used to capture parameters of a function/event call.
conn_id: record &log A connection’s identifying 4-tuple of endpoints and ports.
connection: record A connection.
count_set: set A set of counts.
dns_answer: record The general part of a DNS reply.
dns_dnskey_rr: record A DNSSEC DNSKEY record.
dns_ds_rr: record A DNSSEC DS record.
dns_edns_additional: record An additional DNS EDNS record.
dns_mapping: record
dns_msg: record A DNS message.
dns_nsec3_rr: record A DNSSEC NSEC3 record.
dns_rrsig_rr: record A DNSSEC RRSIG record.
dns_soa: record A DNS SOA record.
dns_tsig_additional: record An additional DNS TSIG record.
endpoint: record Statistics about a connection endpoint.
endpoint_stats: record Statistics about what a TCP endpoint sent.
entropy_test_result: record Computed entropy values.
event_peer: record A communication peer.
fa_file: record &redef A file that Bro is analyzing.
fa_metadata: record Metadata that’s been inferred about a particular file.
files_tag_set: set A set of file analyzer tags.
flow_id: record &log The identifying 4-tuple of a uni-directional flow.
ftp_port: record A parsed host/port combination describing server endpoint for an upcoming data transfer.
geo_location: record &log GeoIP location information.
gtp_access_point_name: string
gtp_cause: count
gtp_charging_characteristics: count
gtp_charging_gateway_addr: addr
gtp_charging_id: count
gtp_create_pdp_ctx_request_elements: record
gtp_create_pdp_ctx_response_elements: record
gtp_delete_pdp_ctx_request_elements: record
gtp_delete_pdp_ctx_response_elements: record
gtp_end_user_addr: record
gtp_gsn_addr: record
gtp_imsi: count
gtp_msisdn: string
gtp_nsapi: count
gtp_omc_id: string
gtp_private_extension: record
gtp_proto_config_options: string
gtp_qos_profile: record
gtp_rai: record
gtp_recovery: count
gtp_reordering_required: bool
gtp_selection_mode: count
gtp_teardown_ind: bool
gtp_teid1: count
gtp_teid_control_plane: count
gtp_tft: string
gtp_trace_reference: count
gtp_trace_type: count
gtp_trigger_id: string
gtp_update_pdp_ctx_request_elements: record
gtp_update_pdp_ctx_response_elements: record
gtpv1_hdr: record A GTPv1 (GPRS Tunneling Protocol) header.
http_message_stat: record HTTP message statistics.
http_stats_rec: record HTTP session statistics.
icmp6_nd_option: record Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.
icmp6_nd_options: vector A type alias for a vector of ICMPv6 neighbor discovery message options.
icmp6_nd_prefix_info: record Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.
icmp_conn: record Specifics about an ICMP conversation.
icmp_context: record Packet context part of an ICMP message.
icmp_hdr: record Values extracted from an ICMP header.
id_table: table Table type used to map script-level identifiers to meta-information describing them.
index_vec: vector A vector of counts, used by some builtin functions to store a list of indices.
interconn_endp_stats: record Deprecated.
ip4_hdr: record Values extracted from an IPv4 header.
ip6_ah: record Values extracted from an IPv6 Authentication extension header.
ip6_dstopts: record Values extracted from an IPv6 Destination options extension header.
ip6_esp: record Values extracted from an IPv6 ESP extension header.
ip6_ext_hdr: record A general container for a more specific IPv6 extension header.
ip6_ext_hdr_chain: vector A type alias for a vector of IPv6 extension headers.
ip6_fragment: record Values extracted from an IPv6 Fragment extension header.
ip6_hdr: record Values extracted from an IPv6 header.
ip6_hopopts: record Values extracted from an IPv6 Hop-by-Hop options extension header.
ip6_mobility_back: record Values extracted from an IPv6 Mobility Binding Acknowledgement message.
ip6_mobility_be: record Values extracted from an IPv6 Mobility Binding Error message.
ip6_mobility_brr: record Values extracted from an IPv6 Mobility Binding Refresh Request message.
ip6_mobility_bu: record Values extracted from an IPv6 Mobility Binding Update message.
ip6_mobility_cot: record Values extracted from an IPv6 Mobility Care-of Test message.
ip6_mobility_coti: record Values extracted from an IPv6 Mobility Care-of Test Init message.
ip6_mobility_hdr: record Values extracted from an IPv6 Mobility header.
ip6_mobility_hot: record Values extracted from an IPv6 Mobility Home Test message.
ip6_mobility_hoti: record Values extracted from an IPv6 Mobility Home Test Init message.
ip6_mobility_msg: record Values extracted from an IPv6 Mobility header’s message data.
ip6_option: record Values extracted from an IPv6 extension header’s (e.g.
ip6_options: vector A type alias for a vector of IPv6 options.
ip6_routing: record Values extracted from an IPv6 Routing extension header.
irc_join_info: record IRC join information.
irc_join_list: set Set of IRC join information.
l2_hdr: record Values extracted from the layer 2 header.
load_sample_info: set  
mime_header_list: table A list of MIME headers.
mime_header_rec: record A MIME header key/value pair.
mime_match: record A structure indicating a MIME type and strength of a match against file magic signatures.
mime_matches: vector A vector of file magic signature matches, ordered by strength of the signature, strongest first.
ntp_msg: record An NTP message.
packet: record Deprecated.
pcap_packet: record Policy-level representation of a packet passed on by libpcap.
peer_id: count A locally unique ID identifying a communication peer.
pkt_hdr: record A packet header, consisting of an IP header and transport-layer header.
pkt_profile_modes: enum Output modes for packet profiling information.
pm_callit_request: record An RPC portmapper callit request.
pm_mapping: record An RPC portmapper mapping.
pm_mappings: table Table of RPC portmapper mappings.
pm_port_request: record An RPC portmapper request.
raw_pkt_hdr: record A raw packet header, consisting of L2 header and everything in pkt_hdr.
record_field: record Meta-information about a record field.
record_field_table: table Table type used to map record field declarations to meta-information describing them.
rotate_info: record Deprecated.
script_id: record Meta-information about a script-level identifier.
signature_and_hashalgorithm_vec: vector A vector of Signature and Hash Algorithms.
signature_state: record Description of a signature match.
software: record  
software_version: record  
string_array: table An ordered array of strings.
string_set: set A set of strings.
string_vec: vector A vector of strings.
subnet_vec: vector A vector of subnets.
sw_align: record Helper type for return value of Smith-Waterman algorithm.
sw_align_vec: vector Helper type for return value of Smith-Waterman algorithm.
sw_params: record Parameters for the Smith-Waterman algorithm.
sw_substring: record Helper type for return value of Smith-Waterman algorithm.
sw_substring_vec: vector Return type for Smith-Waterman algorithm.
table_string_of_count: table A table of counts indexed by strings.
table_string_of_string: table A table of strings indexed by strings.
tcp_hdr: record Values extracted from a TCP header.
teredo_auth: record A Teredo origin indication header.
teredo_hdr: record A Teredo packet header.
teredo_origin: record A Teredo authentication header.
transport_proto: enum A connection’s transport-layer protocol.
udp_hdr: record Values extracted from a UDP header.
var_sizes: table Table type used to map variable names to their memory allocation.
x509_opaque_vector: vector A vector of x509 opaques.

Functions

add_interface: function Internal function.
add_signature_file: function Internal function.
discarder_check_icmp: function Function for skipping packets based on their ICMP header.
discarder_check_ip: function Function for skipping packets based on their IP header.
discarder_check_tcp: function Function for skipping packets based on their TCP header.
discarder_check_udp: function Function for skipping packets based on their UDP header.
log_file_name: function &redef Deprecated.
max_count: function Returns maximum of two count values.
max_double: function Returns maximum of two double values.
max_interval: function Returns maximum of two interval values.
min_count: function Returns minimum of two count values.
min_double: function Returns minimum of two double values.
min_interval: function Returns minimum of two interval values.
open_log_file: function &redef Deprecated.

Detailed Interface

Runtime Options

Weird::sampling_duration
Type:interval
Attributes:&redef
Default:10.0 mins

How long a weird of a given type is allowed to keep state/counters in memory. For “net” weirds an expiration timer starts per weird name when first initializing its counter. For “flow” weirds an expiration timer starts once per src/dst IP pair for the first weird of any name. For “conn” weirds, counters and expiration timers are kept for the duration of the connection for each named weird and reset when necessary. E.g. if a “conn” weird by the name of “foo” is seen more than Weird::sampling_threshold times, then an expiration timer begins for “foo” and upon triggering will reset the counter for “foo” and unthrottle its rate-limiting until it once again exceeds the threshold.

Weird::sampling_rate
Type:count
Attributes:&redef
Default:1000

The rate-limiting sampling rate. Once a weird type is being rate-limited, only one out of every N weirds of that type (N being this value) is allowed to raise events for further script-layer handling. Setting the sampling rate to 0 disables all output of rate-limited weirds.

Weird::sampling_threshold
Type:count
Attributes:&redef
Default:25

How many weirds of a given type to tolerate before sampling begins. I.e. this many consecutive weirds of a given type will be allowed to raise events for script-layer handling before being rate-limited.

Weird::sampling_whitelist
Type:set [string]
Attributes:&redef
Default:{}

Prevents rate-limiting sampling of any weirds whose name is in this set.
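The threshold, sampling-rate, expiration-timer and whitelist behaviour described for the Weird::sampling_* options above, as an added simulation in Python (this is not Bro's own implementation). Which of every sampling_rate rate-limited weirds is let through and the two timer-start rules ("net" and "conn") are assumptions of this simulation; the per-IP-pair "flow" scoping is not modeled.

```python
"""Simulation of the weird rate-limiting documented for Weird::sampling_*.
Added illustration; the real logic lives in Bro's core, not here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass
class WeirdSampler:
    # Option defaults are the documented ones (10.0 mins = 600 s).
    sampling_threshold: int = 25
    sampling_rate: int = 1000
    sampling_duration: float = 600.0
    sampling_whitelist: Set[str] = field(default_factory=set)
    # "net": the timer starts when a name's counter is first initialized.
    # "conn": the timer starts when the name first exceeds the threshold.
    timer_start: str = "conn"
    # per weird name -> (counter, expiration time or None)
    _state: Dict[str, Tuple[int, Optional[float]]] = field(default_factory=dict)

    def should_report(self, name: str, now: float) -> bool:
        """True if this occurrence of weird `name` at time `now` may raise
        an event for script-layer handling."""
        if name in self.sampling_whitelist:
            return True                       # whitelisted: never rate-limited
        count, expiry = self._state.get(name, (0, None))
        if expiry is not None and now >= expiry:
            count, expiry = 0, None           # timer fired: reset and unthrottle
        count += 1
        if count == 1 and self.timer_start == "net":
            expiry = now + self.sampling_duration
        if count <= self.sampling_threshold:
            self._state[name] = (count, expiry)
            return True                       # still within the tolerated prefix
        if expiry is None and self.timer_start == "conn":
            expiry = now + self.sampling_duration   # first excess starts the timer
        self._state[name] = (count, expiry)
        if self.sampling_rate == 0:
            return False                      # rate-limited output disabled
        # Assumption: the last of every sampling_rate rate-limited occurrences
        # is the one allowed through.
        return (count - self.sampling_threshold) % self.sampling_rate == 0


def simulate(events: Sequence[Tuple[float, str]], **opts) -> List[Tuple[float, str]]:
    """Run a time-ordered (time, weird_name) stream through a sampler and
    return the occurrences that would reach script-layer handlers."""
    sampler = WeirdSampler(**opts)
    return [(t, n) for t, n in events if sampler.should_report(n, t)]


if __name__ == "__main__":
    # Constructed stream: a noisy weird "foo" once per second for 12 s, a
    # whitelisted weird "bar", and one more "foo" after the timer expired.
    stream = [(float(t), "foo") for t in range(12)] + [(5.0, "bar"), (70.0, "foo")]
    stream.sort()
    reported = simulate(stream, sampling_threshold=3, sampling_rate=4,
                        sampling_duration=60.0, sampling_whitelist={"bar"})
    for t, name in reported:
        print(f"{t:6.1f} {name}")
```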

default_file_bof_buffer_size
Type:count
Attributes:&redef
Default:4096

Default number of bytes that file analysis will buffer for mime type matching. File analyzers attached at the time of mime type matching or later will receive a copy of this buffer.

default_file_timeout_interval
Type:interval
Attributes:&redef
Default:2.0 mins

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

Redefinable Options

DCE_RPC::max_cmd_reassembly
Type:count
Attributes:&redef
Default:20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.

DCE_RPC::max_frag_data
Type:count
Attributes:&redef
Default:30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

KRB::keytab
Type:string
Attributes:&redef
Default:""

Kerberos keytab file name. Used to decrypt tickets encountered on the wire.

NCP::max_frame_size
Type:count
Attributes:&redef
Default:65536

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data
Type:bool
Attributes:&redef
Default:F

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

See also: NFS3::return_data_max, NFS3::return_data_first_only

NFS3::return_data_first_only
Type:bool
Attributes:&redef
Default:T

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max
Type:count
Attributes:&redef
Default:512

If NFS3::return_data is true, how much data should be returned at most.

Pcap::bufsize
Type:count
Attributes:&redef
Default:128

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::snaplen
Type:count
Attributes:&redef
Default:9216

Number of bytes per packet to capture from live interfaces.

Reporter::errors_to_stderr
Type:bool
Attributes:&redef
Default:T

Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

Reporter::info_to_stderr
Type:bool
Attributes:&redef
Default:T

Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

Reporter::warnings_to_stderr
Type:bool
Attributes:&redef
Default:T

Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

SMB::pipe_filenames
Type:set [string]
Attributes:&redef
Default:
{
   "lsarpc",
   "wkssvc",
   "srvsvc",
   "MsFteWds",
   "samr",
   "netdfs",
   "spoolss",
   "winreg"
}

A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Bro.

See also: smb_pipe_connect_heuristic

Threading::heartbeat_interval
Type:interval
Attributes:&redef
Default:1.0 sec

The heartbeat interval used by the threading framework. Changing this should usually not be necessary and will break several tests.

Tunnel::delay_gtp_confirmation
Type:bool
Attributes:&redef
Default:F

With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing protocol_confirmation. If it’s false, the first occurrence of a packet with valid GTPv1 encapsulation causes confirmation. Since the same inner connection can be carried in differing outer upflow/downflow connections, setting this to false may work better.

Tunnel::delay_teredo_confirmation
Type:bool
Attributes:&redef
Default:T

With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing a protocol_confirmation. If it’s false, the first occurrence of a packet with valid Teredo encapsulation causes a confirmation.

Tunnel::enable_ayiya
Type:bool
Attributes:&redef
Default:T

Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.

Tunnel::enable_gre
Type:bool
Attributes:&redef
Default:T

Toggle whether to do GRE decapsulation.

Tunnel::enable_gtpv1
Type:bool
Attributes:&redef
Default:T

Toggle whether to do GTPv1 decapsulation.

Tunnel::enable_ip
Type:bool
Attributes:&redef
Default:T

Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.

Tunnel::enable_teredo
Type:bool
Attributes:&redef
Default:T

Toggle whether to do IPv6-in-Teredo decapsulation.

Tunnel::ip_tunnel_timeout
Type:interval
Attributes:&redef
Default:1.0 day

How often to clean up internal state for inactive IP tunnels (includes GRE tunnels).

Tunnel::max_depth
Type:count
Attributes:&redef
Default:2

The maximum depth of a tunnel to decapsulate until giving up. Setting this to zero will disable all types of tunnel decapsulation.

backdoor_stat_backoff
Type:double
Attributes:&redef

Deprecated.

backdoor_stat_period
Type:interval
Attributes:&redef

Deprecated.

bits_per_uid
Type:count
Attributes:&redef
Default:96

Number of bits in UIDs that are generated to identify connections and files. The larger the value, the more confidence in UID uniqueness. The maximum is currently 128 bits.

check_for_unused_event_handlers
Type:bool
Attributes:&redef
Default:F

If true, warns about unused event handlers at startup.

chunked_io_buffer_soft_cap
Type:count
Attributes:&redef
Default:800000

The number of IO chunks allowed to be buffered between the child and parent process of remote communication before Bro starts dropping connections to remote peers in an attempt to catch up.

cmd_line_bpf_filter
Type:string
Attributes:&redef
Default:""

BPF filter the user has set via the -f command line option. Empty if none.

detect_filtered_trace
Type:bool
Attributes:&redef
Default:F

Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. If this is enabled, then missing data at the end of connections may not be reported via content_gap.

dns_resolver
Type:addr
Attributes:&redef
Default:::

The address of the DNS resolver to use. If not changed from the unspecified address, [::], the first nameserver from /etc/resolv.conf gets used (IPv6 is currently only supported if set via this option, not when parsed from the file).

dns_session_timeout
Type:interval
Attributes:&redef
Default:10.0 secs

Time to wait before timing out a DNS request.

dpd_buffer_size
Type:count
Attributes:&redef
Default:1024

Size of per-connection buffer used for dynamic protocol detection. For each connection, Bro buffers this initial amount of payload in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.

See also: dpd_reassemble_first_packets, dpd_match_only_beginning, dpd_ignore_ports

dpd_ignore_ports
Type:bool
Attributes:&redef
Default:F

If true, don’t consider any ports for deciding which protocol analyzer to use.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_match_only_beginning

dpd_match_only_beginning
Type:bool
Attributes:&redef
Default:T

If true, stops signature matching if dpd_buffer_size has been reached.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_ignore_ports

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

dpd_reassemble_first_packets
Type:bool
Attributes:&redef
Default:T

Reassemble the beginning of all TCP connections before doing signature matching. Enabling this provides more accurate matching at the expense of CPU cycles.

See also: dpd_buffer_size, dpd_match_only_beginning, dpd_ignore_ports

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

enable_syslog
Type:bool
Attributes:&redef
Default:F

Deprecated. No longer functional.

encap_hdr_size
Type:count
Attributes:&redef
Default:0

If positive, indicates the encapsulation header size that should be skipped. This applies to all packets.

exit_only_after_terminate
Type:bool
Attributes:&redef
Default:F

Flag to prevent Bro from exiting automatically when input is exhausted. Normally Bro terminates when all packet sources have gone dry and communication isn’t enabled. If this flag is set, Bro’s main loop will instead keep idling until terminate is explicitly called.

This is mainly for testing purposes when termination behaviour needs to be controlled for reproducing results.

expensive_profiling_multiple
Type:count
Attributes:&redef
Default:20

Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).

See also: profiling_interval, profiling_file, segment_profiling

forward_remote_events
Type:bool
Attributes:&redef
Default:F

If true, broadcast events received from one peer to all other peers.

See also: forward_remote_state_changes

Note

This option is only temporary and will disappear once we get a more sophisticated script-level communication framework.

forward_remote_state_changes
Type:bool
Attributes:&redef
Default:F

If true, broadcast state updates received from one peer to all other peers.

See also: forward_remote_events

Note

This option is only temporary and will disappear once we get a more sophisticated script-level communication framework.

frag_timeout
Type:interval
Attributes:&redef
Default:5.0 mins

How long to hold onto fragments for possible reassembly. A value of 0.0 means “forever”, which resists evasion, but can lead to state accrual.

global_hash_seed
Type:string
Attributes:&redef
Default:""

Seed for hashes computed internally for probabilistic data structures. Using the same value here will make the hashes compatible between independent Bro instances. If left unset, Bro will use a temporary local seed.

icmp_inactivity_timeout
Type:interval
Attributes:&redef
Default:1.0 min

If an ICMP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: tcp_inactivity_timeout, udp_inactivity_timeout, set_inactivity_timeout

ignore_checksums
Type:bool
Attributes:&redef
Default:F

If true, don’t verify checksums. Useful for running on altered trace files, and for saving a few cycles, but at the risk of analyzing invalid data. Note that the -C command-line option overrides the setting of this variable.

ignore_keep_alive_rexmit
Type:bool
Attributes:&redef
Default:F

Ignore certain TCP retransmissions for conn_stats. Some connections (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive. If ignore_keep_alive_rexmit is set to true, such retransmissions will be excluded in the rexmit counter in conn_stats.

See also: conn_stats

interconn_default_pkt_size
Type:count
Attributes:&redef

Deprecated.

interconn_max_interarrival
Type:interval
Attributes:&redef

Deprecated.

interconn_max_keystroke_pkt_size
Type:count
Attributes:&redef

Deprecated.

interconn_min_interarrival
Type:interval
Attributes:&redef

Deprecated.

interconn_stat_backoff
Type:double
Attributes:&redef

Deprecated.

interconn_stat_period
Type:interval
Attributes:&redef

Deprecated.

likely_server_ports
Type:set [port]
Attributes:&redef
Default:
{
   88/udp,
   8000/tcp,
   631/tcp,
   81/tcp,
   992/tcp,
   585/tcp,
   21/tcp,
   8888/tcp,
   20000/udp,
   6669/tcp,
   25/tcp,
   3389/tcp,
   20000/tcp,
   53/tcp,
   514/udp,
   6668/tcp,
   563/tcp,
   53/udp,
   67/udp,
   614/tcp,
   5223/tcp,
   2811/tcp,
   587/tcp,
   137/udp,
   5269/tcp,
   993/tcp,
   8080/tcp,
   80/tcp,
   5355/udp,
   5353/udp,
   6666/tcp,
   5060/udp,
   143/tcp,
   990/tcp,
   22/tcp,
   139/tcp,
   443/udp,
   636/tcp,
   135/tcp,
   445/tcp,
   3544/udp,
   2152/udp,
   2123/udp,
   88/tcp,
   6667/tcp,
   1812/udp,
   162/udp,
   5222/tcp,
   3128/tcp,
   995/tcp,
   1080/tcp,
   989/tcp,
   443/tcp,
   161/udp,
   5072/udp,
   502/tcp
}

Ports which the core considers likely to be used by servers. For ports in this set, it may heuristically decide to flip the direction of the connection if it misses the initial handshake.

log_encryption_key
Type:string
Attributes:&redef
Default:"<undefined>"

Deprecated.

log_max_size
Type:double
Attributes:&redef
Default:0.0

Deprecated.

log_rotate_base_time
Type:string
Attributes:&redef
Default:"0:00"

Deprecated.

log_rotate_interval
Type:interval
Attributes:&redef
Default:0 secs

Deprecated.

max_files_in_cache
Type:count
Attributes:&redef
Default:0

The maximum number of open files to keep cached at a given time. If set to zero, this is automatically determined by inspecting the current/maximum limit on open files for the process.

max_remote_events_processed
Type:count
Attributes:&redef
Default:10

With a trade-off similar to that of max_timer_expires, this gives the number of remote events to process in a batch before interleaving other activity.

max_timer_expires
Type:count
Attributes:&redef
Default:300

The maximum number of timers to expire after processing each new packet. The value trades off spreading out the timer expiration load with possibly having to hold state longer. A value of 0 means “process all expired timers with each new packet”.

mmdb_dir
Type:string
Attributes:&redef
Default:""

The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.

non_analyzed_lifetime
Type:interval
Attributes:&redef
Default:0 secs

If a connection belongs to an application that we don’t analyze, time it out after this interval. If 0 secs, then don’t time it out (but tcp_inactivity_timeout, udp_inactivity_timeout, and icmp_inactivity_timeout still apply).

ntp_session_timeout
Type:interval
Attributes:&redef
Default:5.0 mins

Time to wait before timing out an NTP request.

old_comm_usage_is_ok
Type:bool
Attributes:&redef
Default:F

Whether usage of the old communication system is considered an error or not. The default Bro configuration no longer works with the non-Broker communication system unless you have manually taken action to initialize and set up the old comm. system. Deprecation warnings are still emitted when setting this flag, but they will not result in a fatal error.

packet_filter_default
Type:bool
Attributes:&redef
Default:F

Default mode for Bro’s user-space dynamic packet filter. If true, packets that aren’t explicitly allowed through are dropped from any further processing.

Note

This is not the BPF packet filter but an additional dynamic filter that Bro optionally applies just before normal processing starts.

See also: install_dst_addr_filter, install_dst_net_filter, install_src_addr_filter, install_src_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter

partial_connection_ok
Type:bool
Attributes:&redef
Default:T

If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.

passive_fingerprint_file
Type:string
Attributes:&redef
Default:"base/misc/p0f.fp"

p0f fingerprint file to use. Will be searched relative to BROPATH.

peer_description
Type:string
Attributes:&redef
Default:"bro"

Description transmitted to remote communication peers for identification.

pkt_profile_freq
Type:double
Attributes:&redef
Default:0.0

Frequency associated with packet profiling.

See also: pkt_profile_modes, pkt_profile_mode, pkt_profile_file

pkt_profile_mode
Type:pkt_profile_modes
Attributes:&redef
Default:PKT_PROFILE_MODE_NONE

Output mode for packet profiling information.

See also: pkt_profile_modes, pkt_profile_freq, pkt_profile_file

profiling_interval
Type:interval
Attributes:&redef
Default:15.0 secs

Update interval for profiling (0 disables). The easiest way to activate profiling is loading policy/misc/profiling.bro.

See also: profiling_file, expensive_profiling_multiple, segment_profiling

record_all_packets
Type:bool
Attributes:&redef
Default:F

If a trace file is given with -w, dump all packets seen by Bro into it. By default, Bro applies (very few) heuristics to reduce the volume. A side effect of setting this to true is that we can write the packets out before we actually process them, which can be helpful for debugging in case the analysis triggers a crash.

See also: trace_output_file

remote_check_sync_consistency
Type:bool
Attributes:&redef
Default:F

Whether, for &synchronized state, to send the old value along as a consistency check.

remote_trace_sync_interval
Type:interval
Attributes:&redef
Default:0 secs

Synchronize trace processing on a regular basis in pseudo-realtime mode.

See also: remote_trace_sync_peers

remote_trace_sync_peers
Type:count
Attributes:&redef
Default:0

Number of peers across which to synchronize trace processing in pseudo-realtime mode.

See also: remote_trace_sync_interval

report_gaps_for_partial
Type:bool
Attributes:&redef
Default:F

Whether we want content_gap for partial connections. A connection is partial if it is missing a full handshake. Note that gap reports for partial connections might not be reliable.

See also: content_gap, partial_connection

rpc_timeout
Type:interval
Attributes:&redef
Default:24.0 secs

Time to wait before timing out an RPC request.

segment_profiling
Type:bool
Attributes:&redef
Default:F

If true, then write segment profiling information (very high volume!) in addition to profiling statistics.

See also: profiling_interval, expensive_profiling_multiple, profiling_file

sig_max_group_size
Type:count
Attributes:&redef
Default:50

Maximum size of regular expression groups for signature matching.

skip_http_data
Type:bool
Attributes:&redef
Default:F

Skip HTTP data for performance considerations. The skipped portion will not go through TCP reassembly.

See also: http_entity_data, skip_http_entity_data, http_entity_data_delivery_size

ssl_ca_certificate
Type:string
Attributes:&redef
Default:"<undefined>"

The CA certificate file to authorize remote Bros/Broccolis.

See also: ssl_private_key, ssl_passphrase

ssl_passphrase
Type:string
Attributes:&redef
Default:"<undefined>"

The passphrase for our private key. Keeping this undefined causes Bro to prompt for the passphrase.

See also: ssl_private_key, ssl_ca_certificate

ssl_private_key
Type:string
Attributes:&redef
Default:"<undefined>"

File containing our private key and our certificate.

See also: ssl_ca_certificate, ssl_passphrase

state_dir
Type:string
Attributes:&redef
Default:".state"

Specifies a directory for Bro to store its persistent state. All globals can be declared persistent via the &persistent attribute.

state_write_delay
Type:interval
Attributes:&redef
Default:10.0 msecs

Length of the delays inserted when storing state incrementally. To avoid dropping packets when serializing larger volumes of persistent state to disk, Bro interleaves the operation with continued packet processing.

stp_delta
Type:interval
Attributes:&redef

Internal to the stepping stone detector.

stp_idle_min
Type:interval
Attributes:&redef

Internal to the stepping stone detector.

suppress_local_output
Type:bool
Attributes:&redef
Default:F

Deprecated.

table_expire_delay
Type:interval
Attributes:&redef
Default:10.0 msecs

When expiring table entries, wait this amount of time before checking the next chunk of entries.

See also: table_expire_interval, table_incremental_step

table_expire_interval
Type:interval
Attributes:&redef
Default:10.0 secs

Check for expired table entries after this amount of time.

See also: table_incremental_step, table_expire_delay

table_incremental_step
Type:count
Attributes:&redef
Default:5000

When expiring/serializing table entries, don’t work on more than this many table entries at a time.

See also: table_expire_interval, table_expire_delay

tcp_SYN_ack_ok
Type:bool
Attributes:&redef
Default:T

If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).

tcp_SYN_timeout
Type:interval
Attributes:&redef
Default:5.0 secs

Check up on the result of an initial SYN after this much time.

tcp_attempt_delay
Type:interval
Attributes:&redef
Default:5.0 secs

Wait this long upon seeing an initial SYN before timing out the connection attempt.

tcp_close_delay
Type:interval
Attributes:&redef
Default:5.0 secs

Upon seeing a normal connection close, flush state after this much time.

tcp_connection_linger
Type:interval
Attributes:&redef
Default:5.0 secs

When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. Complain if the connection is reused before this much time has elapsed.

tcp_content_deliver_all_orig
Type:bool
Attributes:&redef
Default:F

If true, all TCP originator-side traffic is reported via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_deliver_all_resp
Type:bool
Attributes:&redef
Default:F

If true, all TCP responder-side traffic is reported via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_delivery_ports_orig
Type:table [port] of bool
Attributes:&redef
Default:{}

Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.

See also: tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_delivery_ports_resp
Type:table [port] of bool
Attributes:&redef
Default:{}

Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_excessive_data_without_further_acks
Type:count
Attributes:&redef
Default:10485760

If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. If set to zero, then we don’t ever give up. Ideally, Bro would track the current window on a connection and use it to infer that data has in fact gone too far, but for now we just make this quite beefy.

See also: tcp_max_initial_window, tcp_max_above_hole_without_any_acks

tcp_inactivity_timeout
Type:interval
Attributes:&redef
Default:5.0 mins

If a TCP connection is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: udp_inactivity_timeout, icmp_inactivity_timeout, set_inactivity_timeout

tcp_match_undelivered
Type:bool
Attributes:&redef
Default:T

If true, pass any undelivered data to the signature engine before flushing the state. If a connection state is removed, there may still be some data waiting in the reassembler.

tcp_max_above_hole_without_any_acks
Type:count
Attributes:&redef
Default:16384

If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. If set to zero, then we don’t ever give up.

See also: tcp_max_initial_window, tcp_excessive_data_without_further_acks

tcp_max_initial_window
Type:count
Attributes:&redef
Default:16384

Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). Used to determine whether we must not be seeing our peer’s ACKs. Set to zero to turn off this determination.

See also: tcp_max_above_hole_without_any_acks, tcp_excessive_data_without_further_acks

tcp_max_old_segments
Type:count
Attributes:&redef
Default:0

Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. Zero disables any additional buffering.

tcp_partial_close_delay
Type:interval
Attributes:&redef
Default:3.0 secs

Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.

tcp_reassembler_ports_orig
Type:set [port]
Attributes:&redef
Default:{}

For services without a handler, these sets define originator-side ports that still trigger reassembly.

See also: tcp_reassembler_ports_resp

tcp_reassembler_ports_resp
Type:set [port]
Attributes:&redef
Default:{}

For services without a handler, these sets define responder-side ports that still trigger reassembly.

See also: tcp_reassembler_ports_orig

tcp_reset_delay
Type:interval
Attributes:&redef
Default:5.0 secs

Upon seeing a RST, flush state after this much time.

tcp_session_timer
Type:interval
Attributes:&redef
Default:6.0 secs

After a connection has closed, wait this long for further activity before checking whether to time out its state.

tcp_storm_interarrival_thresh
Type:interval
Attributes:&redef
Default:1.0 sec

FINs/RSTs must come with this much time or less between them to be considered a “storm”.

See also: tcp_storm_thresh

tcp_storm_thresh
Type:count
Attributes:&redef
Default:1000

Number of FINs/RSTs in a row that constitute a “storm”. Storms are reported as weird via the notice framework, and they must also come within intervals of at most tcp_storm_interarrival_thresh.

See also: tcp_storm_interarrival_thresh

time_machine_profiling
Type:bool
Attributes:&redef
Default:F

If true, output profiling for Time-Machine queries.

timer_mgr_inactivity_timeout
Type:interval
Attributes:&redef
Default:1.0 min

Per-incident timer managers are drained after this amount of inactivity.

truncate_http_URI
Type:int
Attributes:&redef
Default:-1

Maximum length of HTTP URIs passed to events. Longer ones will be truncated to prevent over-long URIs (usually sent by worms) from slowing down event processing. A value of -1 means “do not truncate”.

See also: http_request

udp_content_deliver_all_orig
Type:bool
Attributes:&redef
Default:F

If true, all UDP originator-side traffic is reported via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_resp, udp_contents

udp_content_deliver_all_resp
Type:bool
Attributes:&redef
Default:F

If true, all UDP responder-side traffic is reported via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_contents

udp_content_delivery_ports_orig
Type:table [port] of bool
Attributes:&redef
Default:{}

Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents

udp_content_delivery_ports_resp
Type:table [port] of bool
Attributes:&redef
Default:{}

Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents
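The four udp_content_* options above only select which flows reach the udp_contents event; what to do with the payload is up to a handler. The following script is an added example, not part of init-bare.bro or of any shipped Bro policy: it redefines the delivery tables so that the raw payload of DNS flows (53/udp) reaches a udp_contents handler, then raises a notice for originator datagrams above a size threshold. The module name DNSPayload, the notice type and the 512-byte threshold are assumptions chosen for illustration.

```bro
@load base/frameworks/notice

module DNSPayload;   # assumed module name for this example

export {
	redef enum Notice::Type += {
		## Raised when a DNS query datagram exceeds the size threshold.
		Oversized_Query,
	};

	## Assumed threshold: RFC 1035 caps DNS over UDP at 512 bytes unless
	## EDNS0 is negotiated, so larger client datagrams are worth a look.
	const max_query_bytes = 512 &redef;
}

# Both tables are keyed by the flow's destination (responder) port.
# Originator payload is all the check below needs; responder payload is
# requested too so the same handler can be extended to inspect replies.
redef udp_content_delivery_ports_orig += { [53/udp] = T };
redef udp_content_delivery_ports_resp += { [53/udp] = T };

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	# Only inspect client-to-server datagrams here.
	if ( ! is_orig )
		return;

	if ( |contents| <= max_query_bytes )
		return;

	NOTICE([$note=Oversized_Query,
	        $msg=fmt("%d-byte DNS query from %s to %s",
	                 |contents|, u$id$orig_h, u$id$resp_h),
	        $conn=u,
	        $identifier=cat(u$id$orig_h)]);
	}
```

The same pattern applies to tcp_content_delivery_ports_orig and tcp_content_delivery_ports_resp with the tcp_contents event, which additionally carries the stream sequence number of each chunk. Setting one of the *_deliver_all_* flags to T instead delivers every flow in that direction to the handler, which is rarely affordable on a busy link.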

udp_inactivity_timeout
Type:interval
Attributes:&redef
Default:1.0 min

If a UDP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: tcp_inactivity_timeout, icmp_inactivity_timeout, set_inactivity_timeout
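The global timeouts above trade memory for continuity: a short value reclaims idle flow state quickly, but splits a legitimately idle session into several conn.log entries and discards the analyzer state attached to it. As an added example (not from init-bare.bro), the script below tightens the sensor-wide defaults and then gives selected long-lived services a longer per-connection budget through set_inactivity_timeout. The timeout values and the port set are assumptions.

```bro
# Assumed sensor-wide defaults: tighter than the shipped values so that
# idle flow state is reclaimed sooner under load.
redef tcp_inactivity_timeout = 2 mins;
redef udp_inactivity_timeout = 30 secs;
redef icmp_inactivity_timeout = 30 secs;

# Assumed set of services whose sessions legitimately sit idle for long
# periods (interactive shells, remote desktops, database connections).
const long_lived_services: set[port] = { 22/tcp, 3389/tcp, 5432/tcp } &redef;

event connection_established(c: connection)
	{
	# Per-connection override. This event only fires for TCP connections
	# that completed the handshake, so UDP and ICMP flows keep the global
	# timeouts and half-open TCP connections are still expired quickly.
	if ( c$id$resp_p in long_lived_services )
		set_inactivity_timeout(c$id, 1 hr);
	}
```

Because set_inactivity_timeout is keyed by conn_id it can also be called later, for example once an analyzer has confirmed the protocol, rather than at handshake time.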

use_conn_size_analyzer
Type:bool
Attributes:&redef
Default:T

Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint. If true, these values are returned in the connection’s endpoint record value.

watchdog_interval
Type:interval
Attributes:&redef
Default:10.0 secs

Bro’s watchdog interval.

Constants

CONTENTS_BOTH
Type:count
Default:3

Record both originator and responder contents.

CONTENTS_NONE
Type:count
Default:0

Turn off recording of contents.

CONTENTS_ORIG
Type:count
Default:1

Record originator contents.

CONTENTS_RESP
Type:count
Default:2

Record responder contents.

DNS_ADDL
Type:count
Default:3

An additional record.

DNS_ANS
Type:count
Default:1

An answer record.

DNS_AUTH
Type:count
Default:2

An authoritative record.

DNS_QUERY
Type:count
Default:0

A query. This shouldn’t occur, just for completeness.

ENDIAN_BIG
Type:count
Default:2

Big endian.

ENDIAN_CONFUSED
Type:count
Default:3

Tried to determine endian, but failed.

ENDIAN_LITTLE
Type:count
Default:1

Little endian.

ENDIAN_UNKNOWN
Type:count
Default:0

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB
Type:count
Default:13

Administratively prohibited.

ICMP_UNREACH_HOST
Type:count
Default:1

Host unreachable.

ICMP_UNREACH_NEEDFRAG
Type:count
Default:4

Fragment needed.

ICMP_UNREACH_NET
Type:count
Default:0

Network unreachable.

ICMP_UNREACH_PORT
Type:count
Default:3

Port unreachable.

ICMP_UNREACH_PROTOCOL
Type:count
Default:2

Protocol unreachable.

IPPROTO_AH
Type:count
Default:51

IPsec authentication header (used with both IPv4 and IPv6).

IPPROTO_DSTOPTS
Type:count
Default:60

IPv6 destination options header.

IPPROTO_ESP
Type:count
Default:50

IPsec encapsulating security payload header (used with both IPv4 and IPv6).

IPPROTO_FRAGMENT
Type:count
Default:44

IPv6 fragment header.

IPPROTO_HOPOPTS
Type:count
Default:0

IPv6 hop-by-hop-options header.

IPPROTO_ICMP
Type:count
Default:1

Control message protocol.

IPPROTO_ICMPV6
Type:count
Default:58

ICMP for IPv6.

IPPROTO_IGMP
Type:count
Default:2

Group management protocol.

IPPROTO_IP
Type:count
Default:0

Dummy for IP.

IPPROTO_IPIP
Type:count
Default:4

IP encapsulation in IP.

IPPROTO_IPV6
Type:count
Default:41

IPv6 header.

IPPROTO_MOBILITY
Type:count
Default:135

IPv6 mobility header.

IPPROTO_NONE
Type:count
Default:59

IPv6 no next header.

IPPROTO_RAW
Type:count
Default:255

Raw IP packet.

IPPROTO_ROUTING
Type:count
Default:43

IPv6 routing header.

IPPROTO_TCP
Type:count
Default:6

TCP.

IPPROTO_UDP
Type:count
Default:17

User datagram protocol.

LOGIN_STATE_AUTHENTICATE
Type:count
Default:0

LOGIN_STATE_CONFUSED
Type:count
Default:3

LOGIN_STATE_LOGGED_IN
Type:count
Default:1

LOGIN_STATE_SKIP
Type:count
Default:2

PEER_ID_NONE
Type:count
Default:0

Place-holder constant indicating “no peer”.

REMOTE_LOG_ERROR
Type:count
Default:2

Deprecated.

REMOTE_LOG_INFO
Type:count
Default:1

Deprecated.

REMOTE_SRC_CHILD
Type:count
Default:1

Message from the child process.

REMOTE_SRC_PARENT
Type:count
Default:2

Message from the parent process.

REMOTE_SRC_SCRIPT
Type:count
Default:3

Message from a policy script.

RPC_status
Type:table [rpc_status] of string
Default:
{
   [RPC_PROC_UNAVAIL] = "proc unavail",
   [RPC_AUTH_ERROR] = "auth error",
   [RPC_PROG_UNAVAIL] = "prog unavail",
   [RPC_PROG_MISMATCH] = "mismatch",
   [RPC_GARBAGE_ARGS] = "garbage args",
   [RPC_TIMEOUT] = "timeout",
   [RPC_UNKNOWN_ERROR] = "unknown",
   [RPC_SUCCESS] = "ok",
   [RPC_SYSTEM_ERR] = "system err"
}

Mapping of numerical RPC status codes to readable messages.

See also: pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, rpc_dialogue, rpc_reply

SNMP::OBJ_COUNTER32_TAG
Type:count
Default:65

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG
Type:count
Default:70

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG
Type:count
Default:130

A NULL value.

SNMP::OBJ_INTEGER_TAG
Type:count
Default:2

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG
Type:count
Default:64

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG
Type:count
Default:129

A NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG
Type:count
Default:128

A NULL value.

SNMP::OBJ_OCTETSTRING_TAG
Type:count
Default:4

An octet string.

SNMP::OBJ_OID_TAG
Type:count
Default:6

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG
Type:count
Default:68

An octet string.

SNMP::OBJ_TIMETICKS_TAG
Type:count
Default:67

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG
Type:count
Default:66

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG
Type:count
Default:5

A NULL value.

TCP_CLOSED
Type:count
Default:5

Endpoint has closed connection.

TCP_ESTABLISHED
Type:count
Default:4

Endpoint has finished initial handshake regularly.

TCP_INACTIVE
Type:count
Default:0

Endpoint is still inactive.

TCP_PARTIAL
Type:count
Default:3

Endpoint has sent data but no initial SYN.

TCP_RESET
Type:count
Default:6

Endpoint has sent RST.

TCP_SYN_ACK_SENT
Type:count
Default:2

Endpoint has sent SYN/ACK.

TCP_SYN_SENT
Type:count
Default:1

Endpoint has sent SYN.
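The TCP_* values above are what the state field of each endpoint record (c$orig$state, c$resp$state) holds once a connection is torn down, and comparing the two sides is the cheapest way to tell a probe from a real session. The following is an added example, not part of init-bare.bro: a connection_state_remove handler classifies finished TCP connections by endpoint state and raises a notice when one host accumulates unanswered SYNs. The module name, the threshold and the expiry window are assumptions. Note that the UDP_* constants share numeric values with the low TCP_* states, so the handler checks the transport first.

```bro
@load base/frameworks/notice

module TcpStateTriage;   # assumed module name for this example

export {
	redef enum Notice::Type += {
		## One originator sent many SYNs that drew no reply at all.
		Unanswered_SYN_Burst,
	};

	## Assumed: unanswered SYNs from one host before a notice is raised.
	const syn_burst_threshold = 20 &redef;
}

# Per-originator count of SYNs that never drew any response; the expiry
# window is an assumption that keeps the table bounded.
global unanswered: table[addr] of count &default=0 &create_expire=5 mins;

function classify(c: connection): string
	{
	local o = c$orig$state;
	local r = c$resp$state;

	if ( o == TCP_SYN_SENT && r == TCP_INACTIVE )
		return "syn-unanswered";   # filtered port or dead host
	if ( o == TCP_SYN_SENT && r == TCP_RESET )
		return "syn-rejected";     # closed port
	if ( o == TCP_RESET || r == TCP_RESET )
		return "aborted";          # RST after handshake or data
	if ( o == TCP_CLOSED && r == TCP_CLOSED )
		return "closed-cleanly";
	if ( o == TCP_PARTIAL || r == TCP_PARTIAL )
		return "midstream";        # no SYN seen; capture started late
	return "other";
	}

event connection_state_remove(c: connection)
	{
	# UDP_ACTIVE == TCP_SYN_SENT numerically, so restrict to TCP.
	if ( ! is_tcp_port(c$id$resp_p) )
		return;

	if ( classify(c) != "syn-unanswered" )
		return;

	unanswered[c$id$orig_h] += 1;

	if ( unanswered[c$id$orig_h] == syn_burst_threshold )
		NOTICE([$note=Unanswered_SYN_Burst,
		        $msg=fmt("%s sent %d SYNs that drew no reply",
		                 c$id$orig_h, syn_burst_threshold),
		        $src=c$id$orig_h,
		        $identifier=cat(c$id$orig_h)]);
	}
```

The classify function is kept separate so the same state logic can feed a log field or a different threshold policy without touching the notice code.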

TH_ACK
Type:count
Default:16

ACK.

TH_FIN
Type:count
Default:1

FIN.

TH_FLAGS
Type:count
Default:63

Mask combining all flags.

TH_PUSH
Type:count
Default:8

PUSH.

TH_RST
Type:count
Default:4

RST.

TH_SYN
Type:count
Default:2

SYN.

TH_URG
Type:count
Default:32

URG.

UDP_ACTIVE
Type:count
Default:1

Endpoint has sent something.

UDP_INACTIVE
Type:count
Default:0

Endpoint is still inactive.

trace_output_file
Type:string
Default:""

Holds the filename of the trace file given with -w (empty if none).

See also: record_all_packets

State Variables

capture_filters
Type:table [string] of string
Attributes:&redef
Default:{}

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). If Bro is not configured with PacketFilter::enable_auto_protocol_capture_filters, all packets matching at least one of the filters in this table (and all in restrict_filters) will be analyzed.

See also: PacketFilter, PacketFilter::enable_auto_protocol_capture_filters, PacketFilter::unrestricted_filter, restrict_filters

direct_login_prompts
Type:set [string]
Attributes:&redef
Default:{}

TODO.

discarder_maxlen
Type:count
Attributes:&redef
Default:128

Maximum length of payload passed to discarder functions.

See also: discarder_check_tcp, discarder_check_udp, discarder_check_icmp, discarder_check_ip

dns_max_queries
Type:count
Attributes:&redef
Default:25

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.

dns_skip_addl
Type:set [addr]
Attributes:&redef
Default:{}

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

See also: dns_skip_all_addl, dns_skip_auth

dns_skip_all_addl
Type:bool
Attributes:&redef
Default:F

If true, all DNS ADDL records are skipped.

See also: dns_skip_all_auth, dns_skip_addl

dns_skip_all_auth
Type:bool
Attributes:&redef
Default:F

If true, all DNS AUTH records are skipped.

See also: dns_skip_all_addl, dns_skip_auth

dns_skip_auth
Type:set [addr]
Attributes:&redef
Default:{}

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

See also: dns_skip_all_auth, dns_skip_addl

done_with_network
Type:bool
Default:F

generate_OS_version_event
Type:set [subnet]
Attributes:&redef
Default:{}

Defines for which subnets we should do passive fingerprinting.

See also: OS_version_found

http_entity_data_delivery_size
Type:count
Attributes:&redef
Default:1500

Maximum number of bytes of HTTP entity data delivered to events.

See also: http_entity_data, skip_http_entity_data, skip_http_data

interfaces
Type:string
Attributes:&add_func = add_interface &redef
Default:""

Network interfaces to listen on. Use redef interfaces += "eth0" to extend.

irc_servers
Type:set [addr]
Attributes:&redef
Default:{}

Deprecated.

Todo

Remove. It’s still declared internally but doesn’t seem used anywhere else.

load_sample_freq
Type:count
Attributes:&redef
Default:20

Rate at which to generate load_sample events. As all events, the event is only generated if you’ve also defined a load_sample handler. Units are inverse number of packets; e.g., a value of 20 means “roughly one in every 20 packets”.

See also: load_sample

login_failure_msgs
Type:set [string]
Attributes:&redef
Default:{}

TODO.

login_non_failure_msgs
Type:set [string]
Attributes:&redef
Default:{}

TODO.

login_prompts
Type:set [string]
Attributes:&redef
Default:{}

TODO.

login_success_msgs
Type:set [string]
Attributes:&redef
Default:{}

TODO.

login_timeouts
Type:set [string]
Attributes:&redef
Default:{}

TODO.

mime_segment_length
Type:count
Attributes:&redef
Default:1024

The length of MIME data segments delivered to handlers of mime_segment_data.

See also: mime_segment_data, mime_segment_overlap_length

mime_segment_overlap_length
Type:count
Attributes:&redef
Default:0

The number of bytes of overlap between successive segments passed to mime_segment_data.

pkt_profile_file
Type:file
Attributes:&redef

File where packet profiles are logged.

See also: pkt_profile_modes, pkt_profile_freq, pkt_profile_mode

profiling_file
Type:file
Attributes:&redef
Default:
file "prof.log" of string

Write profiling info into this file in regular intervals. The easiest way to activate profiling is loading policy/misc/profiling.bro.

See also: profiling_interval, expensive_profiling_multiple, segment_profiling

restrict_filters
Type:table [string] of string
Attributes:&redef
Default:{}

Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).

See also: PacketFilter, PacketFilter::enable_auto_protocol_capture_filters, PacketFilter::unrestricted_filter, capture_filters

secondary_filters
Type:table [string] of event (filter: string, pkt: pkt_hdr)
Attributes:&redef
Default:{}

Definition of “secondary filters”. A secondary filter is a BPF filter given as index in this table. For each such filter, the corresponding event is raised for all matching packets.
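The three filter tables above compose differently: capture_filters entries are OR-ed together to select traffic, restrict_filters entries are AND-ed with that selection to carve out exclusions, and each secondary_filters entry raises its own event for matching packets while normal analysis continues. The script below is an added example, not part of init-bare.bro, showing all three on one sensor. The filter strings, the excluded backup host and the TTL threshold are assumptions.

```bro
# Assumed: with the automatic per-protocol filters off, only traffic
# matching at least one capture filter (OR-ed together) is analyzed.
redef PacketFilter::enable_auto_protocol_capture_filters = F;

redef capture_filters += {
	["dns"] = "port 53",
	["web"] = "tcp port 80 or tcp port 443",
	["vpn"] = "udp port 500 or udp port 4500 or ip proto 50"
};

# Restrict filters are AND-ed with the above: drop a noisy, trusted
# backup stream (assumed host and port) before it reaches any analyzer.
redef restrict_filters += {
	["no-backup"] = "not (host 10.1.2.3 and tcp port 873)"
};

# Secondary filter: a low TTL can mean traceroute, or an insertion attack
# that expects the packet to expire before the end host sees it.
# The handler must be declared before the table references it.
event low_ttl_packet(filter: string, pkt: pkt_hdr)
	{
	# Only IPv4 carries the ip header record; ip6 packets are skipped.
	if ( ! pkt?$ip )
		return;

	print fmt("low TTL %d: %s -> %s (matched '%s')",
	          pkt$ip$ttl, pkt$ip$src, pkt$ip$dst, filter);
	}

# ip[8] is the IPv4 TTL octet; the threshold of 5 is an assumption.
redef secondary_filters += {
	["ip[8] < 5"] = low_ttl_packet
};
```

Secondary filters run on every packet that passes the main BPF filter, so they should stay cheap; the event receives the decoded headers only, not the payload.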

signature_files
Type:string
Attributes:&add_func = add_signature_file &redef
Default:""

Signature files to read. Use redef signature_files += "foo.sig" to extend. Signature files added this way will be searched relative to BROPATH. Using the @load-sigs directive instead is preferred since that can search paths relative to the current script.

skip_authentication
Type:set [string]
Attributes:&redef
Default:{}

TODO.

stp_skip_src
Type:set [addr]
Attributes:&redef
Default:{}

Internal to the stepping stone detector.

Types

BrokerStats
Type:

record

num_peers: count

Number of active peers.

num_stores: count

Number of active data stores.

num_pending_queries: count

Number of pending data store queries.

num_events_incoming: count

Number of total events received.

num_events_outgoing: count

Number of total events sent.

num_logs_incoming: count

Number of total log records received.

num_logs_outgoing: count

Number of total log records sent.

num_ids_incoming: count

Number of total identifiers received.

num_ids_outgoing: count

Number of total identifiers sent.

Statistics about Broker communication.

See also: get_broker_stats

Cluster::Pool
Type:

record

spec: Cluster::PoolSpec &default = [topic=, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F] &optional

(present if base/frameworks/cluster/pools.bro is loaded)

The specification of the pool that was used when registering it.

nodes: Cluster::PoolNodeTable &default = {  } &optional

(present if base/frameworks/cluster/pools.bro is loaded)

Nodes in the pool, indexed by their name (e.g. “manager”).

node_list: vector of Cluster::PoolNode &default = [] &optional

(present if base/frameworks/cluster/pools.bro is loaded)

A list of nodes in the pool in a deterministic order.

hrw_pool: HashHRW::Pool &default = [sites={  }] &optional

(present if base/frameworks/cluster/pools.bro is loaded)

The Rendezvous hashing structure.

rr_key_seq: Cluster::RoundRobinTable &default = {  } &optional

(present if base/frameworks/cluster/pools.bro is loaded)

Round-Robin table indexed by arbitrary key and storing the next index of node_list that will be eligible to receive work (if it’s alive at the time of next request).

alive_count: count &default = 0 &optional

(present if base/frameworks/cluster/pools.bro is loaded)

Number of pool nodes that are currently alive.

A pool used for distributing data/work among a set of cluster nodes.

ConnStats
Type:

record

total_conns: count

current_conns: count

current_conns_extern: count

sess_current_conns: count

num_packets: count

num_fragments: count

max_fragments: count

num_tcp_conns: count

Current number of TCP connections in memory.

max_tcp_conns: count

Maximum number of concurrent TCP connections so far.

cumulative_tcp_conns: count

Total number of TCP connections so far.

num_udp_conns: count

Current number of UDP flows in memory.

max_udp_conns: count

Maximum number of concurrent UDP flows so far.

cumulative_udp_conns: count

Total number of UDP flows so far.

num_icmp_conns: count

Current number of ICMP flows in memory.

max_icmp_conns: count

Maximum number of concurrent ICMP flows so far.

cumulative_icmp_conns: count

Total number of ICMP flows so far.

killed_by_inactivity: count

DHCP::Addrs
Type:vector of addr

A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.

See also: dhcp_message

DHCP::ClientFQDN
Type:

record

flags: count

An unparsed bitfield of flags (refer to RFC 4702).

rcode1: count

This field is deprecated in the standard.

rcode2: count

This field is deprecated in the standard.

domain_name: string

The Domain Name part of the option carries all or part of the FQDN of a DHCP client.

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID
Type:

record

hwtype: count

hwaddr: string

DHCP Client Identifier (Option 61).

See also: dhcp_message

DHCP::Msg
Type:

record

op: count

Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY

m_type: count

The type of DHCP message.

xid: count

Transaction ID of a DHCP session.

secs: interval

Number of seconds since client began address acquisition or renewal process

flags: count

ciaddr: addr

Original IP address of the client.

yiaddr: addr

IP address assigned to the client.

siaddr: addr

IP address of the server.

giaddr: addr

IP address of the relaying gateway.

chaddr: string

Client hardware address.

sname: string &default = "" &optional

Server host name.

file_n: string &default = "" &optional

Boot file name.

A DHCP message.

See also: dhcp_message

DHCP::Options
Type:

record

options: index_vec &optional

The ordered list of all DHCP option numbers.

subnet_mask: addr &optional

Subnet Mask Value (option 1)

routers: DHCP::Addrs &optional

Router addresses (option 3)

dns_servers: DHCP::Addrs &optional

DNS Server addresses (option 6)

host_name: string &optional

The Hostname of the client (option 12)

domain_name: string &optional

The DNS domain name of the client (option 15)

forwarding: bool &optional

Enable/Disable IP Forwarding (option 19)

broadcast: addr &optional

Broadcast Address (option 28)

vendor: string &optional

Vendor specific data. This can frequently be unparsed binary data. (option 43)

nbns: DHCP::Addrs &optional

NETBIOS name server list (option 44)

addr_request: addr &optional

Address requested by the client (option 50)

lease: interval &optional

Lease time offered by the server. (option 51)

serv_addr: addr &optional

Server address to allow clients to distinguish between lease offers. (option 54)

param_list: index_vec &optional

DHCP Parameter Request list (option 55)

message: string &optional

Textual error message (option 56)

max_msg_size: count &optional

Maximum Message Size (option 57)

renewal_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)

rebinding_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)

vendor_class: string &optional

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)

client_id: DHCP::ClientID &optional

DHCP Client Identifier (Option 61)

user_class: string &optional

User Class opaque value (Option 77)

client_fqdn: DHCP::ClientFQDN &optional

DHCP Client FQDN (Option 81)

sub_opt: DHCP::SubOpts &optional

DHCP Relay Agent Information Option (Option 82)

auto_config: bool &optional

Auto Config option to let host know if it’s allowed to auto assign an IP address. (Option 116)

auto_proxy_config: string &optional

URL to find a proxy.pac for auto proxy config (Option 252)
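Every field of DHCP::Options is optional, so a handler has to test each one with ?$ before reading it. As an added example (not part of init-bare.bro or of the shipped DHCP scripts), the script below uses dhcp_message to spot rogue DHCP servers: any BOOTREPLY whose server identifier (option 54) is not on an allowlist, and any reply, even from an authorized server, that pushes an unexpected resolver (option 6). The module name, the notice types and both allowlists are assumptions.

```bro
@load base/frameworks/notice
@load base/protocols/dhcp

module RogueDHCP;   # assumed module name for this example

export {
	redef enum Notice::Type += {
		## A DHCP server reply from a host that is not on the allowlist.
		Unauthorized_Server,
		## An authorized server handed out a DNS server outside the allowlist.
		Unexpected_DNS_Server,
	};

	## Assumed allowlists; a real deployment fills these from inventory.
	const authorized_servers: set[addr] = { 10.0.0.2, 10.0.0.3 } &redef;
	const authorized_dns: set[addr] = { 10.0.0.53 } &redef;
}

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	# op 2 is BOOTREPLY; client requests carry op 1 and are of no interest here.
	if ( msg$op != 2 )
		return;

	# Option 54 names the server the client should talk to; the packet
	# source is the fallback when the option is absent.
	local server = options?$serv_addr ? options$serv_addr : c$id$orig_h;

	if ( server !in authorized_servers )
		{
		NOTICE([$note=Unauthorized_Server,
		        $msg=fmt("DHCP reply (m_type %d) from %s offering %s, routers %s",
		                 msg$m_type, server, msg$yiaddr,
		                 options?$routers ? cat(options$routers) : "none"),
		        $conn=c,
		        $identifier=cat(server)]);
		return;
		}

	if ( ! options?$dns_servers )
		return;

	# A legitimate server pushing an unknown resolver still diverts name
	# resolution, so option 6 is checked even for allowlisted servers.
	for ( i in options$dns_servers )
		{
		local dns = options$dns_servers[i];
		if ( dns !in authorized_dns )
			NOTICE([$note=Unexpected_DNS_Server,
			        $msg=fmt("%s pushed DNS server %s to %s", server, dns, msg$yiaddr),
			        $conn=c,
			        $identifier=cat(server, dns)]);
		}
	}
```

The $identifier fields let the notice framework suppress repeats per server (and per server/resolver pair), so a misconfigured but persistent host produces one notice per suppression interval rather than one per lease.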

DHCP::SubOpt
Type:

record

code: count

value: string

DHCP Relay Agent Information Option (Option 82).

See also: dhcp_message

DHCP::SubOpts
Type:vector of DHCP::SubOpt

DNSStats
Type:

record

requests: count

Number of DNS requests made

successful: count

Number of successful DNS replies.

failed: count

Number of DNS reply failures.

pending: count

Current pending queries.

cached_hosts: count

Number of cached hosts.

cached_addresses: count

Number of cached addresses.

Statistics related to Bro’s active use of DNS. These numbers are about Bro performing DNS queries on its own, not traffic being seen.

See also: get_dns_stats

EncapsulatingConnVector
Type:vector of Tunnel::EncapsulatingConn

A type alias for a vector of encapsulating “connections”, i.e. for when there are tunnels within tunnels.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

EventStats
Type:

record

queued: count

Total number of events queued so far.

dispatched: count

Total number of events dispatched so far.

FileAnalysisStats
Type:

record

current: count

Current number of files being analyzed.

max: count

Maximum number of concurrent files so far.

cumulative: count

Cumulative number of files analyzed.

Statistics of file analysis.

See also: get_file_analysis_stats

GapStats
Type:

record

ack_events: count

How many ack events could have had gaps.

ack_bytes: count

How many bytes those covered.

gap_events: count

How many did have gaps.

gap_bytes: count

How many bytes were missing in the gaps.

Statistics about number of gaps in TCP connections.

See also: get_gap_stats

IPAddrAnonymization
Type:

enum

KEEP_ORIG_ADDR
SEQUENTIALLY_NUMBERED
RANDOM_MD5
PREFIX_PRESERVING_A50
PREFIX_PRESERVING_MD5

Deprecated.

See also: anonymize_addr

IPAddrAnonymizationClass
Type:

enum

ORIG_ADDR
RESP_ADDR
OTHER_ADDR

Deprecated.

See also: anonymize_addr

JSON::TimestampFormat
Type:

enum

JSON::TS_EPOCH

Timestamps will be formatted as UNIX epoch doubles. This is the format in which Bro typically writes out timestamps.

JSON::TS_MILLIS

Timestamps will be formatted as unsigned integers that represent the number of milliseconds since the UNIX epoch.

JSON::TS_ISO8601

Timestamps will be formatted in the ISO8601 DateTime format. Subseconds are included as well; ISO 8601 permits a decimal fraction on the seconds field, though not every consumer that parses ISO8601 copes with one.

KRB::AP_Options
Type:

record

use_session_key: bool

Indicates that user-to-user authentication is in use

mutual_required: bool

Mutual authentication is required

AP Options. See RFC 4120

KRB::Error_Msg
Type:

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (30 for ERROR_MSG)

client_time: time &optional

Current time on the client

server_time: time

Current time on the server

error_code: count

The specific error code

client_realm: string &optional

Realm of the ticket

client_name: string &optional

Name on the ticket

service_realm: string

Realm of the service

service_name: string

Name of the service

error_text: string &optional

Additional text to explain the error

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

The data from the ERROR_MSG message. See RFC 4120.

KRB::Host_Address
Type:

record

ip: addr &log &optional

IPv4 or IPv6 address

netbios: string &log &optional

NetBIOS address

unknown: KRB::Type_Value &optional

Some other type that we don’t support yet

A Kerberos host address See RFC 4120.

KRB::Host_Address_Vector
Type:vector of KRB::Host_Address

KRB::KDC_Options
Type:

record

forwardable: bool

The ticket to be issued should have its forwardable flag set.

forwarded: bool

A (TGT) request for forwarding.

proxiable: bool

The ticket to be issued should have its proxiable flag set.

proxy: bool

A request for a proxy.

allow_postdate: bool

The ticket to be issued should have its may-postdate flag set.

postdated: bool

A request for a postdated ticket.

renewable: bool

The ticket to be issued should have its renewable flag set.

opt_hardware_auth: bool

Reserved for opt_hardware_auth

disable_transited_check: bool

Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.

renewable_ok: bool

If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable

enc_tkt_in_skey: bool

The ticket for the end server is to be encrypted in the session key from the additional TGT provided

renew: bool

The request is for a renewal

validate: bool

The request is to validate a postdated ticket.

KDC Options. See RFC 4120

KRB::KDC_Request
Type:

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (10 for AS_REQ, 12 for TGS_REQ)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

kdc_options: KRB::KDC_Options

Options specified in the request

client_name: string &optional

Name on the ticket

service_realm: string

Realm of the service

service_name: string &optional

Name of the service

from: time &optional

Time the ticket is good from

till: time

Time the ticket is good till

rtime: time &optional

The requested renew-till time

nonce: count

A random nonce generated by the client

encryption_types: vector of count

The desired encryption algorithms, in order of preference

host_addrs: vector of KRB::Host_Address &optional

Any additional addresses the ticket should be valid for

additional_tickets: vector of KRB::Ticket &optional

Additional tickets may be included for certain transactions

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

KRB::KDC_Response
Type:

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (11 for AS_REP, 13 for TGS_REP)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

client_realm: string &optional

Realm of the client named on the ticket

client_name: string

Name of the client the ticket was issued to

ticket: KRB::Ticket

The ticket that was issued

The data from the AS_REP and TGS_REP messages. See RFC 4120.
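The encryption_types vector of a KDC_Request and the cipher of the ticket in a KDC_Response are the fields that matter for spotting Kerberoasting, where a client asks for service tickets under RC4-HMAC so that the ticket ciphertext can be cracked offline against the service account password. The script below is an added example, not part of init-bare.bro or of the shipped KRB scripts: it raises one notice for TGS requests that offer only RC4 and another for service tickets actually issued under RC4. The module name and notice types are assumptions; the etype numbers are from RFC 3961 and RFC 4757.

```bro
@load base/frameworks/notice
@load base/protocols/krb

module KerberosEtype;   # assumed module name for this example

export {
	redef enum Notice::Type += {
		## TGS-REQ that offers only RC4-HMAC, a downgrade typical of
		## Kerberoasting tools.
		RC4_Only_Request,
		## A service ticket issued under RC4-HMAC; its ciphertext can be
		## brute-forced offline against the service account password.
		RC4_Service_Ticket,
	};
}

# Encryption type numbers (RFC 3961 / RFC 4757).
const ETYPE_RC4_HMAC = 23;
const ETYPE_AES128_CTS_HMAC_SHA1 = 17;
const ETYPE_AES256_CTS_HMAC_SHA1 = 18;

# The analyzer renders principal names with "/" between components, so a
# ticket-granting ticket shows up as "krbtgt/REALM".
function is_tgt(svc: string): bool
	{
	return sub_bytes(svc, 1, 7) == "krbtgt/";
	}

event krb_tgs_request(c: connection, msg: KRB::KDC_Request)
	{
	local saw_aes = F;
	local saw_rc4 = F;

	for ( i in msg$encryption_types )
		{
		local e = msg$encryption_types[i];
		if ( e == ETYPE_AES128_CTS_HMAC_SHA1 || e == ETYPE_AES256_CTS_HMAC_SHA1 )
			saw_aes = T;
		else if ( e == ETYPE_RC4_HMAC )
			saw_rc4 = T;
		}

	# Modern clients list AES first; a request that offers RC4 without
	# any AES type is the downgrade pattern worth flagging.
	if ( saw_rc4 && ! saw_aes )
		NOTICE([$note=RC4_Only_Request,
		        $msg=fmt("%s requested %s offering RC4 only",
		                 msg?$client_name ? msg$client_name : "<unknown>",
		                 msg?$service_name ? msg$service_name : "<unknown>"),
		        $conn=c,
		        $identifier=cat(c$id$orig_h)]);
	}

event krb_tgs_response(c: connection, msg: KRB::KDC_Response)
	{
	local t = msg$ticket;

	# Only service tickets matter here; TGTs are encrypted to krbtgt.
	if ( t$cipher != ETYPE_RC4_HMAC || is_tgt(t$service_name) )
		return;

	NOTICE([$note=RC4_Service_Ticket,
	        $msg=fmt("RC4 service ticket for %s@%s issued to %s",
	                 t$service_name, t$realm, msg$client_name),
	        $conn=c,
	        $identifier=cat(msg$client_name, t$service_name)]);
	}
```

Environments that still run legacy services will see RC4 tickets legitimately; the response-side notice is most useful when the service account set is small enough to allowlist, or when it is correlated with the request-side downgrade from the same client.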

KRB::SAFE_Msg
Type:

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (20 for SAFE_MSG)

data: string

The application-specific data that is being passed from the sender to the receiver

timestamp: time &optional

Current time from the sender of the message

seq: count &optional

Sequence number used to detect replays

sender: KRB::Host_Address &optional

Sender address

recipient: KRB::Host_Address &optional

Recipient address

The data from the SAFE message. See RFC 4120.

KRB::Ticket
Type:

record

pvno: count

Protocol version number (5 for KRB5)

realm: string

Realm

service_name: string

Name of the service

cipher: count

Cipher the ticket was encrypted with

ciphertext: string &optional

Cipher text of the ticket

authenticationinfo: string &optional

Authentication info

A Kerberos ticket. See RFC 4120.

KRB::Ticket_Vector
Type:vector of KRB::Ticket

KRB::Type_Value
Type:

record

data_type: count

The data type

val: string

The data value

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Type_Value_Vector
Type:vector of KRB::Type_Value

MOUNT3::dirmntargs_t
Type:

record

dirname: string

Name of directory to mount

MOUNT mnt arguments.

See also: mount_proc_mnt

MOUNT3::info_t
Type:

record

rpc_stat: rpc_status

The RPC status.

mnt_stat: MOUNT3::status_t

The MOUNT status.

req_start: time

The start time of the request.

req_dur: interval

The duration of the request.

req_len: count

The length in bytes of the request.

rep_start: time

The start time of the reply.

rep_dur: interval

The duration of the reply.

rep_len: count

The length in bytes of the reply.

rpc_uid: count

The user id of the reply.

rpc_gid: count

The group id of the reply.

rpc_stamp: count

The stamp of the reply.

rpc_machine_name: string

The machine name of the reply.

rpc_auxgids: index_vec

The auxiliary ids of the reply.

Record summarizing the general results and status of MOUNT3 request/reply pairs.

Note that when rpc_stat or mnt_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.

MOUNT3::mnt_reply_t
Type:

record

dirfh: string &optional

Dir handle

auth_flavors: vector of MOUNT3::auth_flavor_t &optional

Returned authentication flavors

MOUNT mnt reply. If the mount succeeded, dirfh is always set and auth_flavors lists the authentication flavors the server accepts for the export. If the mount failed, the reply record is left empty (see the note on MOUNT3::info_t).

See also: mount_proc_mnt
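Handling a MOUNT reply correctly means checking the layers in order: the RPC status in info_t first (RPC_status turns it into a readable message), then whether the MOUNT call itself produced a directory handle, and only then the fields of the reply. The script below is an added example, not part of init-bare.bro: a mount_proc_mnt handler that reports RPC-level failures and raises a notice when a client outside an allowed network successfully mounts an export, recording the AUTH_SYS credentials the client presented. The module name, the notice type and the client allowlist are assumptions.

```bro
@load base/frameworks/notice

module MountWatch;   # assumed module name for this example

export {
	redef enum Notice::Type += {
		## Successful mount of an export from outside the allowed networks.
		Unexpected_Mount_Client,
	};

	## Assumed allowlist of client networks permitted to mount exports.
	const allowed_clients: set[subnet] = { 10.0.0.0/8 } &redef;
}

event mount_proc_mnt(c: connection, info: MOUNT3::info_t,
                     req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)
	{
	# Nothing in the reply is meaningful unless the RPC layer succeeded.
	if ( info$rpc_stat != RPC_SUCCESS )
		{
		print fmt("MNT %s from %s failed at the RPC layer: %s",
		          req$dirname, c$id$orig_h, RPC_status[info$rpc_stat]);
		return;
		}

	# Per mnt_reply_t, the directory handle is present only when the
	# MOUNT call itself succeeded; a failed mount leaves the record empty.
	if ( ! rep?$dirfh )
		return;

	# addr in set[subnet] matches against any contained network.
	if ( c$id$orig_h in allowed_clients )
		return;

	# rpc_uid / rpc_machine_name are whatever the client claimed in its
	# AUTH_SYS credentials; they are unauthenticated but still useful context.
	NOTICE([$note=Unexpected_Mount_Client,
	        $msg=fmt("%s (uid %d, machine '%s') mounted %s; server accepts auth flavors %s",
	                 c$id$orig_h, info$rpc_uid, info$rpc_machine_name, req$dirname,
	                 rep?$auth_flavors ? cat(rep$auth_flavors) : "none"),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, req$dirname)]);
	}
```

A uid of 0 in the credentials combined with a server that only lists AUTH_UNIX (AUTH_SYS) in auth_flavors is the classic sign of an export that trusts whatever identity the client asserts.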

MatcherStats
Type:

record

matchers: count

Number of distinct RE matchers.

nfa_states: count

Number of NFA states across all matchers.

dfa_states: count

Number of DFA states across all matchers.

computed: count

Number of computed DFA state transitions.

mem: count

Number of bytes used by DFA states.

hits: count

Number of cache hits.

misses: count

Number of cache misses.

Statistics of all regular expression matchers.

See also: get_matcher_stats

ModbusCoils
Type:vector of bool

A vector of boolean values that indicate the setting for a range of modbus coils.

ModbusHeaders
Type:

record

tid: count

Transaction identifier

pid: count

Protocol identifier

uid: count

Unit identifier (previously ‘slave address’)

function_code: count

MODBUS function code

ModbusRegisters
Type:vector of count

A vector of count values that represent 16bit modbus register values.

NFS3::delobj_reply_t
Type:

record

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS reply for remove, rmdir. Corresponds to wcc_data in the spec.

See also: nfs_proc_remove, nfs_proc_rmdir

NFS3::direntry_t
Type:

record

fileid: count

E.g., inode number.

fname: string

Filename.

cookie: count

Cookie value.

attr: NFS3::fattr_t &optional

readdirplus: the fh attributes for the entry.

fh: string &optional

readdirplus: the fh for the entry

NFS direntry. fh and attr are used for readdirplus. However, even for readdirplus they may not be filled out.

See also: NFS3::direntry_vec_t, NFS3::readdir_reply_t

NFS3::direntry_vec_t
Type:vector of NFS3::direntry_t

Vector of NFS direntry.

See also: NFS3::readdir_reply_t

NFS3::diropargs_t
Type:

record

dirfh: string

The file handle of the directory.

fname: string

The name of the file we are interested in.

NFS readdir arguments.

See also: nfs_proc_readdir

NFS3::fattr_t
Type:

record

ftype: NFS3::file_type_t

File type.

mode: count

Mode

nlink: count

Number of links.

uid: count

User ID.

gid: count

Group ID.

size: count

Size.

used: count

TODO.

rdev1: count

TODO.

rdev2: count

TODO.

fsid: count

TODO.

fileid: count

TODO.

atime: time

Time of last access.

mtime: time

Time of last modification.

ctime: time

Time of creation.

NFS file attributes. Field names are based on RFC 1813.

See also: nfs_proc_getattr

NFS3::fsstat_t
Type:

record

attrs: NFS3::fattr_t &optional

Attributes.

tbytes: double

TODO.

fbytes: double

TODO.

abytes: double

TODO.

tfiles: double

TODO.

ffiles: double

TODO.

afiles: double

TODO.

invarsec: interval

TODO.

NFS fsstat.

NFS3::info_t
Type:

record

rpc_stat: rpc_status

The RPC status.

nfs_stat: NFS3::status_t

The NFS status.

req_start: time

The start time of the request.

req_dur: interval

The duration of the request.

req_len: count

The length in bytes of the request.

rep_start: time

The start time of the reply.

rep_dur: interval

The duration of the reply.

rep_len: count

The length in bytes of the reply.

rpc_uid: count

The user id of the reply.

rpc_gid: count

The group id of the reply.

rpc_stamp: count

The stamp of the reply.

rpc_machine_name: string

The machine name of the reply.

rpc_auxgids: index_vec

The auxiliary ids of the reply.

Record summarizing the general results and status of NFSv3 request/reply pairs.

Note that when rpc_stat or nfs_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status

Type:

record

post_attr: NFS3::fattr_t &optional

Optional post-operation attributes of the file system object identified by file.

preattr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ file.

postattr: NFS3::fattr_t &optional

Optional attributes associated w/ file.

NFS link reply.

See also: nfs_proc_link

NFS3::linkargs_t
Type:

record

fh: string

The file handle for the existing file system object.

link: NFS3::diropargs_t

The location of the link to be created.

NFS link arguments.

See also: nfs_proc_link

NFS3::lookup_reply_t
Type:

record

fh: string &optional

File handle of object looked up.

obj_attr: NFS3::fattr_t &optional

Optional attributes associated w/ file

dir_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS lookup reply. If the lookup failed, dir_attr may be set. If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set.

See also: nfs_proc_lookup

NFS3::newobj_reply_t
Type:

record

fh: string &optional

File handle of object created.

obj_attr: NFS3::fattr_t &optional

Optional attributes associated w/ new object.

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS reply for create, mkdir, and symlink. If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and the attr’s may be set. Note: no guarantee that fh is set after success.

See also: nfs_proc_create, nfs_proc_mkdir

NFS3::read_reply_t
Type:

record

attr: NFS3::fattr_t &optional

Attributes.

size: count &optional

Number of bytes read.

eof: bool &optional

Did the read end at EOF?

data: string &optional

The actual data; not yet implemented.

NFS read reply. If the read fails, attr may be set. If the read succeeds, attr may be set and all other fields are set.

NFS3::readargs_t
Type:

record

fh: string

File handle to read from.

offset: count

Offset in file.

size: count

Number of bytes to read.

NFS read arguments.

See also: nfs_proc_read

NFS3::readdir_reply_t
Type:

record

isplus: bool

True if the reply for a readdirplus request.

dir_attr: NFS3::fattr_t &optional

Directory attributes.

cookieverf: count &optional

TODO.

entries: NFS3::direntry_vec_t &optional

Returned directory entries.

eof: bool

If true, no more entries in directory.

NFS readdir reply. Used for readdir and readdirplus. If an error is returned, dir_attr might be set. On success, dir_attr may be set, all others must be set.

NFS3::readdirargs_t
Type:

record

isplus: bool

Is this a readdirplus request?

dirfh: string

The directory filehandle.

cookie: count

Cookie / pos in dir; 0 for first call.

cookieverf: count

The cookie verifier.

dircount: count

“count” field for readdir; maxcount otherwise (in bytes).

maxcount: count &optional

Only used for readdirplus; in bytes.

NFS readdir arguments. Used for both readdir and readdirplus.

See also: nfs_proc_readdir

Type:

record

attr: NFS3::fattr_t &optional

Attributes.

nfspath: string &optional

Contents of the symlink; in general a pathname as text.

NFS readlink reply. If the request fails, attr may be set. If the request succeeds, attr may be set and all other fields are set.

See also: nfs_proc_readlink

NFS3::renameobj_reply_t
Type:

record

src_dir_pre_attr: NFS3::wcc_attr_t

src_dir_post_attr: NFS3::fattr_t

dst_dir_pre_attr: NFS3::wcc_attr_t

dst_dir_post_attr: NFS3::fattr_t

NFS reply for rename. Corresponds to wcc_data in the spec.

See also: nfs_proc_rename

NFS3::renameopargs_t
Type:

record

src_dirfh: string

src_fname: string

dst_dirfh: string

dst_fname: string

NFS rename arguments.

See also: nfs_proc_rename

NFS3::sattr_reply_t
Type:

record

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS sattr reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr are set.

NFS3::sattr_t
Type:

record

mode: count &optional

Mode

uid: count &optional

User ID.

gid: count &optional

Group ID.

size: count &optional

Size.

atime: NFS3::time_how_t &optional

Time of last access.

mtime: NFS3::time_how_t &optional

Time of last modification.

NFS file attributes. Field names are based on RFC 1813.

See also: nfs_proc_sattr

NFS3::sattrargs_t
Type:

record

fh: string

The file handle for the existing file system object.

new_attributes: NFS3::sattr_t

The new attributes for the file.

NFS sattr arguments.

See also: nfs_proc_sattr

NFS3::symlinkargs_t
Type:

record

link: NFS3::diropargs_t

The location of the link to be created.

symlinkdata: NFS3::symlinkdata_t

The symbolic link to be created.

NFS symlink arguments.

See also: nfs_proc_symlink

NFS3::symlinkdata_t
Type:

record

symlink_attributes: NFS3::sattr_t

The initial attributes for the symbolic link

nfspath: string &optional

The string containing the symbolic link data.

NFS symlinkdata attributes. Field names are based on RFC 1813.

See also: nfs_proc_symlink

NFS3::wcc_attr_t
Type:

record

size: count

The size.

atime: time

Access time.

mtime: time

Modification time.

NFS wcc attributes.

See also: NFS3::write_reply_t

NFS3::write_reply_t
Type:

record

preattr: NFS3::wcc_attr_t &optional

Pre operation attributes.

postattr: NFS3::fattr_t &optional

Post operation attributes.

size: count &optional

Size.

commited: NFS3::stable_how_t &optional

TODO.

verf: count &optional

Write verifier cookie.

NFS write reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr may be set and all other fields are set.

See also: nfs_proc_write

NFS3::writeargs_t
Type:

record

fh: string

File handle to write to.

offset: count

Offset in file.

size: count

Number of bytes to write.

stable: NFS3::stable_how_t

How and when data is committed.

data: string &optional

The actual data; not implemented yet.

NFS write arguments.

See also: nfs_proc_write

NTLM::AVs
Type:

record

nb_computer_name: string

The server’s NetBIOS computer name

nb_domain_name: string

The server’s NetBIOS domain name

dns_computer_name: string &optional

The FQDN of the computer

dns_domain_name: string &optional

The FQDN of the domain

dns_tree_name: string &optional

The FQDN of the forest

constrained_auth: bool &optional

Indicates to the client that the account authentication is constrained

timestamp: time &optional

The associated timestamp, if present

single_host_id: count &optional

Indicates that the client is providing a machine ID created at computer startup to identify the calling machine

target_name: string &optional

The SPN of the target server

NTLM::Authenticate
Type:

record

flags: NTLM::NegotiateFlags

The negotiate flags

domain_name: string &optional

The domain or computer name hosting the account

user_name: string &optional

The name of the user to be authenticated.

workstation: string &optional

The name of the computer to which the user was logged on.

session_key: string &optional

The session key

version: NTLM::Version &optional

The Windows version information, if supplied

NTLM::Challenge
Type:

record

flags: NTLM::NegotiateFlags

The negotiate flags

target_name: string &optional

The server authentication realm. If the server is domain-joined, the name of the domain. Otherwise the server name. See flags.target_type_domain and flags.target_type_server

version: NTLM::Version &optional

The Windows version information, if supplied

target_info: NTLM::AVs &optional

Attribute-value pairs specified by the server

NTLM::Negotiate
Type:

record

flags: NTLM::NegotiateFlags

The negotiate flags

domain_name: string &optional

The domain name of the client, if known

workstation: string &optional

The machine name of the client, if known

version: NTLM::Version &optional

The Windows version information, if supplied

NTLM::NegotiateFlags
Type:

record

negotiate_56: bool

If set, requires 56-bit encryption

negotiate_key_exch: bool

If set, requests an explicit key exchange

negotiate_128: bool

If set, requests 128-bit session key negotiation

negotiate_version: bool

If set, requests the protocol version number

negotiate_target_info: bool

If set, indicates that the TargetInfo fields in the CHALLENGE_MESSAGE are populated

request_non_nt_session_key: bool

If set, requests the usage of the LMOWF function

negotiate_identify: bool

If set, requests an identify-level token

negotiate_extended_sessionsecurity: bool

If set, requests usage of NTLM v2 session security. Note: NTLM v2 session security is actually NTLM v1.

target_type_server: bool

If set, TargetName must be a server name

target_type_domain: bool

If set, TargetName must be a domain name

negotiate_always_sign: bool

If set, requests the presence of a signature block on all messages

negotiate_oem_workstation_supplied: bool

If set, the workstation name is provided

negotiate_oem_domain_supplied: bool

If set, the domain name is provided

negotiate_anonymous_connection: bool

If set, the connection should be anonymous

negotiate_ntlm: bool

If set, requests usage of NTLM v1

negotiate_lm_key: bool

If set, requests LAN Manager session key computation

negotiate_datagram: bool

If set, requests connectionless authentication

negotiate_seal: bool

If set, requests session key negotiation for message confidentiality

negotiate_sign: bool

If set, requests session key negotiation for message signatures

request_target: bool

If set, the TargetName field is present

negotiate_oem: bool

If set, requests OEM character set encoding

negotiate_unicode: bool

If set, requests Unicode character set encoding

NTLM::Version
Type:

record

major: count

The major version of the Windows operating system in use

minor: count

The minor version of the Windows operating system in use

build: count

The build number of the Windows operating system in use

ntlmssp: count

The current revision of NTLMSSP in use

NetStats
Type:

record

pkts_recvd: count &default = 0 &optional

Packets received by Bro.

pkts_dropped: count &default = 0 &optional

Packets reported dropped by the system.

pkts_link: count &default = 0 &optional

Packets seen on the link. Note that this may differ from pkts_recvd because of a potential capture_filter. See base/frameworks/packet-filter/main.bro. Depending on the packet capture system, this value may not be available and will then be always set to zero.

bytes_recvd: count &default = 0 &optional

Bytes received by Bro.

Packet capture statistics. All counts are cumulative.

See also: get_net_stats

OS_version
Type:

record

genre: string

Linux, Windows, AIX, …

detail: string

Kernel version or such.

dist: count

How far is the host away from the sensor (TTL)?

match_type: OS_version_inference

Quality of the match.

Passive fingerprinting match.

See also: OS_version_found

OS_version_inference
Type:

enum

direct_inference

TODO.

generic_inference

TODO.

fuzzy_inference

TODO.

Quality of passive fingerprinting matches.

See also: OS_version

PE::DOSHeader
Type:

record

signature: string

The magic number of a portable executable file (“MZ”).

used_bytes_in_last_page: count

The number of bytes in the last page that are used.

file_in_pages: count

The number of pages in the file that are part of the PE file itself.

num_reloc_items: count

Number of relocation entries stored after the header.

header_in_paragraphs: count

Number of paragraphs in the header.

min_extra_paragraphs: count

Number of paragraphs of additional memory that the program will need.

max_extra_paragraphs: count

Maximum number of paragraphs of additional memory.

init_relative_ss: count

Relative value of the stack segment.

init_sp: count

Initial value of the SP register.

checksum: count

Checksum. The 16-bit sum of all words in the file should be 0. Normally not set.

init_ip: count

Initial value of the IP register.

init_relative_cs: count

Initial value of the CS register (relative to the initial segment).

addr_of_reloc_table: count

Offset of the first relocation table.

overlay_num: count

Overlays allow you to append data to the end of the file. If this is the main program, this will be 0.

oem_id: count

OEM identifier.

oem_info: count

Additional OEM info, specific to oem_id.

addr_of_new_exe_header: count

Address of the new EXE header.

PE::FileHeader
Type:

record

machine: count

The target machine that the file was compiled for.

ts: time

The time that the file was created at.

sym_table_ptr: count

Pointer to the symbol table.

num_syms: count

Number of symbols.

optional_header_size: count

The size of the optional header.

characteristics: set [count]

Bit flags that determine if this file is executable, non-relocatable, and/or a DLL.

PE::OptionalHeader
Type:

record

magic: count

PE32 or PE32+ indicator.

major_linker_version: count

The major version of the linker used to create the PE.

minor_linker_version: count

The minor version of the linker used to create the PE.

size_of_code: count

Size of the .text section.

size_of_init_data: count

Size of the .data section.

size_of_uninit_data: count

Size of the .bss section.

addr_of_entry_point: count

The relative virtual address (RVA) of the entry point.

base_of_code: count

The relative virtual address (RVA) of the .text section.

base_of_data: count &optional

The relative virtual address (RVA) of the .data section.

image_base: count

Preferred memory location for the image to be based at.

section_alignment: count

The alignment (in bytes) of sections when they’re loaded in memory.

file_alignment: count

The alignment (in bytes) of the raw data of sections.

os_version_major: count

The major version of the required OS.

os_version_minor: count

The minor version of the required OS.

major_image_version: count

The major version of this image.

minor_image_version: count

The minor version of this image.

major_subsys_version: count

The major version of the subsystem required to run this file.

minor_subsys_version: count

The minor version of the subsystem required to run this file.

size_of_image: count

The size (in bytes) of the image as the image is loaded in memory.

size_of_headers: count

The size (in bytes) of the headers, rounded up to file_alignment.

checksum: count

The image file checksum.

subsystem: count

The subsystem that’s required to run this image.

dll_characteristics: set [count]

Bit flags that determine how to execute or load this file.

table_sizes: vector of count

A vector with the sizes of various tables and strings that are defined in the optional header data directories. Examples include the import table, the resource table, and debug information.

PE::SectionHeader
Type:

record

name: string

The name of the section

virtual_size: count

The total size of the section when loaded into memory.

virtual_addr: count

The relative virtual address (RVA) of the section.

size_of_raw_data: count

The size of the initialized data for the section, as it is in the file on disk.

ptr_to_raw_data: count

The virtual address of the initialized data for the section, as it is in the file on disk.

ptr_to_relocs: count

The file pointer to the beginning of relocation entries for the section.

ptr_to_line_nums: count

The file pointer to the beginning of line-number entries for the section.

num_of_relocs: count

The number of relocation entries for the section.

num_of_line_nums: count

The number of line-number entries for the section.

characteristics: set [count]

Bit-flags that describe the characteristics of the section.

Record for Portable Executable (PE) section headers.

PcapFilterID
Type:

enum

None

PacketFilter::DefaultPcapFilter

(present if base/frameworks/packet-filter/main.bro is loaded)

PacketFilter::FilterTester

(present if base/frameworks/packet-filter/main.bro is loaded)

Enum type identifying dynamic BPF filters. These are used by Pcap::precompile_pcap_filter and Pcap::install_pcap_filter.

ProcStats
Type:

record

debug: bool

True if compiled with --enable-debug.

start_time: time

Start time of process.

real_time: interval

Elapsed real time since Bro started running.

user_time: interval

User CPU seconds.

system_time: interval

System CPU seconds.

mem: count

Maximum memory consumed, in KB.

minor_faults: count

Page faults not requiring actual I/O.

major_faults: count

Page faults requiring actual I/O.

num_swap: count

Times swapped out.

blocking_input: count

Blocking input operations.

blocking_output: count

Blocking output operations.

num_context: count

Number of involuntary context switches.

Statistics about Bro’s process.

See also: get_proc_stats

Note

All process-level values refer to Bro’s main process only, not to the child process it spawns for doing communication.

RADIUS::AttributeList
Type:vector of string

RADIUS::Attributes
Type:table [count] of RADIUS::AttributeList

RADIUS::Message
Type:

record

code: count

The type of message (Access-Request, Access-Accept, etc.).

trans_id: count

The transaction ID.

authenticator: string

The “authenticator” string.

attributes: RADIUS::Attributes &optional

Any attributes.

RDP::ClientCoreData
Type:

record

version_major: count

version_minor: count

desktop_width: count

desktop_height: count

color_depth: count

sas_sequence: count

keyboard_layout: count

client_build: count

client_name: string

keyboard_type: count

keyboard_sub: count

keyboard_function_key: count

ime_file_name: string

post_beta2_color_depth: count &optional

client_product_id: string &optional

serial_number: count &optional

high_color_depth: count &optional

supported_color_depths: count &optional

ec_flags: RDP::EarlyCapabilityFlags &optional

dig_product_id: string &optional

RDP::EarlyCapabilityFlags
Type:

record

support_err_info_pdu: bool

want_32bpp_session: bool

support_statusinfo_pdu: bool

strong_asymmetric_keys: bool

support_monitor_layout_pdu: bool

support_netchar_autodetect: bool

support_dynvc_gfx_protocol: bool

support_dynamic_time_zone: bool

support_heartbeat_pdu: bool

ReassemblerStats
Type:

record

file_size: count

Byte size of File reassembly tracking.

frag_size: count

Byte size of Fragment reassembly tracking.

tcp_size: count

Byte size of TCP reassembly tracking.

unknown_size: count

Byte size of reassembly tracking for unknown purposes.

Holds statistics for all types of reassembly.

See also: get_reassembler_stats

ReporterStats
Type:

record

weirds: count

Number of total weirds encountered, before any rate-limiting.

weirds_by_type: table [string] of count

Number of times each individual weird is encountered, before any rate-limiting is applied.

Statistics about reporter messages and weirds.

See also: get_reporter_stats

SMB1::Find_First2_Request_Args
Type:

record

search_attrs: count

File attributes to apply as a constraint to the search

search_count: count

Max search results

flags: count

Misc. flags for how the server should manage the transaction once results are returned

info_level: count

How detailed the information returned in the results should be

search_storage_type: count

Specify whether to search for directories or files

file_name: string

The string to search for (note: may contain wildcards)

SMB1::Find_First2_Response_Args
Type:

record

sid: count

The server generated search identifier

search_count: count

Number of results returned by the search

end_of_search: bool

Whether or not the search can be continued using the TRANS2_FIND_NEXT2 transaction

ext_attr_error: string &optional

An extended attribute name that couldn’t be retrieved

SMB1::Header
Type:

record

command: count

The command number

status: count

The status code

flags: count

Flag set 1

flags2: count

Flag set 2

tid: count

Tree ID

pid: count

Process ID

uid: count

User ID

mid: count

Multiplex ID

An SMB1 header.

See also: smb1_message, smb1_empty_response, smb1_error, smb1_check_directory_request, smb1_check_directory_response, smb1_close_request, smb1_create_directory_request, smb1_create_directory_response, smb1_echo_request, smb1_echo_response, smb1_negotiate_request, smb1_negotiate_response, smb1_nt_cancel_request, smb1_nt_create_andx_request, smb1_nt_create_andx_response, smb1_query_information_request, smb1_read_andx_request, smb1_read_andx_response, smb1_session_setup_andx_request, smb1_session_setup_andx_response, smb1_transaction_request, smb1_transaction2_request, smb1_trans2_find_first2_request, smb1_trans2_query_path_info_request, smb1_trans2_get_dfs_referral_request, smb1_tree_connect_andx_request, smb1_tree_connect_andx_response, smb1_tree_disconnect, smb1_write_andx_request, smb1_write_andx_response

SMB1::NegotiateCapabilities
Type:

record

raw_mode: bool

The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW

mpx_mode: bool

The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX

unicode: bool

The server supports unicode strings

large_files: bool

The server supports large files with 64 bit offsets

nt_smbs: bool

The server supports the SMBs particular to the NT LM 0.12 dialect. Implies nt_find.

rpc_remote_apis: bool

The server supports remote admin API requests via DCE-RPC

status32: bool

The server can respond with 32 bit status codes in Status.Status

level_2_oplocks: bool

The server supports level 2 oplocks

lock_and_read: bool

The server supports SMB_COM_LOCK_AND_READ

nt_find: bool

Reserved

dfs: bool

The server is DFS aware

infolevel_passthru: bool

The server supports NT information level requests passing through

large_readx: bool

The server supports large SMB_COM_READ_ANDX (up to 64k)

large_writex: bool

The server supports large SMB_COM_WRITE_ANDX (up to 64k)

unix: bool

The server supports CIFS Extensions for UNIX

bulk_transfer: bool

The server supports SMB_BULK_READ and SMB_BULK_WRITE. Note: No known implementations support this.

compressed_data: bool

The server supports compressed data transfer. Requires bulk_transfer. Note: No known implementations support this.

extended_security: bool

The server supports extended security exchanges

SMB1::NegotiateRawMode
Type:

record

read_raw: bool

Read raw supported

write_raw: bool

Write raw supported

SMB1::NegotiateResponse
Type:

record

core: SMB1::NegotiateResponseCore &optional

If the server does not understand any of the dialect strings, or if PC NETWORK PROGRAM 1.0 is the chosen dialect.

lanman: SMB1::NegotiateResponseLANMAN &optional

If the chosen dialect is greater than core up to and including LANMAN 2.1.

ntlm: SMB1::NegotiateResponseNTLM &optional

If the chosen dialect is NT LM 0.12.

SMB1::NegotiateResponseCore
Type:

record

dialect_index: count

Index of selected dialect

SMB1::NegotiateResponseLANMAN
Type:

record

word_count: count

Count of parameter words (should be 13)

dialect_index: count

Index of selected dialect

security_mode: SMB1::NegotiateResponseSecurity

Security mode

max_buffer_size: count

Max transmit buffer size (>= 1024)

max_mpx_count: count

Max pending multiplexed requests

max_number_vcs: count

Max number of virtual circuits (VCs - transport-layer connections) between client and server

raw_mode: SMB1::NegotiateRawMode

Raw mode

session_key: count

Unique token identifying this session

server_time: time

Current date and time at server

encryption_key: string

The challenge encryption key

primary_domain: string

The server’s primary domain

SMB1::NegotiateResponseNTLM
Type:

record

word_count: count

Count of parameter words (should be 17)

dialect_index: count

Index of selected dialect

security_mode: SMB1::NegotiateResponseSecurity

Security mode

max_buffer_size: count

Max transmit buffer size

max_mpx_count: count

Max pending multiplexed requests

max_number_vcs: count

Max number of virtual circuits (VCs - transport-layer connections) between client and server

max_raw_size: count

Max raw buffer size

session_key: count

Unique token identifying this session

capabilities: SMB1::NegotiateCapabilities

Server capabilities

server_time: time

Current date and time at server

encryption_key: string &optional

The challenge encryption key. Present only for non-extended security (i.e. capabilities$extended_security = F)

domain_name: string &optional

The name of the domain. Present only for non-extended security (i.e. capabilities$extended_security = F)

guid: string &optional

A globally unique identifier assigned to the server. Present only for extended security (i.e. capabilities$extended_security = T)

security_blob: string

Opaque security blob associated with the security package if capabilities$extended_security = T. Otherwise, the challenge for challenge/response authentication.

SMB1::NegotiateResponseSecurity
Type:

record

user_level: bool

This indicates whether the server, as a whole, is operating under Share Level or User Level security.

challenge_response: bool

This indicates whether or not the server supports Challenge/Response authentication. If the bit is false, then plaintext passwords must be used.

signatures_enabled: bool &optional

This indicates if the server is capable of performing MAC message signing. Note: Requires NT LM 0.12 or later.

signatures_required: bool &optional

This indicates if the server is requiring the use of a MAC in each packet. If false, message signing is optional. Note: Requires NT LM 0.12 or later.
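The security_mode fields above (reached through SMB1::NegotiateResponse and SMB1::NegotiateResponseNTLM / SMB1::NegotiateResponseLANMAN) are enough to audit what an SMB1 server will accept. The following script is an added example, not part of init-bare.bro; it assumes the smb1_negotiate_response event carries (c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse) and raises a notice for servers that allow unsigned sessions or plaintext passwords.

```bro
# Added example (not from init-bare.bro): audit the security mode an SMB1
# server advertises in its negotiate response. The event signature is
# assumed to be (c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse).

@load base/frameworks/notice
@load base/protocols/smb

module SMB1SigningAudit;

export {
    redef enum Notice::Type += {
        ## The server accepts sessions without message signing (MAC).
        Signing_Not_Required,
        ## The server does not support challenge/response authentication,
        ## so clients must send plaintext passwords.
        Plaintext_Auth,
    };
}

event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse)
    {
    local sec: SMB1::NegotiateResponseSecurity;

    # Only the LANMAN and NT LM 0.12 variants of the response carry a
    # security_mode; the core dialect has nothing to inspect.
    if ( response?$ntlm )
        sec = response$ntlm$security_mode;
    else if ( response?$lanman )
        sec = response$lanman$security_mode;
    else
        return;

    if ( ! sec$challenge_response )
        NOTICE([$note=Plaintext_Auth, $conn=c,
                $msg=fmt("SMB1 server %s does not support challenge/response authentication",
                         c$id$resp_h),
                $identifier=cat(c$id$resp_h)]);

    # signatures_required is &optional: it is present only for NT LM 0.12
    # or later, so test for presence before reading it.
    if ( sec?$signatures_required && ! sec$signatures_required )
        NOTICE([$note=Signing_Not_Required, $conn=c,
                $msg=fmt("SMB1 server %s does not require message signing",
                         c$id$resp_h),
                $identifier=cat(c$id$resp_h)]);
    }
```

Because $identifier is the server address, Notice::default_suppression_interval keeps a chatty server from producing one notice per connection.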

SMB1::SessionSetupAndXCapabilities
Type:

record

unicode: bool

The client can use unicode strings

large_files: bool

The client can deal with files having 64 bit offsets

nt_smbs: bool

The client understands the SMBs introduced with NT LM 0.12. Implies nt_find.

status32: bool

The client can receive 32 bit errors encoded in Status.Status

level_2_oplocks: bool

The client understands Level II oplocks

nt_find: bool

Reserved. Implied by nt_smbs.

SMB1::SessionSetupAndXRequest
Type:

record

word_count: count

Count of parameter words:

  • 10 for pre NT LM 0.12
  • 12 for NT LM 0.12 with extended security
  • 13 for NT LM 0.12 without extended security

max_buffer_size: count

Client maximum buffer size

max_mpx_count: count

Actual maximum multiplexed pending request

vc_number: count

Virtual circuit number. First VC == 0

session_key: count

Session key (valid iff vc_number > 0)

native_os: string

Client’s native operating system

native_lanman: string

Client’s native LAN Manager type

account_name: string &optional

Account name. Note: not set for NT LM 0.12 with extended security.

account_password: string &optional

If challenge/response auth is not being used, this is the password. Otherwise, it’s the response to the server’s challenge. Note: Only set for pre NT LM 0.12.

primary_domain: string &optional

Client’s primary domain, if known. Note: not set for NT LM 0.12 with extended security.

case_insensitive_password: string &optional

Case insensitive password. Note: only set for NT LM 0.12 without extended security.

case_sensitive_password: string &optional

Case sensitive password. Note: only set for NT LM 0.12 without extended security.

security_blob: string &optional

Security blob. Note: only set for NT LM 0.12 with extended security.

capabilities: SMB1::SessionSetupAndXCapabilities &optional

Client capabilities. Note: only set for NT LM 0.12.

SMB1::SessionSetupAndXResponse
Type:

record

word_count: count

Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)

is_guest: bool &optional

Were we logged in as a guest user?

native_os: string &optional

Server’s native operating system

native_lanman: string &optional

Server’s native LAN Manager type

primary_domain: string &optional

Server’s primary domain

security_blob: string &optional

Security blob if NTLM

SMB1::Trans2_Args
Type:

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

max_param_count: count

Max parameter count

max_data_count: count

Max data count

max_setup_count: count

Max setup count

flags: count

Flags

trans_timeout: count

Timeout

param_count: count

Parameter count

param_offset: count

Parameter offset

data_count: count

Data count

data_offset: count

Data offset

setup_count: count

Setup count

SMB1::Trans2_Sec_Args
Type:

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

param_count: count

Parameter count

param_offset: count

Parameter offset

param_displacement: count

Parameter displacement

data_count: count

Data count

data_offset: count

Data offset

data_displacement: count

Data displacement

FID: count

File ID

SMB1::Trans_Sec_Args
Type:

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

param_count: count

Parameter count

param_offset: count

Parameter offset

param_displacement: count

Parameter displacement

data_count: count

Data count

data_offset: count

Data offset

data_displacement: count

Data displacement

SMB2::CloseResponse
Type:

record

alloc_size: count

The size, in bytes of the data that is allocated to the file.

eof: count

The size, in bytes, of the file.

times: SMB::MACTimes

The creation, last access, last write, and change times.

attrs: SMB2::FileAttrs

The attributes of the file.

The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.

For more information, see MS-SMB2:2.2.16

See also: smb2_close_response

SMB2::CreateRequest
Type:

record

filename: string

Name of the file

disposition: count

Defines the action the server MUST take if the file that is specified already exists.

create_options: count

Specifies the options to be applied when creating or opening the file.

The request sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.13

See also: smb2_create_request

SMB2::CreateResponse
Type:

record

file_id: SMB2::GUID

The SMB2 GUID for the file.

size: count

Size of the file.

times: SMB::MACTimes

Timestamps associated with the file in question.

attrs: SMB2::FileAttrs

File attributes.

create_action: count

The action taken in establishing the open.

The response to an SMB2 create request, which is sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.14

See also: smb2_create_response

SMB2::FileAttrs
Type:

record

read_only: bool

The file is read only. Applications can read the file but cannot write to it or delete it.

hidden: bool

The file is hidden. It is not to be included in an ordinary directory listing.

system: bool

The file is part of or is used exclusively by the operating system.

directory: bool

The file is a directory.

archive: bool

The file has not been archived since it was last modified. Applications use this attribute to mark files for backup or removal.

normal: bool

The file has no other attributes set. This attribute is valid only if used alone.

temporary: bool

The file is temporary. This is a hint to the cache manager that it does not need to flush the file to backing storage.

sparse_file: bool

A file that is a sparse file.

reparse_point: bool

A file or directory that has an associated reparse point.

compressed: bool

The file or directory is compressed. For a file, this means that all of the data in the file is compressed. For a directory, this means that compression is the default for newly created files and subdirectories.

offline: bool

The data in this file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is hierarchical storage management software.

not_content_indexed: bool

A file or directory that is not indexed by the content indexing service.

encrypted: bool

A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.

integrity_stream: bool

A file or directory that is configured with integrity support. For a file, all data streams in the file have integrity support. For a directory, integrity support is the default for newly created files and subdirectories, unless the caller specifies otherwise.

no_scrub_data: bool

A file or directory that is configured to be excluded from the data integrity scan.

A series of boolean flags describing basic and extended file attributes for SMB2.

For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6

See also: smb2_create_response

SMB2::GUID
Type:

record

persistent: count

A file handle that remains persistent when reconnected after a disconnect

volatile: count

A file handle that can be changed when reconnected after a disconnect

An SMB2 globally unique identifier which identifies a file.

For more information, see MS-SMB2:2.2.14.1

See also: smb2_close_request, smb2_create_response, smb2_read_request, smb2_file_rename, smb2_file_delete, smb2_write_request

SMB2::Header
Type:

record

credit_charge: count

The number of credits that this request consumes

status: count

In a request, this is an indication to the server about the client’s channel change. In a response, this is the status field

command: count

The command code of the packet

credits: count

The number of credits the client is requesting, or the number of credits granted to the client in a response.

flags: count

A flags field, which indicates how to process the operation (e.g. asynchronously)

message_id: count

A value that uniquely identifies the message request/response pair across all messages that are sent on the same transport protocol connection

process_id: count

A value that uniquely identifies the process that generated the event.

tree_id: count

A value that uniquely identifies the tree connect for the command.

session_id: count

A value that uniquely identifies the established session for the command.

signature: string

The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the flags field.

An SMB2 header.

For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2

See also: smb2_message, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_file_rename, smb2_file_delete, smb2_tree_connect_request, smb2_tree_connect_response, smb2_write_request

SMB2::NegotiateResponse
Type:

record

dialect_revision: count

The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 NEGOTIATE Request.

security_mode: count

The security mode field specifies whether SMB signing is enabled, required at the server, or both.

server_guid: string

A globally unique identifier that is generated by the server to uniquely identify the server.

system_time: time

The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.

server_start_time: time

The SMB2 server start time.

The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.

For more information, see MS-SMB2:2.2.4

See also: smb2_negotiate_response

SMB2::SessionSetupFlags
Type:

record

guest: bool

If set, the client has been authenticated as a guest user.

anonymous: bool

If set, the client has been authenticated as an anonymous user.

encrypt: bool

If set, the server requires encryption of messages on this session.

A flags field that indicates additional information about the session that’s sent in the session_setup response.

For more information, see MS-SMB2:2.2.6

See also: smb2_session_setup_response

SMB2::SessionSetupRequest
Type:

record

security_mode: count

The security mode field specifies whether SMB signing is enabled or required at the client.

The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.5

See also: smb2_session_setup_request

SMB2::SessionSetupResponse
Type:

record

flags: SMB2::SessionSetupFlags

Additional information about the session

The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.6

See also: smb2_session_setup_response
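The security_mode field of SMB2::NegotiateResponse and the guest/anonymous flags of SMB2::SessionSetupFlags are the two places where a weak SMB2 session announces itself. The following script is an added example, not part of init-bare.bro; it assumes the smb2_negotiate_response and smb2_session_setup_response event signatures of Bro's SMB2 analyzer, and takes the signing bit values (0x01 enabled, 0x02 required) from MS-SMB2 2.2.4.

```bro
##! Added example, not part of init-bare.bro: raise notices for SMB2 sessions
##! negotiated without required signing or set up as guest/anonymous.

@load base/frameworks/notice
@load base/protocols/smb

module SMB2Weak;

export {
    redef enum Notice::Type += {
        ## The server negotiated SMB2 without requiring message signing.
        Signing_Not_Required,
        ## The session was authenticated as guest or anonymous.
        Guest_Or_Anonymous_Session,
    };
    ## Bit values of NegotiateResponse$security_mode, per MS-SMB2 2.2.4.
    const SIGNING_ENABLED: count = 0x01;
    const SIGNING_REQUIRED: count = 0x02;
}

## Decode the security_mode bitmask into a label for the notice message.
function signing_label(security_mode: count): string
    {
    if ( (security_mode & SIGNING_REQUIRED) != 0 )
        return "required";
    if ( (security_mode & SIGNING_ENABLED) != 0 )
        return "enabled";
    return "disabled";
    }

event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse)
    {
    # Signing that is merely "enabled" still allows an unsigned session to be set up.
    if ( (response$security_mode & SIGNING_REQUIRED) == 0 )
        NOTICE([$note=Signing_Not_Required, $conn=c,
                $msg=fmt("SMB2 dialect 0x%04x negotiated with signing %s",
                         response$dialect_revision, signing_label(response$security_mode)),
                $identifier=cat(c$id$resp_h)]);
    }

event smb2_session_setup_response(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse)
    {
    local f = response$flags;
    if ( f$guest || f$anonymous )
        NOTICE([$note=Guest_Or_Anonymous_Session, $conn=c,
                $msg=fmt("SMB2 session %d set up as %s, encrypt=%s",
                         hdr$session_id, f$guest ? "guest" : "anonymous", f$encrypt),
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

The $identifier keeps Notice's default suppression from repeating the same finding for the same server or client/server pair on every connection.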

SMB2::TreeConnectResponse
Type:

record

share_type: count

The type of share being accessed: physical disk, named pipe, or printer.

The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.

For more information, see MS-SMB2:2.2.9

See also: smb2_tree_connect_response

SMB::MACTimes
Type:

record

modified: time &log

The time when data was last written to the file.

accessed: time &log

The time when the file was last accessed.

created: time &log

The time the file was created.

changed: time &log

The time when the file was last modified.

Attributes:

&log

MAC times for a file.

For more information, see MS-SMB2:2.2.16

See also: smb1_nt_create_andx_response, smb2_create_response

SNMP::Binding
Type:

record

oid: string

value: SNMP::ObjectValue

The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.

SNMP::Bindings
Type: vector of SNMP::Binding

A VarBindList data structure from either RFC 1157 or RFC 3416. A sequence of SNMP::Binding, which maps OIDs to values.

SNMP::BulkPDU
Type:

record

request_id: int

non_repeaters: count

max_repititions: count

bindings: SNMP::Bindings

A BulkPDU data structure from RFC 3416.

SNMP::Header
Type:

record

version: count

v1: SNMP::HeaderV1 &optional

Set when version is 0.

v2: SNMP::HeaderV2 &optional

Set when version is 1.

v3: SNMP::HeaderV3 &optional

Set when version is 3.

A generic SNMP header data structure that may include data from any version of SNMP. The value of the version field determines what header field is initialized.

SNMP::HeaderV1
Type:

record

community: string

The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.

SNMP::HeaderV2
Type:

record

community: string

The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.

SNMP::HeaderV3
Type:

record

id: count

max_size: count

flags: count

auth_flag: bool

priv_flag: bool

reportable_flag: bool

security_model: count

security_params: string

pdu_context: SNMP::ScopedPDU_Context &optional

The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.

SNMP::ObjectValue
Type:

record

tag: count

oid: string &optional

signed: int &optional

unsigned: count &optional

address: addr &optional

octets: string &optional

A generic SNMP object value that may hold any of the valid ObjectSyntax values from RFC 1155 or RFC 3416. The value is decoded whenever possible and assigned to the appropriate field, which can be determined from the value of the tag field. For tags that can’t be mapped to an appropriate type, the octets field holds the BER-encoded ASN.1 content if there is any (though octets may also be used for other tags, such as OCTET STRING or Opaque). Null values will only have their corresponding tag value set.

SNMP::PDU
Type:

record

request_id: int

error_status: int

error_index: int

bindings: SNMP::Bindings

A PDU data structure from either RFC 1157 or RFC 3416.

SNMP::ScopedPDU_Context
Type:

record

engine_id: string

name: string

The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e. just the “context” fields). See RFC 3412.

SNMP::TrapPDU
Type:

record

enterprise: string

agent: addr

generic_trap: int

specific_trap: int

time_stamp: count

bindings: SNMP::Bindings

A Trap-PDU data structure from RFC 1157.

SOCKS::Address
Type:

record

host: addr &optional &log

name: string &optional &log

Attributes:

&log

This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.

SSH::Algorithm_Prefs
Type:

record

client_to_server: vector of string &optional

The algorithm preferences for client to server communication

server_to_client: vector of string &optional

The algorithm preferences for server to client communication

The client and server each have some preferences for the algorithms used in each direction.

SSH::Capabilities
Type:

record

kex_algorithms: string_vec

Key exchange algorithms

server_host_key_algorithms: string_vec

The algorithms supported for the server host key

encryption_algorithms: SSH::Algorithm_Prefs

Symmetric encryption algorithm preferences

mac_algorithms: SSH::Algorithm_Prefs

Symmetric MAC algorithm preferences

compression_algorithms: SSH::Algorithm_Prefs

Compression algorithm preferences

languages: SSH::Algorithm_Prefs &optional

Language preferences

is_server: bool

Are these the capabilities of the server?

This record lists the preferences of an SSH endpoint for algorithm selection. During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. See RFC 4253#section-7.1 for details.
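Because SSH::Capabilities exposes the full ordered algorithm lists announced in the key exchange, it can be used to spot servers that still offer retired algorithms. The script below is an added example, not part of init-bare.bro; it assumes the ssh_capabilities event signature of Bro's SSH analyzer, and the weak_algs set is a constructed, illustrative list of SSH algorithm identifiers meant to be redefined locally.

```bro
##! Added example, not part of init-bare.bro: report SSH servers whose
##! advertised capabilities include deprecated kex, cipher or MAC algorithms.
##! The weak_algs list is constructed for illustration; redef it for your site.

@load base/frameworks/notice
@load base/protocols/ssh

module SSHWeakAlgs;

export {
    redef enum Notice::Type += {
        ## An SSH server advertised a deprecated kex, cipher or MAC algorithm.
        Weak_Algorithm_Offered,
    };

    ## Deprecated algorithm identifiers to look for (constructed list).
    const weak_algs: set[string] = {
        "diffie-hellman-group1-sha1", "arcfour", "arcfour128", "arcfour256",
        "3des-cbc", "hmac-md5", "hmac-md5-96",
    } &redef;
}

## Raise one notice per weak algorithm found in an announced preference list.
function report_weak(c: connection, kind: string, algs: vector of string)
    {
    for ( i in algs )
        if ( algs[i] in weak_algs )
            NOTICE([$note=Weak_Algorithm_Offered, $conn=c,
                    $msg=fmt("SSH server %s offers deprecated %s algorithm %s", c$id$resp_h, kind, algs[i]),
                    $identifier=cat(c$id$resp_h, kind, algs[i])]);
    }

event ssh_capabilities(c: connection, cookie: string, capabilities: SSH::Capabilities)
    {
    # Only the server's announcement is checked here; it is the server's configuration we audit.
    if ( ! capabilities$is_server )
        return;
    report_weak(c, "kex", capabilities$kex_algorithms);
    # The per-direction lists are &optional, so test presence before reading them.
    if ( capabilities$encryption_algorithms?$server_to_client )
        report_weak(c, "cipher", capabilities$encryption_algorithms$server_to_client);
    if ( capabilities$mac_algorithms?$server_to_client )
        report_weak(c, "mac", capabilities$mac_algorithms$server_to_client);
    }
```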

SSL::SignatureAndHashAlgorithm
Type:

record

HashAlgorithm: count

Hash algorithm number

SignatureAlgorithm: count

Signature algorithm number

SYN_packet