Add DCE-RPC and NTLM abbreviation documentation for their events.
This commit is contained in:
parent
d320fb2f7c
commit
25495e576a
2 changed files with 30 additions and 23 deletions
|
@ -1,11 +1,12 @@
|
|||
## Generated for every DCE-RPC message.
|
||||
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## is_orig: True if the message was sent by the originator of the TCP connection.
|
||||
##
|
||||
## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
|
||||
## DCE-RPC was not transported over a pipe.
|
||||
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
|
||||
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
|
||||
## not transported over a pipe.
|
||||
##
|
||||
## ptype_id: Numeric representation of the procedure type of the message.
|
||||
##
|
||||
|
@ -14,14 +15,15 @@
|
|||
## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
|
||||
event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType%);
|
||||
|
||||
## Generated for every DCE-RPC bind request message. Since RPC offers the ability
|
||||
## for a client to request connections to multiple endpoints, this event can occur
|
||||
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
|
||||
## Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
|
||||
## multiple times for a single RPC message.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
|
||||
## DCE-RPC was not transported over a pipe.
|
||||
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
|
||||
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
|
||||
## not transported over a pipe.
|
||||
##
|
||||
## uuid: The string interpretted uuid of the endpoint being requested.
|
||||
##
|
||||
|
@ -32,24 +34,26 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count
|
|||
## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
|
||||
event dce_rpc_bind%(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count%);
|
||||
|
||||
## Generated for every DCE-RPC bind request ack message.
|
||||
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
|
||||
## DCE-RPC was not transported over a pipe.
|
||||
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
|
||||
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
|
||||
## not transported over a pipe.
|
||||
##
|
||||
## sec_addr: Secondary address for the ack.
|
||||
##
|
||||
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
|
||||
event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
|
||||
|
||||
## Generated for every DCE-RPC request message.
|
||||
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
|
||||
## DCE-RPC was not transported over a pipe.
|
||||
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
|
||||
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
|
||||
## not transported over a pipe.
|
||||
##
|
||||
## opnum: Number of the RPC operation.
|
||||
##
|
||||
|
@ -58,12 +62,13 @@ event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
|
|||
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
|
||||
event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%);
|
||||
|
||||
## Generated for every DCE-RPC response message.
|
||||
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
|
||||
## DCE-RPC was not transported over a pipe.
|
||||
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
|
||||
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
|
||||
## not transported over a pipe.
|
||||
##
|
||||
## opnum: Number of the RPC operation.
|
||||
##
|
||||
|
@ -71,4 +76,3 @@ event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%
|
|||
##
|
||||
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
|
||||
event dce_rpc_response%(c: connection, fid: count, opnum: count, stub_len: count%);
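Review bot: The rewritten `dce_rpc_bind` documentation keeps the typo in its `uuid` line — `## uuid: The string interpretted uuid of the endpoint being requested.` — which this commit touches the block of but does not fix; suggest `## uuid: The UUID of the endpoint being requested, rendered as a string.`. As a point of style, the expanded `:abbr:` form pushes the reflowed `fid` lines in every DCE-RPC event block well past the wrap width the rest of the file uses, and repeating the full expansion on each occurrence within one docstring adds little; spelling it out once per event comment and using plain `DCE-RPC` afterwards would keep the lines readable in the source. The `dce_rpc_bind` and `dce_rpc_request`/`dce_rpc_response` parameter lists (`ver_major`, `ver_minor`, `stub_len`) continue outside the shown hunks, so I have not checked those lines.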
|
||||
|
||||
|
|
|
@ -1,23 +1,26 @@
|
|||
## Generated for NTLM messages of type *negotiate*.
|
||||
## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## negotiate: The parsed data of the NTLM message. See init-bare for more details.
|
||||
## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
|
||||
##
|
||||
## .. bro:see:: ntlm_challenge ntlm_authenticate
|
||||
event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%);
|
||||
|
||||
## Generated for NTLM messages of type *challenge*.
|
||||
## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## negotiate: The parsed data of the NTLM message. See init-bare for more details.
|
||||
## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
|
||||
##
|
||||
## .. bro:see:: ntlm_negotiate ntlm_authenticate
|
||||
event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);
|
||||
|
||||
## Generated for NTLM messages of type *authenticate*.
|
||||
## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## request: The parsed data of the NTLM message. See init-bare for more details.
|
||||
## request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
|
||||
##
|
||||
## .. bro:see:: ntlm_negotiate ntlm_challenge
|
||||
event ntlm_authenticate%(c: connection, request: NTLM::Authenticate%);
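Review bot: The parameter documentation for `ntlm_challenge` names the wrong argument: the signature is `event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%)`, but the rewritten doc line still reads `## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.`, so the generated reference will document a parameter that does not exist on this event. Change it to `## challenge: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.`. While here, "See init-bare for more details" in all three NTLM event comments is vague for a reader of the generated docs; naming the record type each parameter carries (`NTLM::Negotiate`, `NTLM::Challenge`, `NTLM::Authenticate`) would point them at the right definition directly.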
|
||||
|
|