diff --git a/src/analyzer/protocol/dnp3/events.bif b/src/analyzer/protocol/dnp3/events.bif
index a41f70897b..80f9504a9e 100644
--- a/src/analyzer/protocol/dnp3/events.bif
+++ b/src/analyzer/protocol/dnp3/events.bif
@@ -32,6 +32,8 @@ event dnp3_application_response_header%(c: connection, is_orig: bool, fc: count,
 ##
 ## qua_field: qualifier field.
 ##
+## number: TODO.
+##
 ## rf_low: the structure of the range field depends on the qualified field.
 ## In some cases, the range field contains only one logic part, e.g.,
 ## number of objects, so only *rf_low* contains useful values.
diff --git a/src/analyzer/protocol/modbus/events.bif b/src/analyzer/protocol/modbus/events.bif
index dbbd7b78bb..537820f37d 100644
--- a/src/analyzer/protocol/modbus/events.bif
+++ b/src/analyzer/protocol/modbus/events.bif
@@ -149,7 +149,7 @@ event modbus_write_single_register_response%(c: connection, headers: ModbusHeade
 ##
 ## start_address: The memory address of the first coil to be written.
 ##
-## value: The values to be written to the coils.
+## coils: The values to be written to the coils.
 event modbus_write_multiple_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils%);
 ## Generated for a Modbus write multiple coils response.
diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif
index 216691dea1..cac18bfa3e 100644
--- a/src/analyzer/protocol/tcp/events.bif
+++ b/src/analyzer/protocol/tcp/events.bif
@@ -108,6 +108,8 @@ event connection_half_finished%(c: connection%);
 ## originator attempted to setup a TCP connection but the responder replied
 ## with a RST packet denying it.
 ##
+## c: The connection.
+##
 ## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
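Review bot: The added `## number: TODO.` line in dnp3/events.bif publishes a placeholder instead of a description, so the generated reference still tells script writers nothing about this parameter; the same applies to `ev: TODO.` and `pkt: TODO.` in the unified2/events.bif hunk. The event declaration this comment block belongs to lies below the hunk, so the meaning of `number` cannot be confirmed from here; the neighbouring `rf_low` text mentions a "number of objects", which suggests a count taken from the object header, but that should be checked against the analyzer before it is written down. For the Unified2 events the parameter types are visible, so `## ev: The parsed Unified2 IDS event record.` and `## pkt: The parsed Unified2 packet record.` would already be better than the placeholders.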
@@ -115,8 +117,6 @@ event connection_half_finished%(c: connection%);
 ## connection_status_update connection_timeout scheduled_analyzer_applied
 ## new_connection new_connection_contents partial_connection
 ##
-## c: The connection.
-##
 ## .. note::
 ##
 ## If the responder does not respond at all, :bro:id:`connection_attempt` is
diff --git a/src/event.bif b/src/event.bif
index ddadb47f8a..bb0e98c7d6 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -591,7 +591,11 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 ## and it raises this event for each system identified. The p0f fingerprints are
 ## defined by :bro:id:`passive_fingerprint_file`.
 ##
-## TODO.
+## c: The connection.
+##
+## host: The host running the reported OS.
+##
+## OS: The OS version string.
 ##
 ## .. bro:see:: passive_fingerprint_file software_parse_error
 ## software_version_found software_unparsed_version_found
diff --git a/src/file_analysis/analyzer/unified2/events.bif b/src/file_analysis/analyzer/unified2/events.bif
index c5f3dda6a4..a9134e5285 100644
--- a/src/file_analysis/analyzer/unified2/events.bif
+++ b/src/file_analysis/analyzer/unified2/events.bif
@@ -1,7 +1,17 @@
 ## Abstract all of the various Unified2 event formats into
 ## a single event.
+##
+## f: The file.
+##
+## ev: TODO.
+##
 event unified2_event%(f: fa_file, ev: Unified2::IDSEvent%);
 ## The Unified2 packet format event.
+##
+## f: The file.
+##
+## pkt: TODO.
+##
 event unified2_packet%(f: fa_file, pkt: Unified2::Packet%);
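Review bot: `## OS: The OS version string.` in src/event.bif calls the parameter a string, but the event declaration is below the hunk and the type of `OS` is not visible here; if it is a record of fingerprint fields rather than a single string, the wording will mislead script authors. Please check it against the declaration and describe what is actually passed, for example `## OS: The OS fingerprint that matched, as reported by p0f.` Since the surrounding text says the result comes from p0f fingerprints, the `host` line could also say that the OS is inferred passively from traffic, so consumers treat it as a heuristic match rather than a verified property of the host.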
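Review bot: Both added comment blocks in unified2/events.bif end with an empty `##` line directly before the `event` declaration, once after `## ev: TODO.` and once after `## pkt: TODO.`. The other files in this commit do not do that: in modbus/events.bif the last parameter line `## coils: ...` is followed immediately by the declaration. Dropping the trailing `+##` in both places keeps the doc blocks consistent across the .bif files.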