diff --git a/cmake b/cmake index 8cc03d64d0..c50757259f 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 8cc03d64d00676cb75a38543800ac0de192557dd +Subproject commit c50757259f509f13227cf28bbd4fd281828a39d2 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 4d3e6dd917..b374c64d2c 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -133,9 +133,6 @@ set(BINPAC_AUXSRC binpac_target(binpac-lib.pac) binpac_target(binpac_bro-lib.pac) -binpac_target(netflow.pac - netflow-protocol.pac netflow-analyzer.pac) - ######################################################################## ## Including subdirectories. ######################################################################## @@ -212,7 +209,6 @@ set(bro_SRCS util.cc module_util.cc Anon.cc - ARP.cc Attr.cc Base64.cc BPF_Program.cc @@ -254,7 +250,6 @@ set(bro_SRCS IPAddr.cc List.cc Reporter.cc - MIME.cc NFA.cc Net.cc NetVar.cc diff --git a/src/Conn.cc b/src/Conn.cc index d6fc41c0b9..1756d3860e 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -935,7 +935,7 @@ error: return false; } -void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia) +void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia) { root_analyzer = analyzer; primary_PIA = pia; diff --git a/src/Conn.h b/src/Conn.h index 1b13500fad..95c521d875 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -245,9 +245,9 @@ public: void DeleteTimer(double t); // Sets the root of the analyzer tree as well as the primary PIA. - void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia); + void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia); analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } - PIA* GetPrimaryPIA() { return primary_PIA; } + analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; } // Sets the transport protocol in use. void SetTransport(TransportProto arg_proto) { proto = arg_proto; } 
@@ -319,7 +319,7 @@ protected: uint32 hist_seen; analyzer::TransportLayerAnalyzer* root_analyzer; - PIA* primary_PIA; + analyzer::pia::PIA* primary_PIA; uint64 uid; // Globally unique connection ID. }; diff --git a/src/NetVar.cc b/src/NetVar.cc index 7483728e44..32ab4a63c1 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -93,7 +93,6 @@ RecordType* http_stats_rec; RecordType* http_message_stat; int truncate_http_URI; -int pm_request; RecordType* pm_mapping; TableType* pm_mappings; RecordType* pm_port_request; @@ -408,14 +407,6 @@ void init_net_var() http_message_stat = internal_type("http_message_stat")->AsRecordType(); truncate_http_URI = opt_internal_int("truncate_http_URI"); - pm_request = pm_request_null || pm_request_set || - pm_request_unset || pm_request_getport || - pm_request_dump || pm_request_callit || - pm_attempt_null || pm_attempt_set || - pm_attempt_unset || pm_attempt_getport || - pm_attempt_dump || pm_attempt_callit || - pm_bad_port; - pm_mapping = internal_type("pm_mapping")->AsRecordType(); pm_mappings = internal_type("pm_mappings")->AsTableType(); pm_port_request = internal_type("pm_port_request")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 88b5478149..35b94e09b7 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -96,7 +96,6 @@ extern RecordType* http_stats_rec; extern RecordType* http_message_stat; extern int truncate_http_URI; -extern int pm_request; extern RecordType* pm_mapping; extern TableType* pm_mappings; extern RecordType* pm_port_request; diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index b26ed9c9f5..2296628878 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc 
@@ -4,15 +4,15 @@ #include "analyzer/protocols/tcp/TCP.h" #include "Scope.h" -static inline bool is_established(const TCP_Endpoint* e) +static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e) { // We more or less follow Snort here: an established session // is one for which the initial handshake has succeded (but we // add partial connections). The connection tear-down is part // of the connection. - return e->state != TCP_ENDPOINT_INACTIVE && - e->state != TCP_ENDPOINT_SYN_SENT && - e->state != TCP_ENDPOINT_SYN_ACK_SENT; + return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE && + e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT && + e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT; } bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, @@ -23,7 +23,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, if ( ! root || ! root->IsAnalyzer("TCP") ) return false; - TCP_Analyzer* ta = static_cast(root); + analyzer::tcp::TCP_Analyzer* ta = static_cast(root); if ( tcpstates & STATE_STATELESS ) return true; diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 4c69576524..5b6f673a8a 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -161,7 +161,7 @@ void RuleHdrTest::PrintDebug() RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, - ::PIA* arg_PIA) + analyzer::pia::PIA* arg_PIA) { payload_size = -1; analyzer = arg_analyzer; @@ -565,7 +565,7 @@ static inline bool compare(const vector& prefixes, const IPAddr& a, RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, - bool from_orig, PIA* pia) + bool from_orig, analyzer::pia::PIA* pia) { RuleEndpointState* state = new RuleEndpointState(analyzer, from_orig, opposite, pia); 
@@ -1301,7 +1301,7 @@ uint32 id_to_uint(const char* id) } void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, bool from_orig, PIA* pia) + int caplen, bool from_orig, analyzer::pia::PIA* pia) { if ( ! rule_matcher ) return; diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index 1b2756594d..351c3c30bf 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -35,8 +35,10 @@ extern const char* current_rule_file; class RuleMatcher; extern RuleMatcher* rule_matcher; -namespace analyzer { class Analyzer; } -class PIA; +namespace analyzer { + namespace pia { class PIA; } + class Analyzer; +} // RuleHdrTest and associated things: @@ -152,7 +154,7 @@ public: // Returns -1 if no chunk has been fed yet at all. int PayloadSize() { return payload_size; } - ::PIA* PIA() const { return pia; } + analyzer::pia::PIA* PIA() const { return pia; } private: friend class RuleMatcher; @@ -160,7 +162,7 @@ private: // Constructor is private; use RuleMatcher::InitEndpoint() // for creating an instance. RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, - RuleEndpointState* arg_opposite, ::PIA* arg_PIA); + RuleEndpointState* arg_opposite, analyzer::pia::PIA* arg_PIA); struct Matcher { RE_Match_State* state; @@ -173,7 +175,7 @@ private: bool is_orig; analyzer::Analyzer* analyzer; RuleEndpointState* opposite; - ::PIA* pia; + analyzer::pia::PIA* pia; matcher_list matchers; rule_hdr_test_list hdr_tests; @@ -208,7 +210,7 @@ public: // this endpoint). If the matching is triggered by an PIA, a pointer to // it needs to be given. RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia); + int caplen, RuleEndpointState* opposite, bool is_orig, analyzer::pia::PIA* pia); // Finish matching for this stream. void FinishEndpoint(RuleEndpointState* state); 
@@ -311,7 +313,7 @@ public: // ip may be nil. void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, bool from_orig, PIA* pia = 0); + int caplen, bool from_orig, analyzer::pia::PIA* pia = 0); // bol/eol should be set to false for type Rule::PAYLOAD; they're // deduced automatically. diff --git a/src/Sessions.cc b/src/Sessions.cc index 739bbbe5e7..29c7a57e8f 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -20,8 +20,13 @@ #include "analyzer/protocols/udp/UDP.h" #include "analyzer/protocols/stepping-stone/SteppingStone.h" +#include "analyzer/protocols/stepping-stone/events.bif.h" #include "analyzer/protocols/backdoor/BackDoor.h" +#include "analyzer/protocols/backdoor/events.bif.h" #include "analyzer/protocols/interconn/InterConn.h" +#include "analyzer/protocols/interconn/events.bif.h" +#include "analyzer/protocols/arp/ARP.h" +#include "analyzer/protocols/arp/events.bif.h" #include "Discard.h" #include "RuleMatcher.h" @@ -102,7 +107,7 @@ NetSessions::NetSessions() fragments.SetDeleteFunc(bro_obj_delete_func); if ( stp_correlate_pair ) - stp_manager = new SteppingStoneManager(); + stp_manager = new analyzer::stepping_stone::SteppingStoneManager(); else stp_manager = 0; @@ -141,7 +146,7 @@ NetSessions::NetSessions() pkt_profiler = 0; if ( arp_request || arp_reply || bad_arp ) - arp_analyzer = new ARP_Analyzer(); + arp_analyzer = new analyzer::arp::ARP_Analyzer(); else arp_analyzer = 0; } @@ -254,7 +259,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr, DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0); } - else if ( ARP_Analyzer::IsARP(pkt, hdr_size) ) + else if ( analyzer::arp::ARP_Analyzer::IsARP(pkt, hdr_size) ) { if ( arp_analyzer ) arp_analyzer->NextPacket(t, hdr, pkt, hdr_size); 
@@ -521,9 +526,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, const struct icmp* icmpp = (const struct icmp *) data; id.src_port = icmpp->icmp_type; - id.dst_port = ICMP4_counterpart(icmpp->icmp_type, - icmpp->icmp_code, - id.is_one_way); + id.dst_port = analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type, + icmpp->icmp_code, + id.is_one_way); id.src_port = htons(id.src_port); id.dst_port = htons(id.dst_port); @@ -537,9 +542,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, const struct icmp* icmpp = (const struct icmp *) data; id.src_port = icmpp->icmp_type; - id.dst_port = ICMP6_counterpart(icmpp->icmp_type, - icmpp->icmp_code, - id.is_one_way); + id.dst_port = analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type, + icmpp->icmp_code, + id.is_one_way); id.src_port = htons(id.src_port); id.dst_port = htons(id.dst_port); @@ -962,12 +967,12 @@ void NetSessions::Remove(Connection* c) { c->CancelTimers(); - TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer(); + analyzer::tcp::TCP_Analyzer* ta = (analyzer::tcp::TCP_Analyzer*) c->GetRootAnalyzer(); if ( ta && c->ConnTransport() == TRANSPORT_TCP ) { assert(ta->IsAnalyzer("TCP")); - TCP_Endpoint* to = ta->Orig(); - TCP_Endpoint* tr = ta->Resp(); + analyzer::tcp::TCP_Endpoint* to = ta->Orig(); + analyzer::tcp::TCP_Endpoint* tr = ta->Resp(); tcp_stats.StateLeft(to->state, tr->state); } diff --git a/src/Sessions.h b/src/Sessions.h index 5b87518033..a5488bd188 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -6,7 +6,6 @@ #include "Dict.h" #include "CompHash.h" #include "IP.h" -#include "ARP.h" #include "Frag.h" #include "PacketFilter.h" #include "Stats.h" 
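Review bot: The rewritten line in NetSessions::Remove still performs a C-style downcast of the root analyzer before the `ConnTransport() == TRANSPORT_TCP` test, and the only type check on the result is an `assert(ta->IsAnalyzer("TCP"))`, which compiles out under NDEBUG. Since the commit already rewrites this line, it should at least become an explicit `analyzer::tcp::TCP_Analyzer* ta = static_cast<analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer());`, and ideally move under the transport check so a non-TCP root is never cast at all. If a TCP connection's root can legitimately be something other than the TCP analyzer, the IsAnalyzer check needs to be a real runtime branch rather than an assert. The body of NetSessions::Remove continues past the end of this hunk.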
@@ -28,11 +27,12 @@ declare(PDict,Connection); declare(PDict,FragReassembler); class Discarder; -class SteppingStoneManager; class PacketFilter; - class PacketSortElement; +namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } } +namespace analyzer { namespace arp { class ARP_Analyzer; } } + struct SessionStats { int num_TCP_conns; int num_UDP_conns; @@ -129,7 +129,7 @@ public: void ExpireTimerMgrs(); - SteppingStoneManager* GetSTPManager() { return stp_manager; } + analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; } unsigned int CurrentConnections() { @@ -185,7 +185,7 @@ public: unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsageConnVals(); unsigned int MemoryAllocation(); - TCPStateStats tcp_stats; // keeps statistics on TCP states + analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states protected: friend class RemoteSerializer; @@ -257,9 +257,9 @@ protected: typedef std::map IPTunnelMap; IPTunnelMap ip_tunnels; - ARP_Analyzer* arp_analyzer; + analyzer::arp::ARP_Analyzer* arp_analyzer; - SteppingStoneManager* stp_manager; + analyzer::stepping_stone::SteppingStoneManager* stp_manager; Discarder* discarder; PacketFilter* packet_filter; OSFingerprint* SYN_OS_Fingerprinter; diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 3800307c82..5769a6c58a 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -13,12 +13,13 @@ class Rule; class Connection; -class PIA; class IP_Hdr; -class TCP_ApplicationAnalyzer; namespace analyzer { +namespace tcp { class TCP_ApplicationAnalyzer; } +namespace pia { class PIA; } + class Analyzer; class AnalyzerTimer; class SupportAnalyzer; @@ -546,7 +547,7 @@ protected: friend class AnalyzerTimer; friend class Manager; friend class ::Connection; - friend class ::TCP_ApplicationAnalyzer; + friend class tcp::TCP_ApplicationAnalyzer; /** * Associates a connection with this analyzer. Must be called if 
@@ -825,13 +826,13 @@ public: * transport-layer input and determine which protocol analyzer(s) to * use for parsing it. */ - void SetPIA(PIA* arg_PIA) { pia = arg_PIA; } + void SetPIA(pia::PIA* arg_PIA) { pia = arg_PIA; } /** * Returns the associated PIA, or null of none. Does not take * ownership. */ - PIA* GetPIA() const { return pia; } + pia::PIA* GetPIA() const { return pia; } /** * Helper to raise a \c packet_contents event. @@ -843,7 +844,7 @@ public: void PacketContents(const u_char* data, int len); private: - PIA* pia; + pia::PIA* pia; }; } diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 1172b0d811..1d0589c5bf 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt @@ -15,4 +15,8 @@ set(analyzer_SRCS bif_target_for_subdir(analyzer.bif) +bro_plugin_dependencies(DCE_RPC generate_analyzer.bif) + add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H}) + +add_dependencies(bro_analyzer generate_events.bif) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index aba7f26a56..45fce936fd 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -15,6 +15,8 @@ #include "plugin/Manager.h" +#include "protocols/tcp/events.bif.h" + using namespace analyzer; Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp, 
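Review bot: The data member `pia` now shares its name with the new namespace `analyzer::pia`, and the new `pia::PIA*` spellings in SetPIA, GetPIA and the member declaration rely on the rule that the name before `::` ignores variables, which works but reads as if the member were being used as a scope. Renaming the member (for example `pia_`, matching a trailing-underscore convention) or writing the type as `analyzer::pia::PIA*` would make the intent obvious without changing behaviour. The same clash appears in Manager.cc's BuildInitialAnalyzerTree, where the local `pia::PIA* pia = 0;` is immediately followed by `pia = new pia::PIA_TCP(conn);`.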
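Review bot: The new `bro_plugin_dependencies(DCE_RPC generate_analyzer.bif)` and `add_dependencies(bro_analyzer generate_events.bif)` lines carry no explanation of why DCE_RPC in particular must wait for analyzer.bif, and the TODO file in this same diff records that the cmake dependencies may not be right yet. A one-line comment above each, along the lines of `# DCE_RPC's generated code includes analyzer.bif.h, so that target must run first` (with the actual reason filled in), would let the next person verify or remove the ordering instead of guessing. Which target name `generate_events.bif` resolves to among the per-plugin events.bif files is not visible from this hunk and is worth confirming.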
@@ -414,35 +416,35 @@ Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found) bool Manager::BuildInitialAnalyzerTree(Connection* conn) { Analyzer* analyzer = 0; - TCP_Analyzer* tcp = 0; - UDP_Analyzer* udp = 0; - ICMP_Analyzer* icmp = 0; + tcp::TCP_Analyzer* tcp = 0; + udp::UDP_Analyzer* udp = 0; + icmp::ICMP_Analyzer* icmp = 0; TransportLayerAnalyzer* root = 0; tag_set expected; - PIA* pia = 0; + pia::PIA* pia = 0; bool analyzed = false; bool check_port = false; switch ( conn->ConnTransport() ) { case TRANSPORT_TCP: - root = tcp = new TCP_Analyzer(conn); - pia = new PIA_TCP(conn); + root = tcp = new tcp::TCP_Analyzer(conn); + pia = new pia::PIA_TCP(conn); expected = GetScheduled(conn); check_port = true; DBG_ANALYZER(conn, "activated TCP analyzer"); break; case TRANSPORT_UDP: - root = udp = new UDP_Analyzer(conn); - pia = new PIA_UDP(conn); + root = udp = new udp::UDP_Analyzer(conn); + pia = new pia::PIA_UDP(conn); expected = GetScheduled(conn); check_port = true; DBG_ANALYZER(conn, "activated UDP analyzer"); break; case TRANSPORT_ICMP: { - root = icmp = new ICMP_Analyzer(conn); + root = icmp = new icmp::ICMP_Analyzer(conn); DBG_ANALYZER(conn, "activated ICMP analyzer"); analyzed = true; break; @@ -531,12 +533,12 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( IsEnabled(analyzer_backdoor) ) // Add a BackDoor analyzer if requested. This analyzer // can handle both reassembled and non-reassembled input. - tcp->AddChildAnalyzer(new BackDoor_Analyzer(conn), false); + tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false); if ( IsEnabled(analyzer_interconn) ) // Add a InterConn analyzer if requested. This analyzer // can handle both reassembled and non-reassembled input. - tcp->AddChildAnalyzer(new InterConn_Analyzer(conn), false); + tcp->AddChildAnalyzer(new interconn::InterConn_Analyzer(conn), false); if ( IsEnabled(analyzer_stepping) ) { 
@@ -550,25 +552,25 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) { AddrVal src(conn->OrigAddr()); if ( ! stp_skip_src->Lookup(&src) ) - tcp->AddChildAnalyzer(new SteppingStone_Analyzer(conn), false); + tcp->AddChildAnalyzer(new stepping_stone::SteppingStone_Analyzer(conn), false); } } if ( IsEnabled(analyzer_tcpstats) ) // Add TCPStats analyzer. This needs to see packets so // we cannot add it as a normal child. - tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); + tcp->AddChildPacketAnalyzer(new tcp::TCPStats_Analyzer(conn)); if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); + tcp->AddChildPacketAnalyzer(new conn_size::ConnSize_Analyzer(conn)); } else { if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - root->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + root->AddChildAnalyzer(new conn_size::ConnSize_Analyzer(conn)); } if ( pia ) diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt index 9fcbbdd2d5..004ec72d35 100644 --- a/src/analyzer/protocols/CMakeLists.txt +++ b/src/analyzer/protocols/CMakeLists.txt @@ -1,4 +1,5 @@ +add_subdirectory(arp) add_subdirectory(ayiya) add_subdirectory(backdoor) add_subdirectory(bittorrent) @@ -18,7 +19,9 @@ add_subdirectory(interconn) add_subdirectory(irc) add_subdirectory(login) add_subdirectory(modbus) +add_subdirectory(mime) add_subdirectory(ncp) +add_subdirectory(netflow) add_subdirectory(netbios-ssn) add_subdirectory(ntp) add_subdirectory(pia) diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocols/TODO index 6168bf4686..41a4d579bc 100644 --- a/src/analyzer/protocols/TODO +++ b/src/analyzer/protocols/TODO 
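Review bot: The two new `add_subdirectory` lines break the alphabetical order that the rest of this list keeps: `add_subdirectory(mime)` is inserted after `modbus` instead of before it, and `add_subdirectory(netflow)` is inserted before `netbios-ssn` although `netbios-ssn` sorts first. Moving `add_subdirectory(mime)` above `add_subdirectory(modbus)` and `add_subdirectory(netflow)` below `add_subdirectory(netbios-ssn)` keeps the list scannable; the `arp` entry at the top is already in the right place.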
@@ -1,10 +1,8 @@ -- introduce namespace into analyzers -- fill events.bif - add functions.bif where needed -- move ARP -- move NetFlow - update *.h guards - cleanup analyzer descriptions - can now lower-case the analyzer name in plugin +- not sure cmake dependencies work right yet +- rename analyzers/protocols to analyzer/protocol diff --git a/src/ARP.cc b/src/analyzer/protocols/arp/ARP.cc similarity index 99% rename from src/ARP.cc rename to src/analyzer/protocols/arp/ARP.cc index 7ffd82764c..9173e853aa 100644 --- a/src/ARP.cc +++ b/src/analyzer/protocols/arp/ARP.cc @@ -5,6 +5,9 @@ #include "Event.h" #include "Reporter.h" +#include "events.bif.h" + +using namespace analyzer::arp; ARP_Analyzer::ARP_Analyzer() { diff --git a/src/ARP.h b/src/analyzer/protocols/arp/ARP.h similarity index 93% rename from src/ARP.h rename to src/analyzer/protocols/arp/ARP.h index f4b623c513..ee01669e92 100644 --- a/src/ARP.h +++ b/src/analyzer/protocols/arp/ARP.h @@ -24,7 +24,9 @@ #endif #include "NetVar.h" +#include "PacketSort.h" +namespace analyzer { namespace arp { class ARP_Analyzer : public BroObj { public: @@ -53,4 +55,6 @@ protected: EventHandlerPtr arp_reply; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/arp/CMakeLists.txt b/src/analyzer/protocols/arp/CMakeLists.txt new file mode 100644 index 0000000000..5654802b07 --- /dev/null +++ b/src/analyzer/protocols/arp/CMakeLists.txt @@ -0,0 +1,15 @@ + +# This is not an actual analyzer, but used by the core. We still +# maintain it here along with the other analyzers because conceptually +# it's also parsing a protocol just like them. The current structure +# is merely a left-over from when this code was written. + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(ARP) +bro_plugin_cc(ARP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() + 
diff --git a/src/analyzer/protocols/arp/Plugin.cc b/src/analyzer/protocols/arp/Plugin.cc new file mode 100644 index 0000000000..06b4940719 --- /dev/null +++ b/src/analyzer/protocols/arp/Plugin.cc @@ -0,0 +1,7 @@ + +#include "plugin/Plugin.h" + +BRO_PLUGIN_BEGIN(ARP) + BRO_PLUGIN_DESCRIPTION("ARP Parsing Code"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/arp/events.bif b/src/analyzer/protocols/arp/events.bif new file mode 100644 index 0000000000..efee33d7f4 --- /dev/null +++ b/src/analyzer/protocols/arp/events.bif 
@@ -0,0 +1,63 @@ +## Generated for ARP requests. +## +## See `Wikipedia `__ +## for more information about the ARP protocol. +## +## mac_src: The request's source MAC address. +## +## mac_dst: The request's destination MAC address. +## +## SPA: The sender protocol address. +## +## SHA: The sender hardware address. +## +## TPA: The target protocol address. +## +## THA: The target hardware address. +## +## .. bro:see:: arp_reply bad_arp +event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, + TPA: addr, THA: string%); + +## Generated for ARP replies. +## +## See `Wikipedia `__ +## for more information about the ARP protocol. +## +## mac_src: The reply's source MAC address. +## +## mac_dst: The reply's destination MAC address. +## +## SPA: The sender protocol address. +## +## SHA: The sender hardware address. +## +## TPA: The target protocol address. +## +## THA: The target hardware address. +## +## .. bro:see:: arp_request bad_arp +event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, + TPA: addr, THA: string%); + +## Generated for ARP packets that Bro cannot interpret. Examples are packets +## with non-standard hardware address formats or hardware addresses that do not +## match the originator of the packet. +## +## SPA: The sender protocol address. +## +## SHA: The sender hardware address. +## +## TPA: The target protocol address. +## +## THA: The target hardware address. +## +## explanation: A short description of why the ARP packet is considered "bad". +## +## .. bro:see:: arp_reply arp_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%); 
diff --git a/src/analyzer/protocols/ayiya/AYIYA.cc b/src/analyzer/protocols/ayiya/AYIYA.cc index 2154ae4b30..070a3ef3e1 100644 --- a/src/analyzer/protocols/ayiya/AYIYA.cc +++ b/src/analyzer/protocols/ayiya/AYIYA.cc @@ -1,4 +1,9 @@ + #include "AYIYA.h" +#include "Func.h" +#include "events.bif.h" + +using namespace analyzer::ayiya; AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) : Analyzer("AYIYA", conn) diff --git a/src/analyzer/protocols/ayiya/AYIYA.h b/src/analyzer/protocols/ayiya/AYIYA.h index c0897d84ff..2995131be5 100644 --- a/src/analyzer/protocols/ayiya/AYIYA.h +++ b/src/analyzer/protocols/ayiya/AYIYA.h @@ -3,6 +3,8 @@ #include "ayiya_pac.h" +namespace analyzer { namespace ayiya { + class AYIYA_Analyzer : public analyzer::Analyzer { public: AYIYA_Analyzer(Connection* conn); @@ -21,4 +23,6 @@ protected: binpac::AYIYA::AYIYA_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ayiya/Plugin.cc b/src/analyzer/protocols/ayiya/Plugin.cc index 1ec9887534..069aedde0a 100644 --- a/src/analyzer/protocols/ayiya/Plugin.cc +++ b/src/analyzer/protocols/ayiya/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(AYIYA) BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer"); - BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("AYIYA", ayiya::AYIYA_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ayiya/ayiya.pac b/src/analyzer/protocols/ayiya/ayiya.pac index ff0af4d47c..b1f3a6ef77 100644 --- a/src/analyzer/protocols/ayiya/ayiya.pac +++ b/src/analyzer/protocols/ayiya/ayiya.pac @@ -2,6 +2,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer AYIYA withcontext { connection: AYIYA_Conn; flow: AYIYA_Flow; diff --git a/src/analyzer/protocols/backdoor/BackDoor.cc b/src/analyzer/protocols/backdoor/BackDoor.cc index 00a1319e53..19b1a341a7 100644 --- a/src/analyzer/protocols/backdoor/BackDoor.cc +++ b/src/analyzer/protocols/backdoor/BackDoor.cc 
@@ -7,7 +7,11 @@ #include "Net.h" #include "analyzer/protocols/tcp/TCP.h" -BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e) +#include "events.bif.h" + +using namespace analyzer::backdoor; + +BackDoorEndpoint::BackDoorEndpoint(tcp::TCP_Endpoint* e) { endp = e; is_partial = 0; @@ -53,7 +57,7 @@ int BackDoorEndpoint::DataSent(double /* t */, int seq, if ( len <= 0 ) return 0; - if ( endp->state == TCP_ENDPOINT_PARTIAL ) + if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL ) is_partial = 1; int ack = endp->AckSeq() - endp->StartSeq(); @@ -681,7 +685,7 @@ int BackDoorEndpoint::CheckForString(const char* str, BackDoor_Analyzer::BackDoor_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("BACKDOOR", c) +: tcp::TCP_ApplicationAnalyzer("BACKDOOR", c) { orig_endp = resp_endp = 0; @@ -701,7 +705,7 @@ BackDoor_Analyzer::~BackDoor_Analyzer() void BackDoor_Analyzer::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new BackDoorEndpoint(TCP()->Orig()); @@ -740,7 +744,7 @@ void BackDoor_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void BackDoor_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( ! IsFinished() ) { diff --git a/src/analyzer/protocols/backdoor/BackDoor.h b/src/analyzer/protocols/backdoor/BackDoor.h index 1865cdd1ef..bab981cf89 100644 --- a/src/analyzer/protocols/backdoor/BackDoor.h +++ b/src/analyzer/protocols/backdoor/BackDoor.h @@ -8,9 +8,11 @@ #include "NetVar.h" #include "analyzer/protocols/login/Login.h" +namespace analyzer { namespace backdoor { + class BackDoorEndpoint { public: - BackDoorEndpoint(TCP_Endpoint* e); + BackDoorEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, int seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); 
@@ -44,7 +46,7 @@ protected: int CheckForFullString(const char* str, const u_char* data, int len); int CheckForString(const char* str, const u_char* data, int len); - TCP_Endpoint* endp; + tcp::TCP_Endpoint* endp; int is_partial; int max_top_seq; @@ -62,7 +64,7 @@ protected: uint32 num_7bit_ascii; }; -class BackDoor_Analyzer : public TCP_ApplicationAnalyzer { +class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: BackDoor_Analyzer(Connection* c); ~BackDoor_Analyzer(); @@ -105,4 +107,6 @@ protected: BackDoor_Analyzer* analyzer; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/backdoor/Plugin.cc b/src/analyzer/protocols/backdoor/Plugin.cc index 586b9ef139..afcf60edbc 100644 --- a/src/analyzer/protocols/backdoor/Plugin.cc +++ b/src/analyzer/protocols/backdoor/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(BackDoor) BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("BACKDOOR", backdoor::BackDoor_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/backdoor/events.bif b/src/analyzer/protocols/backdoor/events.bif index e69de29bb2..81676ee43b 100644 --- a/src/analyzer/protocols/backdoor/events.bif +++ b/src/analyzer/protocols/backdoor/events.bif 
@@ -0,0 +1,32 @@ +## Deprecated. Will be removed. +event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%); + +## Deprecated. Will be removed. +event backdoor_remove_conn%(c: connection%); + +## Deprecated. Will be removed. +event ftp_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event gnutella_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event http_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event irc_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event telnet_signature_found%(c: connection, is_orig: bool, len: count%); + +## Deprecated. Will be removed. +event ssh_signature_found%(c: connection, is_orig: bool%); + +## Deprecated. Will be removed. +event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%); + +## Deprecated. Will be removed. +event smtp_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event http_proxy_signature_found%(c: connection%); diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.cc b/src/analyzer/protocols/bittorrent/BitTorrent.cc index 05e9ae8fba..fc66987cc7 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocols/bittorrent/BitTorrent.cc @@ -3,8 +3,12 @@ #include "BitTorrent.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::bittorrent; + BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("BITTORRENT", c) +: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) { interp = new binpac::BitTorrent::BitTorrent_Conn(this); stop_orig = stop_resp = false; @@ -18,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer() void BitTorrent_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); 
@@ -29,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp; bool& this_stop = orig ? stop_orig : stop_resp; - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -66,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // TODO: Code commented out for now. I think that shoving data that // is definitely wrong into the parser seems like a really bad idea. @@ -108,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig) void BitTorrent_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.h b/src/analyzer/protocols/bittorrent/BitTorrent.h index 0a36442ab9..7812261f04 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrent.h +++ b/src/analyzer/protocols/bittorrent/BitTorrent.h @@ -7,7 +7,9 @@ #include "bittorrent_pac.h" -class BitTorrent_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace bittorrent { + +class BitTorrent_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: BitTorrent_Analyzer(Connection* conn); virtual ~BitTorrent_Analyzer(); @@ -28,4 +30,6 @@ protected: uint64 stream_len_orig, stream_len_resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc index cf8dcff6ba..18d1fe8ab9 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc 
@@ -3,6 +3,8 @@ #include "BitTorrentTracker.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + #include #include @@ -11,6 +13,8 @@ # define FMT_INT "%" PRId64 # define FMT_UINT "%" PRIu64 +using namespace analyzer::bittorrent; + static TableType* bt_tracker_headers = 0; static RecordType* bittorrent_peer; static TableType* bittorrent_peer_set; @@ -18,7 +22,7 @@ static RecordType* bittorrent_benc_value; static TableType* bittorrent_benc_dir; BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("BITTORRENT", c) +: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) { if ( ! bt_tracker_headers ) { @@ -74,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer() void BitTorrentTracker_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); } void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -205,7 +209,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data) void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); ProtocolViolation("BitTorrentTracker: cannot recover from content gap"); @@ -217,7 +221,7 @@ void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig) void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); } void BitTorrentTracker_Analyzer::InitBencParser(void) diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h index 70f3004acb..8db92c6af7 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h 
+++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h @@ -7,6 +7,8 @@ #define BTTRACKER_BUF 2048 +namespace analyzer { namespace bittorrent { + // If the following is defined, then the analyzer will store all of // the headers seen in tracker messages. //#define BTTRACKER_STORE_HEADERS 1 @@ -40,7 +42,7 @@ enum btt_benc_states { BENC_STATE_STR2, }; -class BitTorrentTracker_Analyzer : public TCP_ApplicationAnalyzer { +class BitTorrentTracker_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: BitTorrentTracker_Analyzer(Connection* conn); virtual ~BitTorrentTracker_Analyzer(); @@ -126,4 +128,6 @@ protected: bool stop_orig, stop_resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/bittorrent/Plugin.cc b/src/analyzer/protocols/bittorrent/Plugin.cc index c028956ce9..59e81749ce 100644 --- a/src/analyzer/protocols/bittorrent/Plugin.cc +++ b/src/analyzer/protocols/bittorrent/Plugin.cc @@ -6,7 +6,7 @@ BRO_PLUGIN_BEGIN(BitTorrent) BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer"); - BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("BitTorrent", bittorrent::BitTorrent_Analyzer); + BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/bittorrent/bittorrent.pac b/src/analyzer/protocols/bittorrent/bittorrent.pac index f6255902dd..39e53596dd 100644 --- a/src/analyzer/protocols/bittorrent/bittorrent.pac +++ b/src/analyzer/protocols/bittorrent/bittorrent.pac @@ -5,6 +5,8 @@ %extern{ #define MSGLEN_LIMIT 0x40000 + +#include "events.bif.h" %} analyzer BitTorrent withcontext { diff --git a/src/analyzer/protocols/bittorrent/events.bif b/src/analyzer/protocols/bittorrent/events.bif index e69de29bb2..8c4ddc146f 100644 --- a/src/analyzer/protocols/bittorrent/events.bif 
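Review bot: The second `BRO_PLUGIN_ANALYZER` line in bittorrent/Plugin.cc registers the "BitTorrentTracker" tag with `bittorrent::BitTorrent_Analyzer`, while the line it replaces instantiated `BitTorrentTracker_Analyzer`; if the macro maps the tag to the class it is given, the tracker tag would now construct the peer-wire analyzer, tracker traffic would presumably be fed to the wrong parser, and the `bt_tracker_*` events declared in the new events.bif would have no analyzer raising them. The line should read `BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrentTracker_Analyzer);`. The conn-size, dce-rpc, dhcp and dns Plugin.cc hunks later in the commit each register a single analyzer and do not show the same slip.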
+++ b/src/analyzer/protocols/bittorrent/events.bif 
@@ -0,0 +1,226 @@ +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_handshake%(c: connection, is_orig: bool, + reserved: string, info_hash: string, peer_id: string%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bittorrent_peer_choke%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request +## bittorrent_peer_unknown bittorrent_peer_weird +event bittorrent_peer_unchoke%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_interested%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_not_interested%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%); + +## TODO. 
+## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake +## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, + begin: count, length: count%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, + begin: count, piece_length: count%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, + begin: count, length: count%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_weird +event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, + data: string%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown +event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bt_tracker_request%(c: connection, uri: string, + headers: bt_tracker_headers%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bt_tracker_response%(c: connection, status: count, + headers: bt_tracker_headers, + peers: bittorrent_peer_set, + benc: bittorrent_benc_dir%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bt_tracker_response_not_ok%(c: connection, status: count, + headers: bt_tracker_headers%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%); + diff --git a/src/analyzer/protocols/conn-size/ConnSize.cc b/src/analyzer/protocols/conn-size/ConnSize.cc index a5a401a816..7d85fe4a0c 100644 --- a/src/analyzer/protocols/conn-size/ConnSize.cc +++ b/src/analyzer/protocols/conn-size/ConnSize.cc @@ -6,7 +6,9 @@ #include "ConnSize.h" #include "analyzer/protocols/tcp/TCP.h" +#include "events.bif.h" +using namespace analyzer::conn_size; ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) : Analyzer("CONNSIZE", c) diff --git a/src/analyzer/protocols/conn-size/ConnSize.h b/src/analyzer/protocols/conn-size/ConnSize.h index 6eac519c88..567895a9f5 100644 --- a/src/analyzer/protocols/conn-size/ConnSize.h +++ b/src/analyzer/protocols/conn-size/ConnSize.h @@ -7,6 +7,7 @@ #include "analyzer/Analyzer.h" #include "NetVar.h" +namespace analyzer { namespace conn_size { class ConnSize_Analyzer : public analyzer::Analyzer { public: @@ -34,4 +35,6 @@ protected: uint64_t resp_pkts; }; +} } // namespace analyzer::* + #endif 
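Review bot: Every event description in bittorrent/events.bif is the placeholder `## TODO.`, so the generated documentation says nothing about what each event carries or when it fires; at minimum the parameters that are not self-explanatory (`reserved`, `info_hash` and `peer_id` on `bittorrent_peer_handshake`, `benc` on `bt_tracker_response`) deserve a one-line description each, in the `## name: ...` form the dhcp events.bif in this commit uses. The `.. bro:see::` lists on the four `bt_tracker_*` events repeat the `bittorrent_peer_*` list verbatim and omit the sibling tracker events, so `bt_tracker_request`, `bt_tracker_response`, `bt_tracker_response_not_ok` and `bt_tracker_weird` never cross-reference each other. The Wikipedia link targets also appear empty in every description here, which may be an artifact of how this diff was rendered but is worth checking in the file itself. The same `## TODO.` placeholders recur in the dce-rpc events.bif hunk later in this commit.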
diff --git a/src/analyzer/protocols/conn-size/Plugin.cc b/src/analyzer/protocols/conn-size/Plugin.cc index 7520d9b7b5..5ff2ed201d 100644 --- a/src/analyzer/protocols/conn-size/Plugin.cc +++ b/src/analyzer/protocols/conn-size/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(ConnSize) BRO_PLUGIN_DESCRIPTION("Connection size analyzer"); - BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("CONNSIZE", conn_size::ConnSize_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.cc b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc index f01edc9c8a..dd31cfa8a7 100644 --- a/src/analyzer/protocols/dce-rpc/DCE_RPC.cc +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc @@ -13,6 +13,10 @@ using namespace std; #include "analyzer/Manager.h" +#include "events.bif.h" + +using namespace analyzer::dce_rpc; + #define xbyte(b, n) (((const u_char*) (b))[n]) #define extract_uint16(little_endian, bytes) \ @@ -27,7 +31,7 @@ static int uuid_index[] = { 12, 13, 14, 15 }; -const char* uuid_to_string(const u_char* uuid_data) +const char* analyzer::dce_rpc::uuid_to_string(const u_char* uuid_data) { static char s[1024]; char* sp = s; @@ -443,7 +447,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse( Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* arg_session, bool speculative) -: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) { session = arg_session; msg_buf = 0; @@ -475,10 +479,10 @@ Contents_DCE_RPC_Analyzer::~Contents_DCE_RPC_Analyzer() void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - TCP_Analyzer* tcp = - static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = + static_cast(Parent())->TCP(); if ( tcp->HadGap(orig) || tcp->IsPartial() ) return; 
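Review bot: In `Contents_DCE_RPC_Analyzer::DeliverStream` the local variable `tcp` now carries the same name as the `tcp` namespace it is declared with (`tcp::TCP_Analyzer* tcp = ...`). This compiles, because the name before `::` is looked up among namespaces and types only, but from that declaration onward an unqualified `tcp` in the function means the pointer while `tcp::` still means the namespace, which is easy to misread; renaming the local, e.g. `tcp::TCP_Analyzer* tcp_analyzer = static_cast<…>(Parent())->TCP();` followed by `if ( tcp_analyzer->HadGap(orig) || tcp_analyzer->IsPartial() )`, avoids the clash. The template argument of that `static_cast` is not visible in this rendering of the diff, so I have left it elided. The body of DeliverStream continues past the end of the hunk, so any further uses of the local there would need the same rename.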
@@ -567,7 +571,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader() } DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative) -: TCP_ApplicationAnalyzer("DCE_RPC", conn) +: tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) { session = new DCE_RPC_Session(this); speculative = arg_speculative; diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.h b/src/analyzer/protocols/dce-rpc/DCE_RPC.h index 7ad3cd1e13..fabd68912e 100644 --- a/src/analyzer/protocols/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.h @@ -8,10 +8,14 @@ #include "NetVar.h" #include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/dce-rpc/events.bif.h" #include "IPAddr.h" #include "dce_rpc_simple_pac.h" + +namespace analyzer { namespace dce_rpc { + class UUID { public: UUID(); @@ -145,7 +149,7 @@ protected: } mapped; }; -class Contents_DCE_RPC_Analyzer : public TCP_SupportAnalyzer { +class Contents_DCE_RPC_Analyzer : public tcp::TCP_SupportAnalyzer { public: Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session, bool speculative); @@ -169,7 +173,7 @@ protected: DCE_RPC_Session* session; }; -class DCE_RPC_Analyzer : public TCP_ApplicationAnalyzer { +class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: DCE_RPC_Analyzer(Connection* conn, bool speculative = false); ~DCE_RPC_Analyzer(); @@ -182,4 +186,6 @@ protected: bool speculative; }; +} } // namespace analyzer::* + #endif /* dce_rpc_h */ diff --git a/src/analyzer/protocols/dce-rpc/Plugin.cc b/src/analyzer/protocols/dce-rpc/Plugin.cc index b818806076..5e35af7c0d 100644 --- a/src/analyzer/protocols/dce-rpc/Plugin.cc +++ b/src/analyzer/protocols/dce-rpc/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(DCE_RPC) BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer"); - BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
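Review bot: DCE_RPC.h pulls `analyzer/protocols/dce-rpc/events.bif.h` into the header, whereas the bittorrent, conn-size, dhcp and dns hunks in this commit include `events.bif.h` only from the .cc file and the .pac `%extern{}` block, and DCE_RPC.cc and dce_rpc.pac in this same commit already do exactly that. None of the declarations visible in the DCE_RPC.h hunks use an event handle, so the header include looks redundant and exposes the generated event declarations to every translation unit that includes DCE_RPC.h; unless a declaration outside the hunk needs it, dropping `#include "analyzer/protocols/dce-rpc/events.bif.h"` from the header keeps the dce-rpc analyzer consistent with the others.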
diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc.pac b/src/analyzer/protocols/dce-rpc/dce_rpc.pac index cbcd0cbdc4..632d2304a1 100644 --- a/src/analyzer/protocols/dce-rpc/dce_rpc.pac +++ b/src/analyzer/protocols/dce-rpc/dce_rpc.pac @@ -1,6 +1,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DCE_RPC withcontext { connection: DCE_RPC_Conn; flow: DCE_RPC_Flow; diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac index f31c2a078b..1bf0387b1d 100644 --- a/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac +++ b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac @@ -1,5 +1,9 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DCE_RPC_Simple withcontext {}; %include dce_rpc-protocol.pac diff --git a/src/analyzer/protocols/dce-rpc/events.bif b/src/analyzer/protocols/dce-rpc/events.bif index e69de29bb2..bdabb674fa 100644 --- a/src/analyzer/protocols/dce-rpc/events.bif +++ b/src/analyzer/protocols/dce-rpc/events.bif 
@@ -0,0 +1,55 @@ +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_bind%(c: connection, uuid: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_request%(c: connection, opnum: count, stub: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_request rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_response%(c: connection, opnum: count, stub: string%); + +## TODO. +## +## .. 
bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_request dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); + diff --git a/src/analyzer/protocols/dhcp/DHCP.cc b/src/analyzer/protocols/dhcp/DHCP.cc index a590db19ca..8d05aef37d 100644 --- a/src/analyzer/protocols/dhcp/DHCP.cc +++ b/src/analyzer/protocols/dhcp/DHCP.cc @@ -1,6 +1,10 @@ #include "DHCP.h" +#include "events.bif.h" + +using namespace analyzer::dhcp; + DHCP_Analyzer::DHCP_Analyzer(Connection* conn) : Analyzer("DHCP", conn) { diff --git a/src/analyzer/protocols/dhcp/DHCP.h b/src/analyzer/protocols/dhcp/DHCP.h index 5c12e52cc5..189e04ecab 100644 --- a/src/analyzer/protocols/dhcp/DHCP.h +++ b/src/analyzer/protocols/dhcp/DHCP.h @@ -5,6 +5,8 @@ #include "dhcp_pac.h" +namespace analyzer { namespace dhcp { + class DHCP_Analyzer : public analyzer::Analyzer { public: DHCP_Analyzer(Connection* conn); @@ -21,4 +23,6 @@ protected: binpac::DHCP::DHCP_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/dhcp/Plugin.cc b/src/analyzer/protocols/dhcp/Plugin.cc index 32225d5bec..e1ee02db95 100644 --- a/src/analyzer/protocols/dhcp/Plugin.cc +++ b/src/analyzer/protocols/dhcp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(DHCP) BRO_PLUGIN_DESCRIPTION("DHCP Analyzer"); - BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/dhcp/dhcp.pac b/src/analyzer/protocols/dhcp/dhcp.pac index 9e9d7755a4..c4a684badc 100644 --- a/src/analyzer/protocols/dhcp/dhcp.pac 
+++ b/src/analyzer/protocols/dhcp/dhcp.pac @@ -1,5 +1,9 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DHCP withcontext { connection: DHCP_Conn; flow: DHCP_Flow; diff --git a/src/analyzer/protocols/dhcp/events.bif b/src/analyzer/protocols/dhcp/events.bif index e69de29bb2..741504185e 100644 --- a/src/analyzer/protocols/dhcp/events.bif +++ b/src/analyzer/protocols/dhcp/events.bif 
@@ -0,0 +1,239 @@ +## Generated for DHCP messages of type *discover*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## req_addr: The specific address requested by the client. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); + +## Generated for DHCP messages of type *offer*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: TODO. +## +## mask: The subnet mask specified by the message. +## +## router: The list of routers specified by the message. +## +## lease: The least interval specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); + +## Generated for DHCP messages of type *request*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## req_addr: The client address specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). 
It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%); + +## Generated for DHCP messages of type *decline*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_decline%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *acknowledgment*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. 
+## +## msg: The parsed type-independent part of the DHCP message. +## +## mask: The subnet mask specified by the message. +## +## router: The list of routers specified by the message. +## +## lease: The least interval specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); + +## Generated for DHCP messages of type *negative acknowledgment*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_nak%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *release*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_release%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *inform*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_inform%(c: connection, msg: dhcp_msg%); + diff --git a/src/analyzer/protocols/dns/DNS.cc b/src/analyzer/protocols/dns/DNS.cc index 7cab27c4b9..4901df4417 100644 --- a/src/analyzer/protocols/dns/DNS.cc +++ b/src/analyzer/protocols/dns/DNS.cc 
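Review bot: The `.. bro:see::` list in every dhcp event description cross-references DNS events (`dns_AAAA_reply`, `dns_A_reply`, and on `dhcp_discover` even the `dns_max_queries`/`dns_skip_*` options) rather than the sibling DHCP events, so the generated documentation will link each DHCP event to unrelated DNS handlers; each list should name the other `dhcp_*` events instead, e.g. on `dhcp_discover`: `## .. bro:see:: dhcp_ack dhcp_decline dhcp_inform dhcp_nak dhcp_offer dhcp_release dhcp_request`. The `lease` parameter on `dhcp_offer` and `dhcp_ack` is described as "The least interval specified by the message", which should read "The lease interval specified by the message". `dhcp_offer` also leaves `msg` as `## msg: TODO.` while the other seven events describe it as "The parsed type-independent part of the DHCP message"; the same wording fits here.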
@@ -12,6 +12,10 @@
 #include "Sessions.h"
 #include "Event.h"
+#include "events.bif.h"
+
+using namespace analyzer::dns;
+
 DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
 {
 analyzer = arg_analyzer;
@@ -993,7 +997,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
 Contents_DNS::Contents_DNS(Connection* conn, bool orig, DNS_Interpreter* arg_interp)
-: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
+: tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
 {
 interp = arg_interp;
@@ -1080,7 +1084,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig)
 }
 DNS_Analyzer::DNS_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("DNS", conn)
+: tcp::TCP_ApplicationAnalyzer("DNS", conn)
 {
 interp = new DNS_Interpreter(this);
 contents_dns_orig = contents_dns_resp = 0;
@@ -1112,7 +1116,7 @@ void DNS_Analyzer::Init()
 void DNS_Analyzer::Done()
 {
- TCP_ApplicationAnalyzer::Done();
+ tcp::TCP_ApplicationAnalyzer::Done();
 if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
 Event(udp_session_done);
@@ -1123,7 +1127,7 @@ void DNS_Analyzer::Done()
 void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
 {
- TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+ tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 if ( orig )
 {
@@ -1141,10 +1145,10 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 }
-void DNS_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+void DNS_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer,
 int gen_event)
 {
- TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
+ tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
 assert(contents_dns_orig && contents_dns_resp);
 contents_dns_orig->Flush();
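Review bot: In `DNS_Analyzer::ConnectionClosed` the only guard before `contents_dns_orig->Flush()` is an `assert`, which compiles away under `NDEBUG`, so a release build dereferences both pointers unconditionally. The constructor in this same file sets `contents_dns_orig = contents_dns_resp = 0`, and whether both are always allocated before a close is handled depends on code outside this diff, so an explicit early return would be the safer shape: `if ( ! (contents_dns_orig && contents_dns_resp) ) return;` ahead of the two `Flush()` calls. The function body continues past the hunk.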
diff --git a/src/analyzer/protocols/dns/DNS.h b/src/analyzer/protocols/dns/DNS.h
index ca87f862c0..fc19fe82b3 100644
--- a/src/analyzer/protocols/dns/DNS.h
+++ b/src/analyzer/protocols/dns/DNS.h
@@ -6,6 +6,8 @@
 #include "analyzer/protocols/tcp/TCP.h"
 #include "binpac_bro.h"
+namespace analyzer { namespace dns {
+
 typedef enum {
 DNS_OP_QUERY = 0, ///< standard query
 DNS_OP_IQUERY = 1, ///< reverse query
@@ -229,7 +231,7 @@ typedef enum {
 // Support analyzer which chunks the TCP stream into "packets".
 // ### This should be merged with TCP_Contents_RPC.
-class Contents_DNS : public TCP_SupportAnalyzer {
+class Contents_DNS : public tcp::TCP_SupportAnalyzer {
 public:
 Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp);
 ~Contents_DNS();
@@ -251,7 +253,7 @@ protected:
 };
 // Works for both TCP and UDP.
-class DNS_Analyzer : public TCP_ApplicationAnalyzer {
+class DNS_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 DNS_Analyzer(Connection* conn);
 ~DNS_Analyzer();
@@ -261,8 +263,8 @@ public:
 virtual void Init();
 virtual void Done();
- virtual void ConnectionClosed(TCP_Endpoint* endpoint,
- TCP_Endpoint* peer, int gen_event);
+ virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint,
+ tcp::TCP_Endpoint* peer, int gen_event);
 void ExpireTimer(double t);
@@ -279,4 +281,6 @@ protected:
 // FIXME: Doesn't really fit into new analyzer structure. What to do?
 int IsReuse(double t, const u_char* pkt);
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/dns/Plugin.cc b/src/analyzer/protocols/dns/Plugin.cc
index 6bd4415f0e..e731f191da 100644
--- a/src/analyzer/protocols/dns/Plugin.cc
+++ b/src/analyzer/protocols/dns/Plugin.cc
@@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(DNS)
 BRO_PLUGIN_DESCRIPTION("DNS Analyzer");
- BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer);
 BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS");
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
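Review bot: The closing-brace comment added at the end of DNS.h, `} } // namespace analyzer::*`, names a wildcard instead of the namespace the braces actually close, so a reader at the bottom of the header cannot tell which namespace ends there without scrolling to the top. Since the opening line in the first hunk is `namespace analyzer { namespace dns {`, the comment should mirror it: `} } // namespace analyzer::dns`. The same wildcard comment is added to File.h, Finger.h and FTP.h further down in this diff and should be spelled out as `analyzer::file`, `analyzer::finger` and `analyzer::ftp` respectively.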
diff --git a/src/analyzer/protocols/dns/events.bif b/src/analyzer/protocols/dns/events.bif
index e69de29bb2..95c604a8b8 100644
--- a/src/analyzer/protocols/dns/events.bif
+++ b/src/analyzer/protocols/dns/events.bif
@@ -0,0 +1,482 @@ +## Generated for all DNS messages. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## msg: The parsed DNS message header. +## +## len: The length of the message's raw representation (i.e., the DNS payload). +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%); + +## Generated for DNS requests. For requests with multiple queries, this event +## is raised once for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); + +## Generated for DNS replies that reject a query. This event is raised if a DNS +## reply either indicates failure via its status code or does not pass on any +## answers to a query. Note that all of the event's parameters are parsed out of +## the reply; there's no stateful correlation with the query. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); + +## Generated for DNS replies with an *ok* status code but no question section. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_query_reply%(c: connection, msg: dns_msg, query: string, + qtype: count, qclass: count%); + +## Generated for DNS replies of type *A*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. 
+## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply +## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *AAAA*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. 
bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *A6*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *NS*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); + +## Generated for DNS replies of type *CNAME*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); + +## Generated for DNS replies of type *PTR*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); + +## Generated for DNS replies of type *CNAME*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## soa: The parsed SOA value. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%); + +## Generated for DNS replies of type *WKS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%); + +## Generated for DNS replies of type *HINFO*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%); + +## Generated for DNS replies of type *MX*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. 
+## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## preference: The preference for *name* specified by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%); + +## Generated for DNS replies of type *TXT*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## str: The textual information returned by the reply. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%); + +## Generated for DNS replies of type *SRV*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%); + +## Generated for DNS replies of type *EDNS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. 
+## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The parsed EDNS reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); + +## Generated for DNS replies of type *TSIG*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The parsed TSIG reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%); + +## Generated at the end of processing a DNS packet. 
This event is the last
+## ``dns_*`` event that will be raised for a DNS query/reply and signals that
+## all resource records have been passed on.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_end%(c: connection, msg: dns_msg%);
+
+## Deprecated. Will be removed.
+##
+## .. todo:: Unclear what this event is for; it's never raised. We should just
+## remove it.
+event dns_full_request%(%);
+
+## msg: The raw DNS payload.
+##
+## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
+## detection framework.
+event non_dns_request%(c: connection, msg: string%);
diff --git a/src/analyzer/protocols/file/File.cc b/src/analyzer/protocols/file/File.cc
index 664e0a8c4c..66de4c2cb4 100644
--- a/src/analyzer/protocols/file/File.cc
+++ b/src/analyzer/protocols/file/File.cc
@@ -4,11 +4,15 @@
 #include "Reporter.h"
 #include "util.h"
+#include "events.bif.h"
+
+using namespace analyzer::file;
+
 magic_t File_Analyzer::magic = 0;
 magic_t File_Analyzer::magic_mime = 0;
 File_Analyzer::File_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("FILE", conn)
+: tcp::TCP_ApplicationAnalyzer("FILE", conn)
 {
 buffer_len = 0;
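Review bot: The documentation block for `dns_SOA_reply` opens with "Generated for DNS replies of type *CNAME*", copied from the CNAME and PTR entries above it, while its parameter list (`soa: The parsed SOA value.`) and the declaration itself are about SOA; the first line should read `## Generated for DNS replies of type *SOA*. For replies with multiple answers,`. Separately, `dns_A6_reply` is declared in this file but appears in the `.. bro:see::` cross-reference lists of only the A, AAAA and A6 entries, so every other list in the file silently omits it. Adding `dns_A6_reply` to those lists keeps the generated reference navigation consistent with the events actually declared.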
@@ -18,7 +22,7 @@ File_Analyzer::File_Analyzer(Connection* conn)
 void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
- TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+ tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 int n = min(len, BUFFER_SIZE - buffer_len);
@@ -35,7 +39,7 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void File_Analyzer::Done()
 {
- TCP_ApplicationAnalyzer::Done();
+ tcp::TCP_ApplicationAnalyzer::Done();
 if ( buffer_len && buffer_len != BUFFER_SIZE )
 Identify();
diff --git a/src/analyzer/protocols/file/File.h b/src/analyzer/protocols/file/File.h
index ae55a34885..ae6a815378 100644
--- a/src/analyzer/protocols/file/File.h
+++ b/src/analyzer/protocols/file/File.h
@@ -7,7 +7,9 @@
 #include 
-class File_Analyzer : public TCP_ApplicationAnalyzer {
+namespace analyzer { namespace file {
+
+class File_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 File_Analyzer(Connection* conn);
@@ -29,4 +31,6 @@ protected:
 static magic_t magic_mime;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/file/Plugin.cc b/src/analyzer/protocols/file/Plugin.cc
index a5868e0d7e..ad4e917742 100644
--- a/src/analyzer/protocols/file/Plugin.cc
+++ b/src/analyzer/protocols/file/Plugin.cc
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(File)
 BRO_PLUGIN_DESCRIPTION("Generic File Analyzer");
- BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("File", file::File_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/file/events.bif b/src/analyzer/protocols/file/events.bif
index e69de29bb2..4277f1975f 100644
--- a/src/analyzer/protocols/file/events.bif
+++ b/src/analyzer/protocols/file/events.bif
@@ -0,0 +1,3 @@
+## TODO.
+##
+event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
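Review bot: `file_transferred` is added with only a `## TODO.` placeholder, so the generated event reference will carry no description of when the event fires or what its four parameters hold, unlike every other bif in this diff which documents each parameter on its own `## name:` line. At minimum the block should state what triggers the event (the `Identify()` call in `File_Analyzer::Done()` in this diff looks like the producer, but the raise itself is not visible here) and add one line each for `c`, `prefix`, `descr` and `mime_type`, e.g. `## c: The connection over which the file was transferred.` and `## mime_type: The MIME type inferred for the file's content.`, with `prefix` and `descr` described from what the raising code actually passes. Leaving the placeholder in means the deprecation-style notes the sibling files carry (`.. bro:see::`, `.. todo::`) are also absent for this event.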
diff --git a/src/analyzer/protocols/finger/Finger.cc b/src/analyzer/protocols/finger/Finger.cc
index cdebed9bb9..dce2cfef9f 100644
--- a/src/analyzer/protocols/finger/Finger.cc
+++ b/src/analyzer/protocols/finger/Finger.cc
@@ -9,25 +9,29 @@
 #include "Event.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
+#include "events.bif.h"
+
+using namespace analyzer::finger;
+
 Finger_Analyzer::Finger_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("FINGER", conn)
+: tcp::TCP_ApplicationAnalyzer("FINGER", conn)
 {
 did_deliver = 0;
- content_line_orig = new ContentLine_Analyzer(conn, true);
+ content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
 content_line_orig->SetIsNULSensitive(true);
- content_line_resp = new ContentLine_Analyzer(conn, false);
+ content_line_resp = new tcp::ContentLine_Analyzer(conn, false);
 AddSupportAnalyzer(content_line_orig);
 AddSupportAnalyzer(content_line_resp);
 }
 void Finger_Analyzer::Done()
 {
- TCP_ApplicationAnalyzer::Done();
+ tcp::TCP_ApplicationAnalyzer::Done();
 if ( TCP() ) if ( (! did_deliver || content_line_orig->HasPartialLine()) &&
- (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
- TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) )
+ (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
+ TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
 // ### should include the partial text
 Weird("partial_finger_request");
 }
diff --git a/src/analyzer/protocols/finger/Finger.h b/src/analyzer/protocols/finger/Finger.h
index f069daa8c7..d80549bb4c 100644
--- a/src/analyzer/protocols/finger/Finger.h
+++ b/src/analyzer/protocols/finger/Finger.h
@@ -4,10 +4,11 @@
 #define finger_h
 #include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
-class ContentLine_Analyzer;
+namespace analyzer { namespace finger {
-class Finger_Analyzer : public TCP_ApplicationAnalyzer {
+class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 Finger_Analyzer(Connection* conn);
 virtual ~Finger_Analyzer() {}
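Review bot: The first Finger.h hunk replaces the forward declaration `class ContentLine_Analyzer;` with a full `#include "analyzer/protocols/tcp/ContentLine.h"`, but the header only ever stores `tcp::ContentLine_Analyzer*` members (second hunk), and Finger.cc already includes ContentLine.h itself, so the include widens this header's dependency surface for no benefit. A namespaced forward declaration keeps the original lightweight shape: `namespace analyzer { namespace tcp { class ContentLine_Analyzer; } }` in place of the old `class ContentLine_Analyzer;`. The same pattern may apply to FTP.h, which includes NVT.h for pointer members, though that include predates this diff.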
@@ -20,9 +21,11 @@ public:
 { return new Finger_Analyzer(conn); }
 protected:
- ContentLine_Analyzer* content_line_orig;
- ContentLine_Analyzer* content_line_resp;
+ tcp::ContentLine_Analyzer* content_line_orig;
+ tcp::ContentLine_Analyzer* content_line_resp;
 int did_deliver;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/finger/Plugin.cc b/src/analyzer/protocols/finger/Plugin.cc
index 98fd1f5985..603bbd004e 100644
--- a/src/analyzer/protocols/finger/Plugin.cc
+++ b/src/analyzer/protocols/finger/Plugin.cc
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Finger)
 BRO_PLUGIN_DESCRIPTION("Finger Analyzer");
- BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("FINGER", finger::Finger_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/finger/events.bif b/src/analyzer/protocols/finger/events.bif
index e69de29bb2..e495263b12 100644
--- a/src/analyzer/protocols/finger/events.bif
+++ b/src/analyzer/protocols/finger/events.bif
@@ -0,0 +1,38 @@
+## Generated for Finger requests.
+##
+## See `Wikipedia `__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## full: True if verbose information is requested (``/W`` switch).
+##
+## username: The request's user name.
+##
+## hostname: The request's host name.
+##
+## .. bro:see:: finger_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event finger_request%(c: connection, full: bool, username: string, hostname: string%);
+
+## Generated for Finger replies.
+##
+## See `Wikipedia `__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## reply_line: The reply as returned by the server
+##
+## .. bro:see:: finger_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event finger_reply%(c: connection, reply_line: string%);
+
diff --git a/src/analyzer/protocols/ftp/FTP.cc b/src/analyzer/protocols/ftp/FTP.cc
index b371099c01..aed14b8de8 100644
--- a/src/analyzer/protocols/ftp/FTP.cc
+++ b/src/analyzer/protocols/ftp/FTP.cc
@@ -11,18 +11,22 @@ #include "analyzer/Manager.h" #include "analyzer/protocols/login/NVT.h" +#include "events.bif.h" + +using namespace analyzer::ftp; + FTP_Analyzer::FTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("FTP", conn) +: tcp::TCP_ApplicationAnalyzer("FTP", conn) { pending_reply = 0; - nvt_orig = new NVT_Analyzer(conn, true); + nvt_orig = new login::NVT_Analyzer(conn, true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetCRLFAsEOL(LF_as_EOL); nvt_orig->SetIsNULSensitive(LF_as_EOL); - nvt_resp = new NVT_Analyzer(conn, false); + nvt_resp = new login::NVT_Analyzer(conn, false); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetCRLFAsEOL(LF_as_EOL); @@ -37,11 +41,11 @@ FTP_Analyzer::FTP_Analyzer(Connection* conn) void FTP_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( nvt_orig->HasPartialLine() && - (TCP()->OrigState() == TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_ftp_request"); } @@ -56,7 +60,7 @@ static uint32 get_reply_code(int len, const char* line) void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) ) return; diff --git a/src/analyzer/protocols/ftp/FTP.h b/src/analyzer/protocols/ftp/FTP.h index aaecfb98f1..9ebf38b2f7 100644 --- a/src/analyzer/protocols/ftp/FTP.h +++ b/src/analyzer/protocols/ftp/FTP.h 
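Review bot: `FTP_Analyzer::Done()` dereferences `TCP()` unguarded in `TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED`, whereas `HTTP_Analyzer::DeliverStream` in this same diff tests `TCP() &&` first; if the parent can ever be absent here, a peer that leaves a partial command line pending can trigger a null dereference in the monitor, so `if ( TCP() && nvt_orig->HasPartialLine() && ...` is the safer shape. In the constructor hunk, `nvt_orig->SetIsNULSensitive(true)` is called twice and then followed by `nvt_orig->SetIsNULSensitive(LF_as_EOL)`, which overwrites the value just set, and the `nvt_resp` block repeats the duplicate; this looks like a copy-paste slip the namespace move carries forward unchanged. A `// TODO(review): confirm intended NUL sensitivity; the LF_as_EOL call overrides the true above` or removal of the redundant calls would settle it. `DeliverStream` continues outside the hunk.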
@@ -6,7 +6,9 @@ #include "analyzer/protocols/login/NVT.h" #include "analyzer/protocols/tcp/TCP.h" -class FTP_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ftp { + +class FTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: FTP_Analyzer(Connection* conn); @@ -19,8 +21,8 @@ public: } protected: - NVT_Analyzer* nvt_orig; - NVT_Analyzer* nvt_resp; + login::NVT_Analyzer* nvt_orig; + login::NVT_Analyzer* nvt_resp; uint32 pending_reply; // code associated with multi-line reply, or 0 string auth_requested; // AUTH method requested }; @@ -47,4 +49,6 @@ protected: bool first_token; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocols/ftp/Plugin.cc index 2a250b97ee..9a58990a63 100644 --- a/src/analyzer/protocols/ftp/Plugin.cc +++ b/src/analyzer/protocols/ftp/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(FTP) BRO_PLUGIN_DESCRIPTION("FTP Analyzer"); - BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ftp/events.bif b/src/analyzer/protocols/ftp/events.bif index e69de29bb2..16faa417d3 100644 --- a/src/analyzer/protocols/ftp/events.bif +++ b/src/analyzer/protocols/ftp/events.bif 
@@ -0,0 +1,35 @@
+## Generated for client-side FTP commands.
+##
+## See `Wikipedia `__ for
+## more information about the FTP protocol.
+##
+## c: The connection.
+##
+## command: The FTP command issued by the client (without any arguments).
+##
+## arg: The arguments going with the command.
+##
+## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
+## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+event ftp_request%(c: connection, command: string, arg: string%);
+
+## Generated for server-side FTP replies.
+##
+## See `Wikipedia `__ for
+## more information about the FTP protocol.
+##
+## c: The connection.
+##
+## code: The numerical response code the server responded with.
+##
+## msg: The textual message of the response.
+##
+## cont_resp: True if the reply line is tagged as being continued to the next
+## line. If so, further events will be raised and a handler may want
+## to reassemble the pieces before processing the response any
+## further.
+##
+## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
+## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);
+
diff --git a/src/analyzer/protocols/gnutella/Gnutella.cc b/src/analyzer/protocols/gnutella/Gnutella.cc
index bf2be877c0..a0d8812218 100644
--- a/src/analyzer/protocols/gnutella/Gnutella.cc
+++ b/src/analyzer/protocols/gnutella/Gnutella.cc
@@ -12,6 +12,10 @@
 #include "analyzer/protocols/pia/PIA.h"
 #include "analyzer/Manager.h"
+#include "events.bif.h"
+
+using namespace analyzer::gnutella;
+
 GnutellaMsgState::GnutellaMsgState()
 {
 buffer = "";
@@ -30,7 +34,7 @@ GnutellaMsgState::GnutellaMsgState()
 Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("GNUTELLA", conn)
+: tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
 {
 state = 0;
 new_state = 0;
@@ -50,7 +54,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer() void Gnutella_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) { @@ -138,9 +142,9 @@ int Gnutella_Analyzer::IsHTTP(string header) if ( Parent()->IsAnalyzer("TCP") ) { // Replay buffered data. - PIA* pia = static_cast(Parent())->GetPIA(); + pia::PIA* pia = static_cast(Parent())->GetPIA(); if ( pia ) - static_cast(pia)->ReplayStreamBuffer(a); + static_cast(pia)->ReplayStreamBuffer(a); } Parent()->RemoveChildAnalyzer(this); @@ -328,7 +332,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig) void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); ms = orig ? orig_msg_state : resp_msg_state; ms->current_offset = 0; diff --git a/src/analyzer/protocols/gnutella/Gnutella.h b/src/analyzer/protocols/gnutella/Gnutella.h index 085d4fbf56..3a6e51d0c4 100644 --- a/src/analyzer/protocols/gnutella/Gnutella.h +++ b/src/analyzer/protocols/gnutella/Gnutella.h @@ -11,6 +11,8 @@ #define GNUTELLA_MSG_SIZE 23 #define GNUTELLA_MAX_PAYLOAD 1024 +namespace analyzer { namespace gnutella { + class GnutellaMsgState { public: GnutellaMsgState (); @@ -32,7 +34,7 @@ public: }; -class Gnutella_Analyzer : public TCP_ApplicationAnalyzer { +class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Gnutella_Analyzer(Connection* conn); ~Gnutella_Analyzer(); @@ -67,4 +69,6 @@ private: GnutellaMsgState* ms; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/gnutella/Plugin.cc b/src/analyzer/protocols/gnutella/Plugin.cc index 6cc0b02771..eca9adb001 100644 --- a/src/analyzer/protocols/gnutella/Plugin.cc +++ b/src/analyzer/protocols/gnutella/Plugin.cc 
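Review bot: In `Gnutella_Analyzer::IsHTTP` the pointer returned by `GetPIA()` is downcast with a `static_cast` (its template argument appears to have been lost in this rendering) before `ReplayStreamBuffer(a)` is called; that cast is unchecked and is only sound because of the `Parent()->IsAnalyzer("TCP")` test two lines above, a dependency nothing in the code states. A comment such as `// Parent is the TCP analyzer, so its PIA is the stream-oriented flavour; the cast below relies on that.` or a `dynamic_cast` with a null check would stop a later refactor from silently breaking the invariant. The enclosing function starts before this hunk.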
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Gnutella) BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer"); - BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("GNUTELLA", gnutella::Gnutella_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gnutella/events.bif b/src/analyzer/protocols/gnutella/events.bif index e69de29bb2..9384f34e88 100644 --- a/src/analyzer/protocols/gnutella/events.bif +++ b/src/analyzer/protocols/gnutella/events.bif 
@@ -0,0 +1,88 @@
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
+##
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
+## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
+ ttl: count, hops: count, msg_len: count,
+ payload: string, payload_len: count,
+ trunc: bool, complete: bool%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## gnutella_not_establish gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_partial_binary_msg%(c: connection, orig: bool,
+ msg: string, len: count%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
+## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_establish%(c: connection%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_not_establish%(c: connection%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
+## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_http_notify%(c: connection%);
diff --git a/src/analyzer/protocols/gtpv1/GTPv1.cc b/src/analyzer/protocols/gtpv1/GTPv1.cc
index 86a2615690..0a94a28554 100644
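Review bot: Every event in this new file is documented as `## TODO.` and none of the parameters (`orig`, `headers`, `msg_type`, `ttl`, `hops`, `msg_len`, `payload`, `payload_len`, `trunc`, `complete`, `msg`, `len`) is described, whereas the finger and FTP event files added by the same commit document each parameter. For a handler author `trunc` and `complete` on `gnutella_binary_msg` matter most, since they presumably say whether `payload` holds the whole message, so a confirmed sentence of the form `## trunc: True if the payload was cut at the analyzer's maximum; complete: True if the entire message was seen.` should replace the placeholder. The `.. bro:see::` lists also reference `gnutella_signature_found`, which is not declared in this file; verify it exists elsewhere before the cross-reference is published.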
--- a/src/analyzer/protocols/gtpv1/GTPv1.cc +++ b/src/analyzer/protocols/gtpv1/GTPv1.cc @@ -1,5 +1,11 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "GTPv1.h" +#include "events.bif.h" + +using namespace analyzer::gtpv1; + GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) : Analyzer("GTPV1", conn) { diff --git a/src/analyzer/protocols/gtpv1/GTPv1.h b/src/analyzer/protocols/gtpv1/GTPv1.h index 2e4a405878..3fb7634534 100644 --- a/src/analyzer/protocols/gtpv1/GTPv1.h +++ b/src/analyzer/protocols/gtpv1/GTPv1.h @@ -3,6 +3,8 @@ #include "gtpv1_pac.h" +namespace analyzer { namespace gtpv1 { + class GTPv1_Analyzer : public analyzer::Analyzer { public: GTPv1_Analyzer(Connection* conn); @@ -21,4 +23,6 @@ protected: binpac::GTPv1::GTPv1_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/gtpv1/Plugin.cc b/src/analyzer/protocols/gtpv1/Plugin.cc index caa9755828..39233384dc 100644 --- a/src/analyzer/protocols/gtpv1/Plugin.cc +++ b/src/analyzer/protocols/gtpv1/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(GTPV1) BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer"); - BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("GTPV1", gtpv1::GTPv1_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gtpv1/events.bif b/src/analyzer/protocols/gtpv1/events.bif index e69de29bb2..b3bac93a2e 100644 --- a/src/analyzer/protocols/gtpv1/events.bif +++ b/src/analyzer/protocols/gtpv1/events.bif 
@@ -0,0 +1,74 @@
+## Generated for any GTP message with a GTPv1 header.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
+
+## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
+## that includes a GTP header followed by an IPv4 or IPv6 packet.
+##
+## outer: The GTP outer tunnel connection.
+##
+## inner_gtp: The GTP header.
+##
+## inner_ip: The inner IP and transport layer packet headers.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
+
+## Generated for GTPv1-C Create PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Create PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Update PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Update PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);
+
diff --git a/src/analyzer/protocols/gtpv1/gtpv1.pac b/src/analyzer/protocols/gtpv1/gtpv1.pac
index d155ecfd67..0305951cc5 100644
--- a/src/analyzer/protocols/gtpv1/gtpv1.pac
+++ b/src/analyzer/protocols/gtpv1/gtpv1.pac
@@ -1,6 +1,10 @@
 %include binpac.pac
 %include bro.pac
+%extern{
+#include "events.bif.h"
+%}
+
 analyzer GTPv1 withcontext {
 connection: GTPv1_Conn;
 flow: GTPv1_Flow;
diff --git a/src/analyzer/protocols/http/HTTP.cc b/src/analyzer/protocols/http/HTTP.cc
index 98c8ad484e..899c7de01f 100644
--- a/src/analyzer/protocols/http/HTTP.cc
+++ b/src/analyzer/protocols/http/HTTP.cc
@@ -11,7 +11,11 @@
 #include "NetVar.h"
 #include "HTTP.h"
 #include "Event.h"
-#include "MIME.h"
+#include "analyzer/protocols/mime/MIME.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::http;
 const bool DEBUG_http = false;
@@ -77,7 +81,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) if ( end_of_data ) { // Multipart entities may have trailers - if ( content_type != CONTENT_TYPE_MULTIPART ) + if ( content_type != mime::CONTENT_TYPE_MULTIPART ) IllegalFormat("data trailing the end of entity"); return; } @@ -93,8 +97,8 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) } // Entity body. - if ( content_type == CONTENT_TYPE_MULTIPART || - content_type == CONTENT_TYPE_MESSAGE ) + if ( content_type == mime::CONTENT_TYPE_MULTIPART || + content_type == mime::CONTENT_TYPE_MESSAGE ) DeliverBody(len, data, trailing_CRLF); else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER ) @@ -177,14 +181,14 @@ void HTTP_Entity::DeliverBody(int len, const char* data, int trailing_CRLF) { if ( encoding == GZIP || encoding == DEFLATE ) { - ZIP_Analyzer::Method method = + zip::ZIP_Analyzer::Method method = encoding == GZIP ? - ZIP_Analyzer::GZIP : ZIP_Analyzer::DEFLATE; + zip::ZIP_Analyzer::GZIP : zip::ZIP_Analyzer::DEFLATE; if ( ! zip ) { // We don't care about the direction here. - zip = new ZIP_Analyzer( + zip = new zip::ZIP_Analyzer( http_message->MyHTTP_Analyzer()->Conn(), false, method); zip->SetOutputHandler(new UncompressedOutput(this)); @@ -291,12 +295,12 @@ void HTTP_Entity::SetPlainDelivery(int64_t length) // expect_data_length. } -void HTTP_Entity::SubmitHeader(MIME_Header* h) +void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) { - if ( strcasecmp_n(h->get_name(), "content-length") == 0 ) + if ( mime::strcasecmp_n(h->get_name(), "content-length") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( ! is_null_data_chunk(vt) ) + if ( ! mime::is_null_data_chunk(vt) ) { int64_t n; if ( atoi_n(vt.length, vt.data, 0, 10, n) ) 
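Review bot: In `HTTP_Entity::SubmitHeader` the peer-supplied `Content-Length` is parsed into `int64_t n` via `atoi_n(vt.length, vt.data, 0, 10, n)` and the hunk ends before `n` is consumed, so the check that rejects a negative or oversized value is not visible here; if the following lines do not reject `n < 0`, a header like `Content-Length: -1` is a cheap way to desynchronize the body framing of a passive parser, and `if ( atoi_n(vt.length, vt.data, 0, 10, n) && n >= 0 )` is worth confirming. The `DeliverBody` hunk creates a `zip::ZIP_Analyzer` per compressed entity with no visible bound on the decompressed output; that is pre-existing, but a `// NOTE(review): decompression ratio is not bounded here; a small gzip body can expand arbitrarily` would flag it for the next reader. Both functions continue outside their hunks.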
@@ -308,8 +312,8 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h) // Figure out content-length for HTTP 206 Partial Content response // that uses multipart/byteranges content-type. - else if ( strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() && - Parent()->MIMEContentType() == CONTENT_TYPE_MULTIPART && + else if ( mime::strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() && + Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART && http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 ) { data_chunk_t vt = h->get_value_token(); @@ -367,19 +371,19 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h) } } - else if ( strcasecmp_n(h->get_name(), "transfer-encoding") == 0 ) + else if ( mime::strcasecmp_n(h->get_name(), "transfer-encoding") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( strcasecmp_n(vt, "chunked") == 0 ) + if ( mime::strcasecmp_n(vt, "chunked") == 0 ) chunked_transfer_state = BEFORE_CHUNK; } - else if ( strcasecmp_n(h->get_name(), "content-encoding") == 0 ) + else if ( mime::strcasecmp_n(h->get_name(), "content-encoding") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( strcasecmp_n(vt, "gzip") == 0 ) + if ( mime::strcasecmp_n(vt, "gzip") == 0 ) encoding = GZIP; - if ( strcasecmp_n(vt, "deflate") == 0 ) + if ( mime::strcasecmp_n(vt, "deflate") == 0 ) encoding = DEFLATE; } @@ -413,8 +417,8 @@ void HTTP_Entity::SubmitAllHeaders() return; } - if ( content_type == CONTENT_TYPE_MULTIPART || - content_type == CONTENT_TYPE_MESSAGE ) + if ( content_type == mime::CONTENT_TYPE_MULTIPART || + content_type == mime::CONTENT_TYPE_MESSAGE ) { // Do nothing. // Make sure that we check for multiple/message contents first, @@ -463,7 +467,7 @@ void HTTP_Entity::SubmitAllHeaders() } HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer, - ContentLine_Analyzer* arg_cl, bool arg_is_orig, + tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig, int expect_body, int64_t init_header_length) : MIME_Message (arg_analyzer) { 
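Review bot: The `transfer-encoding` and `content-encoding` branches compare only `h->get_value_token()` against a single literal (`"chunked"`, `"gzip"`, `"deflate"`); if `get_value_token()` yields just the first token, as its name suggests, a reply of `Transfer-Encoding: gzip, chunked` or `Content-Encoding: x-gzip` is not recognised, and an endpoint that honours it frames the body differently from the monitor, which is the classic desync/evasion case for a passive HTTP parser. This is pre-existing and the commit only re-qualifies `mime::strcasecmp_n`, but a comment `// NOTE(review): only the first value token is examined; multi-coding lists are not handled` would make the limitation explicit until the value is fully tokenised. The enclosing function continues outside the hunk.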
@@ -546,7 +550,7 @@ int HTTP_Message::Undelivered(int64_t len) return 0; } -void HTTP_Message::BeginEntity(MIME_Entity* entity) +void HTTP_Message::BeginEntity(mime::MIME_Entity* entity) { if ( DEBUG_http ) DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig); @@ -562,7 +566,7 @@ void HTTP_Message::BeginEntity(MIME_Entity* entity) } } -void HTTP_Message::EndEntity(MIME_Entity* entity) +void HTTP_Message::EndEntity(mime::MIME_Entity* entity) { if ( DEBUG_http ) DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig); @@ -588,12 +592,12 @@ void HTTP_Message::EndEntity(MIME_Entity* entity) Done(); } -void HTTP_Message::SubmitHeader(MIME_Header* h) +void HTTP_Message::SubmitHeader(mime::MIME_Header* h) { MyHTTP_Analyzer()->HTTP_Header(is_orig, h); } -void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist) +void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) { if ( http_all_headers ) { @@ -620,7 +624,7 @@ void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist) } } -void HTTP_Message::SubmitTrailingHeaders(MIME_HeaderList& /* hlist */) +void HTTP_Message::SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */) { // Do nothing for now. } @@ -664,15 +668,15 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail) const char* category = ""; switch ( event_type ) { - case MIME_EVENT_ILLEGAL_FORMAT: + case mime::MIME_EVENT_ILLEGAL_FORMAT: category = "illegal format"; break; - case MIME_EVENT_ILLEGAL_ENCODING: + case mime::MIME_EVENT_ILLEGAL_ENCODING: category = "illegal encoding"; break; - case MIME_EVENT_CONTENT_GAP: + case mime::MIME_EVENT_CONTENT_GAP: category = "content gap"; break; @@ -787,7 +791,7 @@ void HTTP_Message::Weird(const char* msg) } HTTP_Analyzer::HTTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("HTTP", conn) +: tcp::TCP_ApplicationAnalyzer("HTTP", conn) { num_requests = num_replies = 0; num_request_lines = num_reply_lines = 0; 
@@ -807,10 +811,10 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn) reply_code = 0; reply_reason_phrase = 0; - content_line_orig = new ContentLine_Analyzer(conn, true); + content_line_orig = new tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(content_line_orig); - content_line_resp = new ContentLine_Analyzer(conn, false); + content_line_resp = new tcp::ContentLine_Analyzer(conn, false); content_line_resp->SetSkipPartial(true); AddSupportAnalyzer(content_line_resp); } @@ -828,7 +832,7 @@ void HTTP_Analyzer::Done() if ( IsFinished() ) return; - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); RequestMade(1, "message interrupted when connection done"); ReplyMade(1, "message interrupted when connection done"); @@ -850,7 +854,7 @@ void HTTP_Analyzer::Done() void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( TCP() && TCP()->IsPartial() ) return; @@ -858,7 +862,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) const char* line = reinterpret_cast(data); const char* end_of_line = line + len; - ContentLine_Analyzer* content_line = + tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( content_line->IsPlainDelivery() ) @@ -907,7 +911,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { if ( ! RequestExpected() ) HTTP_Event("crud_trailing_HTTP_request", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); else { // We do see HTTP requests with a 
@@ -986,20 +990,20 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); // DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length); HTTP_Message* msg = is_orig ? request_message : reply_message; - ContentLine_Analyzer* content_line = + tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( ! content_line->IsSkippedContents(seq, len) ) { if ( msg ) - msg->SubmitEvent(MIME_EVENT_CONTENT_GAP, + msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP, fmt("seq=%d, len=%d", seq, len)); } @@ -1030,7 +1034,7 @@ void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig) void HTTP_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); // DEBUG_MSG("%.6f eof\n", network_time); @@ -1042,7 +1046,7 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig) void HTTP_Analyzer::ConnectionFinished(int half_finished) { - TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); // DEBUG_MSG("%.6f connection finished\n", network_time); RequestMade(1, "message ends as connection is finished"); @@ -1051,7 +1055,7 @@ void HTTP_Analyzer::ConnectionFinished(int half_finished) void HTTP_Analyzer::ConnectionReset() { - TCP_ApplicationAnalyzer::ConnectionReset(); + tcp::TCP_ApplicationAnalyzer::ConnectionReset(); RequestMade(1, "message interrupted by RST"); ReplyMade(1, "message interrupted by RST"); @@ -1059,7 +1063,7 @@ void HTTP_Analyzer::ConnectionReset() void HTTP_Analyzer::PacketWithRST() { - TCP_ApplicationAnalyzer::PacketWithRST(); + tcp::TCP_ApplicationAnalyzer::PacketWithRST(); RequestMade(1, "message interrupted by RST"); ReplyMade(1, "message interrupted by RST"); 
@@ -1203,10 +1207,10 @@ int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) version_end = version_start + 3; if ( skip_whitespace(version_end, end_of_line) != end_of_line ) HTTP_Event("crud after HTTP version is ignored", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); } else - HTTP_Event("bad_HTTP_version", new_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_version", mime::new_string_val(line, end_of_line)); } // NormalizeURI(line, end_of_uri); @@ -1230,7 +1234,7 @@ double HTTP_Analyzer::HTTP_Version(int len, const char* data) } else { - HTTP_Event("bad_HTTP_version", new_string_val(len, data)); + HTTP_Event("bad_HTTP_version", mime::new_string_val(len, data)); return 0; } } @@ -1409,20 +1413,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) // ##TODO: some server replies with an HTML document // without a status line and a MIME header, when the // request is malformed. - HTTP_Event("bad_HTTP_reply", new_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_reply", mime::new_string_val(line, end_of_line)); return 0; } SetVersion(reply_version, HTTP_Version(end_of_line - rest, rest)); for ( ; rest < end_of_line; ++rest ) - if ( is_lws(*rest) ) + if ( mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); return 0; } 
@@ -1431,20 +1435,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) if ( rest + 3 > end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); return 0; } reply_code = HTTP_ReplyCode(rest); for ( rest += 3; rest < end_of_line; ++rest ) - if ( is_lws(*rest) ) + if ( mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_reason_phrase_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); // Tolerate missing reason phrase? return 1; } @@ -1491,7 +1495,7 @@ int HTTP_Analyzer::ExpectReplyMessageBody() return HTTP_BODY_EXPECTED; } -void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) +void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h) { #if 0 // ### Only call ParseVersion if we're tracking versions: @@ -1508,16 +1512,16 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) // side, and if seen assume the connection to be persistent. // This seems fairly safe - at worst, the client does indeed // send additional requests, and the server ignores them. - if ( is_orig && strcasecmp_n(h->get_name(), "connection") == 0 ) + if ( is_orig && mime::strcasecmp_n(h->get_name(), "connection") == 0 ) { - if ( strcasecmp_n(h->get_value_token(), "keep-alive") == 0 ) + if ( mime::strcasecmp_n(h->get_value_token(), "keep-alive") == 0 ) keep_alive = 1; } if ( ! is_orig && - strcasecmp_n(h->get_name(), "connection") == 0 ) + mime::strcasecmp_n(h->get_name(), "connection") == 0 ) { - if ( strcasecmp_n(h->get_value_token(), "close") == 0 ) + if ( mime::strcasecmp_n(h->get_value_token(), "close") == 0 ) connection_close = 1; } 
@@ -1540,8 +1544,8 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) val_list* vl = new val_list(); vl->append(BuildConnVal()); vl->append(new Val(is_orig, TYPE_BOOL)); - vl->append(new_string_val(h->get_name())->ToUpper()); - vl->append(new_string_val(h->get_value())); + vl->append(mime::new_string_val(h->get_name())->ToUpper()); + vl->append(mime::new_string_val(h->get_value())); if ( DEBUG_http ) DEBUG_MSG("%.6f http_header\n", network_time); ConnectionEvent(http_header, vl); @@ -1570,7 +1574,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, while ( len > 0 ) { // Skip white space. - while ( len && is_lws(*data) ) + while ( len && mime::is_lws(*data) ) { ++data; --len; @@ -1583,7 +1587,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, // Find end of comment. const char* data_start = data; const char* eoc = - data + MIME_skip_lws_comments(len, data); + data + mime::MIME_skip_lws_comments(len, data); // Split into parts. // (This may get confused by nested comments, @@ -1593,7 +1597,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, while ( 1 ) { // Eat spaces. - while ( data < eoc && is_lws(*data) ) + while ( data < eoc && mime::is_lws(*data) ) ++data; // Find end of token. @@ -1606,7 +1610,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, break; // Delete spaces at end of token. - for ( ; eot > data && is_lws(*(eot-1)); --eot ) + for ( ; eot > data && mime::is_lws(*(eot-1)); --eot ) ; if ( data != eot && software_version_found ) @@ -1619,7 +1623,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, continue; } - offset = MIME_get_slash_token_pair(len, data, + offset = mime::MIME_get_slash_token_pair(len, data, &product, &product_version); if ( offset < 0 ) { 
@@ -1627,10 +1631,10 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, // so we do not complain in the final version if ( num_version == 0 ) HTTP_Event("bad_HTTP_version", - new_string_val(len, data)); + mime::new_string_val(len, data)); // Try to simply skip next token. - offset = MIME_get_token(len, data, &product); + offset = mime::MIME_get_token(len, data, &product); if ( offset < 0 ) break; @@ -1694,7 +1698,7 @@ void HTTP_Analyzer::HTTP_MessageDone(int is_orig, HTTP_Message* /* message */) ReplyMade(0, "message ends normally"); } -void HTTP_Analyzer::InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, +void HTTP_Analyzer::InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, int expect_body, int64_t init_header_length) { if ( message ) @@ -1718,24 +1722,24 @@ void HTTP_Analyzer::SkipEntityData(int is_orig) msg->SkipEntityData(); } -int is_reserved_URI_char(unsigned char ch) +int analyzer::http::is_reserved_URI_char(unsigned char ch) { // see RFC 2396 (definition of URI) return strchr(";/?:@&=+$,", ch) != 0; } -int is_unreserved_URI_char(unsigned char ch) +int analyzer::http::is_unreserved_URI_char(unsigned char ch) { // see RFC 2396 (definition of URI) return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0; } -void escape_URI_char(unsigned char ch, unsigned char*& p) +void analyzer::http::escape_URI_char(unsigned char ch, unsigned char*& p) { *p++ = '%'; *p++ = encode_hex((ch >> 4) & 0xf); *p++ = encode_hex(ch & 0xf); } -BroString* unescape_URI(const u_char* line, const u_char* line_end, +BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_end, analyzer::Analyzer* analyzer) { byte_vec decoded_URI = new u_char[line_end - line + 1]; diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h index dae8fc1dcf..49235ae173 100644 --- a/src/analyzer/protocols/http/HTTP.h +++ b/src/analyzer/protocols/http/HTTP.h 
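Review bot: `analyzer::http::is_reserved_URI_char` and `is_unreserved_URI_char` both test `strchr(set, ch) != 0`, and `strchr` matches the terminating NUL, so both return true for `ch == 0`, classifying a NUL byte as a legal URI character instead of one that must be escaped; `return ch != '\0' && strchr(";/?:@&=+$,", ch) != 0;` (and the same guard before the unreserved `strchr`) fixes it. `isalnum(ch)` is additionally locale-dependent, so under a non-C locale bytes above 0x7f can pass as unreserved, which an explicit ASCII range test would avoid and would match the RFC 2396 comment. `unescape_URI` is cut off by the hunk right after `new u_char[line_end - line + 1]`, so how that buffer is released on its error paths is not visible here.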
@@ -6,13 +6,15 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" #include "analyzer/protocols/zip/ZIP.h" -#include "MIME.h" +#include "analyzer/protocols/mime/MIME.h" #include "binpac_bro.h" #include "IPAddr.h" #include "events.bif.h" #include "HTTP.h" +namespace analyzer { namespace http { + enum CHUNKED_TRANSFER_STATE { NON_CHUNKED_TRANSFER, BEFORE_CHUNK, @@ -27,7 +29,7 @@ class HTTP_Entity; class HTTP_Message; class HTTP_Analyzer; -class HTTP_Entity : public MIME_Entity { +class HTTP_Entity : public mime::MIME_Entity { public: HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity, int expect_body); @@ -57,7 +59,7 @@ protected: int64_t header_length; int deliver_body; enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding; - ZIP_Analyzer* zip; + zip::ZIP_Analyzer* zip; MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); } @@ -68,7 +70,7 @@ protected: void SetPlainDelivery(int64_t length); - void SubmitHeader(MIME_Header* h); + void SubmitHeader(mime::MIME_Header* h); void SubmitAllHeaders(); }; @@ -89,9 +91,9 @@ enum { // HTTP_Message::EndEntity -> Message::Done // HTTP_MessageDone -> {Request,Reply}Made -class HTTP_Message : public MIME_Message { +class HTTP_Message : public mime::MIME_Message { public: - HTTP_Message(HTTP_Analyzer* analyzer, ContentLine_Analyzer* cl, + HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl, bool is_orig, int expect_body, int64_t init_header_length); ~HTTP_Message(); void Done(const int interrupted, const char* msg); 
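Review bot: HTTP.h includes itself (`#include "HTTP.h"` directly after `events.bif.h` in the context lines of this hunk); the include guard that presumably sits above the hunk makes this a no-op, but it is dead and misleading in a header that is being reorganized, so I'd drop that line in this pass. The new `namespace analyzer { namespace http {` opening is correctly placed after the includes; the matching `} }` at the end of the file precedes the guard's `#endif`, which is what we want.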
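Review bot: The `HTTP_Entity` constructor declaration still takes an unqualified `MIME_Entity* parent_entity` although the base class on the adjacent line was changed to `mime::MIME_Entity`; this compiles only because the base's injected class name is visible inside the derived class, and the same unqualified `MIME_Entity* NewChildEntity()` appears in the following hunk. For consistency with the rest of the header I'd qualify both: `HTTP_Entity(HTTP_Message* msg, mime::MIME_Entity* parent_entity, int expect_body);` and `mime::MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }`. The class body continues outside the hunk.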
@@ -99,16 +101,16 @@ public: int Undelivered(int64_t len); - void BeginEntity(MIME_Entity* /* entity */); - void EndEntity(MIME_Entity* entity); - void SubmitHeader(MIME_Header* h); - void SubmitAllHeaders(MIME_HeaderList& /* hlist */); + void BeginEntity(mime::MIME_Entity* /* entity */); + void EndEntity(mime::MIME_Entity* entity); + void SubmitHeader(mime::MIME_Header* h); + void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */); void SubmitData(int len, const char* buf); int RequestBuffer(int* plen, char** pbuf); void SubmitAllData(); void SubmitEvent(int event_type, const char* detail); - void SubmitTrailingHeaders(MIME_HeaderList& /* hlist */); + void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */); void SetPlainDelivery(int64_t length); void SkipEntityData(); @@ -120,7 +122,7 @@ public: protected: HTTP_Analyzer* analyzer; - ContentLine_Analyzer* content_line; + tcp::ContentLine_Analyzer* content_line; bool is_orig; vector buffers; @@ -148,14 +150,14 @@ protected: Val* BuildMessageStat(const int interrupted, const char* msg); }; -class HTTP_Analyzer : public TCP_ApplicationAnalyzer { +class HTTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: HTTP_Analyzer(Connection* conn); ~HTTP_Analyzer(); - void Undelivered(TCP_Endpoint* sender, int seq, int len); + void Undelivered(tcp::TCP_Endpoint* sender, int seq, int len); - void HTTP_Header(int is_orig, MIME_Header* h); + void HTTP_Header(int is_orig, mime::MIME_Header* h); void HTTP_EntityData(int is_orig, const BroString* entity_data); void HTTP_MessageDone(int is_orig, HTTP_Message* message); void HTTP_Event(const char* category, const char* detail); 
@@ -171,7 +173,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void Undelivered(int seq, int len, bool orig); - // Overriden from TCP_ApplicationAnalyzer + // Overriden from tcp::TCP_ApplicationAnalyzer virtual void EndpointEOF(bool is_orig); virtual void ConnectionFinished(int half_finished); virtual void ConnectionReset(); @@ -192,7 +194,7 @@ protected: int HTTP_RequestLine(const char* line, const char* end_of_line); int HTTP_ReplyLine(const char* line, const char* end_of_line); - void InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, + void InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, int expect_body, int64_t init_header_length); const char* PrefixMatch(const char* line, const char* end_of_line, @@ -244,8 +246,8 @@ protected: int reply_code; Val* reply_reason_phrase; - ContentLine_Analyzer* content_line_orig; - ContentLine_Analyzer* content_line_resp; + tcp::ContentLine_Analyzer* content_line_orig; + tcp::ContentLine_Analyzer* content_line_resp; HTTP_Message* request_message; HTTP_Message* reply_message; @@ -257,4 +259,6 @@ extern void escape_URI_char(unsigned char ch, unsigned char*& p); extern BroString* unescape_URI(const u_char* line, const u_char* line_end, analyzer::Analyzer* analyzer); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocols/http/Plugin.cc index 5dab5c3c18..a0e6e28f43 100644 --- a/src/analyzer/protocols/http/Plugin.cc +++ b/src/analyzer/protocols/http/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(HTTP) BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); - BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/http/functions.bif b/src/analyzer/protocols/http/functions.bif index 0e1c63f721..eb9caf2a9a 100644 
--- a/src/analyzer/protocols/http/functions.bif +++ b/src/analyzer/protocols/http/functions.bif @@ -20,7 +20,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any if ( ha ) { if ( ha->IsAnalyzer("HTTP") ) - static_cast(ha)->SkipEntityData(is_orig); + static_cast(ha)->SkipEntityData(is_orig); else reporter->Error("non-HTTP analyzer associated with connection record"); } @@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string const u_char* line = URI->Bytes(); const u_char* const line_end = line + URI->Len(); - return new StringVal(unescape_URI(line, line_end, 0)); + return new StringVal(analyzer::http::unescape_URI(line, line_end, 0)); %} diff --git a/src/analyzer/protocols/icmp/ICMP.cc b/src/analyzer/protocols/icmp/ICMP.cc index 538d25dfc3..732727d709 100644 --- a/src/analyzer/protocols/icmp/ICMP.cc +++ b/src/analyzer/protocols/icmp/ICMP.cc @@ -10,8 +10,12 @@ #include "ICMP.h" #include "Conn.h" +#include "events.bif.h" + #include +using namespace analyzer::icmp; + ICMP_Analyzer::ICMP_Analyzer(Connection* c) : TransportLayerAnalyzer("ICMP", c) { @@ -828,7 +832,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) return vv; } -int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) +int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; @@ -855,7 +859,7 @@ int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) } } -int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) +int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; diff --git a/src/analyzer/protocols/icmp/ICMP.h b/src/analyzer/protocols/icmp/ICMP.h index e798bd2c9b..6a9ba3282c 100644 --- a/src/analyzer/protocols/icmp/ICMP.h +++ b/src/analyzer/protocols/icmp/ICMP.h 
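Review bot: The `unescape_URI` BIF calls `analyzer::http::unescape_URI(line, line_end, 0)` with a null analyzer and nothing at the call site says that this is intended; the decoder's body lives in HTTP.cc, outside this diff, so I can't tell from here how it uses the pointer, but a null presumably means any diagnostics it would raise for malformed escapes are dropped on this script-land path. A comment would make the contract explicit and stop the next maintainer from "fixing" it, e.g. `// No analyzer context from script-land: malformed escapes are decoded best-effort and not reported through an analyzer.` — to be confirmed against the decoder.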
@@ -6,6 +6,8 @@ #include "RuleMatcher.h" #include "analyzer/Analyzer.h" +namespace analyzer { namespace icmp { + typedef enum { ICMP_INACTIVE, // no packet seen ICMP_ACTIVE, // packets seen @@ -92,4 +94,6 @@ private: extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way); extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/icmp/Plugin.cc b/src/analyzer/protocols/icmp/Plugin.cc index 517b243e24..0d3a90e168 100644 --- a/src/analyzer/protocols/icmp/Plugin.cc +++ b/src/analyzer/protocols/icmp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(ICMP) BRO_PLUGIN_DESCRIPTION("ICMP Analyzer"); - BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/icmp/events.bif b/src/analyzer/protocols/icmp/events.bif index e69de29bb2..c471ca0ee6 100644 --- a/src/analyzer/protocols/icmp/events.bif +++ b/src/analyzer/protocols/icmp/events.bif 
@@ -0,0 +1,300 @@ +## Generated for all ICMP messages that are not handled separately with +## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages +## directly with dedicated events. This event acts as a fallback for those it +## doesn't. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## +## .. bro:see:: icmp_error_message +event icmp_sent%(c: connection, icmp: icmp_conn%); + +## Generated for ICMP *echo request* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## +## id: The *echo request* identifier. +## +## seq: The *echo request* sequence number. +## +## payload: The message-specific data of the packet payload, i.e., everything +## after the first 8 bytes of the ICMP header. +## +## .. bro:see:: icmp_echo_reply +event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); + +## Generated for ICMP *echo reply* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## id: The *echo reply* identifier. +## +## seq: The *echo reply* sequence number. +## +## payload: The message-specific data of the packet payload, i.e., everything +## after the first 8 bytes of the ICMP header. +## +## .. 
bro:see:: icmp_echo_request +event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); + +## Generated for all ICMPv6 error messages that are not handled +## separately with dedicated events. Bro's ICMP analyzer handles a number +## of ICMP error messages directly with dedicated events. This event acts +## as a fallback for those it doesn't. +## +## See `Wikipedia +## `__ for more +## information about the ICMPv6 protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## +## code: The ICMP code of the error message. +## +## context: A record with specifics of the original packet that the message +## refers to. +## +## .. bro:see:: icmp_unreachable icmp_packet_too_big +## icmp_time_exceeded icmp_parameter_problem +event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMP *destination unreachable* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## code: The ICMP code of the *unreachable* message. +## +## context: A record with specifics of the original packet that the message +## refers to. *Unreachable* messages should include the original IP +## header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *unreachable* +## includes only a partial IP header for some reason, no +## fields of *context* will be filled out. +## +## .. bro:see:: icmp_error_message icmp_packet_too_big +## icmp_time_exceeded icmp_parameter_problem +event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMPv6 *packet too big* messages. 
+## +## See `Wikipedia +## `__ for more +## information about the ICMPv6 protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## code: The ICMP code of the *too big* message. +## +## context: A record with specifics of the original packet that the message +## refers to. *Too big* messages should include the original IP header +## from the packet that triggered them, and Bro parses that into +## the *context* structure. Note that if the *too big* includes only +## a partial IP header for some reason, no fields of *context* will +## be filled out. +## +## .. bro:see:: icmp_error_message icmp_unreachable +## icmp_time_exceeded icmp_parameter_problem +event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMP *time exceeded* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## code: The ICMP code of the *exceeded* message. +## +## context: A record with specifics of the original packet that the message +## refers to. *Unreachable* messages should include the original IP +## header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *exceeded* includes +## only a partial IP header for some reason, no fields of *context* +## will be filled out. +## +## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big +## icmp_parameter_problem +event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMPv6 *parameter problem* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMPv6 protocol. 
+## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## code: The ICMP code of the *parameter problem* message. +## +## context: A record with specifics of the original packet that the message +## refers to. *Parameter problem* messages should include the original +## IP header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *parameter problem* +## includes only a partial IP header for some reason, no fields +## of *context* will be filled out. +## +## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big +## icmp_time_exceeded +event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMP *router solicitation* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_advertisement +## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect +event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%); + +## Generated for ICMP *router advertisement* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## cur_hop_limit: The default value that should be placed in Hop Count field +## for outgoing IP packets. +## +## managed: Managed address configuration flag, :rfc:`4861`. +## +## other: Other stateful configuration flag, :rfc:`4861`. 
+## +## home_agent: Mobile IPv6 home agent flag, :rfc:`3775`. +## +## pref: Router selection preferences, :rfc:`4191`. +## +## proxy: Neighbor discovery proxy flag, :rfc:`4389`. +## +## rsv: Remaining two reserved bits of router advertisement flags. +## +## router_lifetime: How long this router should be used as a default router. +## +## reachable_time: How long a neighbor should be considered reachable. +## +## retrans_timer: How long a host should wait before retransmitting. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_solicitation +## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect +event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); + +## Generated for ICMP *neighbor solicitation* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## tgt: The IP address of the target of the solicitation. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## icmp_neighbor_advertisement icmp_redirect +event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%); + +## Generated for ICMP *neighbor advertisement* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. 
+## +## router: Flag indicating the sender is a router. +## +## solicited: Flag indicating advertisement is in response to a solicitation. +## +## override: Flag indicating advertisement should override existing caches. +## +## tgt: the Target Address in the soliciting message or the address whose +## link-layer address has changed for unsolicited adverts. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## icmp_neighbor_solicitation icmp_redirect +event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); + +## Generated for ICMP *redirect* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## tgt: The address that is supposed to be a better first hop to use for +## ICMP Destination Address. +## +## dest: The address of the destination which is redirected to the target. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## icmp_neighbor_solicitation icmp_neighbor_advertisement +event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%); + diff --git a/src/analyzer/protocols/ident/Ident.cc b/src/analyzer/protocols/ident/Ident.cc index e9ba679b0b..8e25775af8 100644 --- a/src/analyzer/protocols/ident/Ident.cc +++ b/src/analyzer/protocols/ident/Ident.cc 
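Review bot: The `icmp_time_exceeded` documentation describes its `context` parameter with text copied from `icmp_unreachable`: it says `*Unreachable* messages should include the original IP header`, which should read `*Time exceeded* messages should include the original IP header`. The Neighbor Discovery events (`icmp_router_solicitation` through `icmp_redirect`) are documented as plain ICMP messages with a link to the ICMP page, yet they cite RFC 4861 and take `icmp6_nd_options`, which are ICMPv6-only; for consistency with `icmp_packet_too_big` and `icmp_parameter_problem` I'd write `Generated for ICMPv6 *router solicitation* messages` (and likewise for the other four) and point at the ICMPv6 page. The partial-header caveat that no `context` fields are filled in is worth keeping verbatim — it is the case a detection script has to guard for before reading `context`.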
@@ -8,13 +8,17 @@ #include "Ident.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::ident; + Ident_Analyzer::Ident_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("IDENT", conn) +: tcp::TCP_ApplicationAnalyzer("IDENT", conn) { did_bad_reply = did_deliver = 0; - orig_ident = new ContentLine_Analyzer(conn, true); - resp_ident = new ContentLine_Analyzer(conn, false); + orig_ident = new tcp::ContentLine_Analyzer(conn, true); + resp_ident = new tcp::ContentLine_Analyzer(conn, false); orig_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true); @@ -25,29 +29,29 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn) void Ident_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || orig_ident->HasPartialLine()) && - (TCP()->OrigState() == TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) && - TCP()->OrigPrevState() != TCP_ENDPOINT_PARTIAL && - TCP()->RespPrevState() != TCP_ENDPOINT_PARTIAL && - TCP()->OrigPrevState() != TCP_ENDPOINT_INACTIVE && - TCP()->RespPrevState() != TCP_ENDPOINT_INACTIVE ) + (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) && + TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_PARTIAL && + TCP()->RespPrevState() != tcp::TCP_ENDPOINT_PARTIAL && + TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_INACTIVE && + TCP()->RespPrevState() != tcp::TCP_ENDPOINT_INACTIVE ) Weird("partial_ident_request"); } void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); int remote_port, local_port; const char* line = (const char*) data; const char* orig_line = line; const char* end_of_line = line + length; - TCP_Endpoint* s = 0; + tcp::TCP_Endpoint* s = 0; if ( TCP() ) s = is_orig ? TCP()->Orig() : TCP()->Resp(); 
@@ -60,9 +64,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) line = ParsePair(line, end_of_line, remote_port, local_port); if ( ! line ) { - if ( s && s->state == TCP_ENDPOINT_CLOSED && - (s->prev_state == TCP_ENDPOINT_INACTIVE || - s->prev_state == TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; @@ -95,9 +99,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( ! line || line == end_of_line || line[0] != ':' ) { - if ( s && s->state == TCP_ENDPOINT_CLOSED && - (s->prev_state == TCP_ENDPOINT_INACTIVE || - s->prev_state == TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; diff --git a/src/analyzer/protocols/ident/Ident.h b/src/analyzer/protocols/ident/Ident.h index 95383429ce..473d201e65 100644 --- a/src/analyzer/protocols/ident/Ident.h +++ b/src/analyzer/protocols/ident/Ident.h @@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" -class Ident_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ident { + +class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Ident_Analyzer(Connection* conn); virtual void Done(); @@ -25,11 +27,13 @@ protected: void BadRequest(int length, const char* line); void BadReply(int length, const char* line); - ContentLine_Analyzer* orig_ident; - ContentLine_Analyzer* resp_ident; + tcp::ContentLine_Analyzer* orig_ident; + tcp::ContentLine_Analyzer* resp_ident; unsigned int did_deliver:1; unsigned int did_bad_reply:1; }; +} } // namespace analyzer::* + #endif 
diff --git a/src/analyzer/protocols/ident/Plugin.cc b/src/analyzer/protocols/ident/Plugin.cc index 2c7ea208cd..d0abef8280 100644 --- a/src/analyzer/protocols/ident/Plugin.cc +++ b/src/analyzer/protocols/ident/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Ident) BRO_PLUGIN_DESCRIPTION("Ident Analyzer"); - BRO_PLUGIN_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("IDENT", ident::Ident_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ident/events.bif b/src/analyzer/protocols/ident/events.bif index e69de29bb2..96a7f37a31 100644 --- a/src/analyzer/protocols/ident/events.bif +++ b/src/analyzer/protocols/ident/events.bif 
@@ -0,0 +1,63 @@ +## Generated for Ident requests. +## +## See `Wikipedia `__ for more +## information about the Ident protocol. +## +## c: The connection. +## +## lport: The request's local port. +## +## rport: The request's remote port. +## +## .. bro:see:: ident_error ident_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ident_request%(c: connection, lport: port, rport: port%); + +## Generated for Ident replies. +## +## See `Wikipedia `__ for more +## information about the Ident protocol. +## +## c: The connection. +## +## lport: The corresponding request's local port. +## +## rport: The corresponding request's remote port. +## +## user_id: The user id returned by the reply. +## +## system: The operating system returned by the reply. +## +## .. bro:see:: ident_error ident_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%); + +## Generated for Ident error replies. +## +## See `Wikipedia `__ for more +## information about the Ident protocol. +## +## c: The connection. +## +## lport: The corresponding request's local port. +## +## rport: The corresponding request's remote port. +## +## line: The error description returned by the reply. +## +## .. bro:see:: ident_reply ident_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ident_error%(c: connection, lport: port, rport: port, line: string%); + diff --git a/src/analyzer/protocols/interconn/InterConn.cc b/src/analyzer/protocols/interconn/InterConn.cc index 70860a6532..58dc6c2bf0 100644 --- a/src/analyzer/protocols/interconn/InterConn.cc +++ b/src/analyzer/protocols/interconn/InterConn.cc @@ -7,7 +7,11 @@ #include "Net.h" #include "analyzer/protocols/tcp/TCP.h" -InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e) +#include "events.bif.h" + +using namespace analyzer::interconn; + +InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e) { endp = e; max_top_seq = 0; @@ -30,7 +34,7 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen, if ( len <= 0 ) return 0; - if ( endp->state == TCP_ENDPOINT_PARTIAL ) + if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL ) is_partial = 1; int ack = endp->AckSeq() - endp->StartSeq(); @@ -153,7 +157,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const } InterConn_Analyzer::InterConn_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("INTERCONN", c) +: tcp::TCP_ApplicationAnalyzer("INTERCONN", c) { orig_endp = resp_endp = 0; orig_stream_pos = resp_stream_pos = 1; @@ -172,7 +176,7 @@ InterConn_Analyzer::~InterConn_Analyzer() void InterConn_Analyzer::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new InterConnEndpoint(TCP()->Orig()); @@ -182,7 +186,7 @@ void InterConn_Analyzer::Init() void InterConn_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); if ( is_orig ) 
@@ -193,7 +197,7 @@ void InterConn_Analyzer::DeliverPacket(int len, const u_char* data, void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( is_orig ) { @@ -218,7 +222,7 @@ void InterConn_Analyzer::Done() RemoveEvent(); } - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); } void InterConn_Analyzer::StatTimer(double t, int is_expire) diff --git a/src/analyzer/protocols/interconn/InterConn.h b/src/analyzer/protocols/interconn/InterConn.h index 9ee73d2ae8..c51113c156 100644 --- a/src/analyzer/protocols/interconn/InterConn.h +++ b/src/analyzer/protocols/interconn/InterConn.h @@ -7,9 +7,11 @@ #include "Timer.h" #include "NetVar.h" +namespace analyzer { namespace interconn { + class InterConnEndpoint : public BroObj { public: - InterConnEndpoint(TCP_Endpoint* e); + InterConnEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, int seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); @@ -21,7 +23,7 @@ protected: int IsPotentialKeystrokePacket(int len) const; int IsNormalKeystrokeInterarrival(double t) const; - TCP_Endpoint* endp; + tcp::TCP_Endpoint* endp; double last_keystroke_time; int max_top_seq; uint32 num_pkts; @@ -38,7 +40,7 @@ protected: }; -class InterConn_Analyzer : public TCP_ApplicationAnalyzer { +class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: InterConn_Analyzer(Connection* c); ~InterConn_Analyzer(); @@ -81,4 +83,6 @@ protected: InterConn_Analyzer* analyzer; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/interconn/Plugin.cc b/src/analyzer/protocols/interconn/Plugin.cc index ba80cf52af..cb4ac076af 100644 --- a/src/analyzer/protocols/interconn/Plugin.cc +++ b/src/analyzer/protocols/interconn/Plugin.cc 
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(InterConn) BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("INTERCONN", interconn::InterConn_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/interconn/events.bif b/src/analyzer/protocols/interconn/events.bif index e69de29bb2..6e859da668 100644 --- a/src/analyzer/protocols/interconn/events.bif +++ b/src/analyzer/protocols/interconn/events.bif @@ -0,0 +1,8 @@ +# ##### Deprecated events. Proposed for removal. + +## Deprecated. Will be removed. +event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%); + +## Deprecated. Will be removed. +event interconn_remove_conn%(c: connection%); + diff --git a/src/analyzer/protocols/irc/IRC.cc b/src/analyzer/protocols/irc/IRC.cc index 2411efbabb..7ac06a708f 100644 --- a/src/analyzer/protocols/irc/IRC.cc +++ b/src/analyzer/protocols/irc/IRC.cc @@ -6,11 +6,14 @@ #include "NetVar.h" #include "Event.h" #include "analyzer/protocols/zip/ZIP.h" - #include "analyzer/Manager.h" +#include "events.bif.h" + +using namespace analyzer::irc; + IRC_Analyzer::IRC_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("IRC", conn) +: tcp::TCP_ApplicationAnalyzer("IRC", conn) { invalid_msg_count = 0; invalid_msg_max_count = 20; 
@@ -18,18 +21,18 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn) resp_status = WAIT_FOR_REGISTRATION; orig_zip_status = NO_ZIP; resp_zip_status = NO_ZIP; - AddSupportAnalyzer(new ContentLine_Analyzer(conn, true)); - AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false)); } void IRC_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); } void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // check line size if ( length > 512 ) @@ -1158,8 +1161,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { orig_zip_status = ZIP_LOADED; resp_zip_status = ZIP_LOADED; - AddSupportAnalyzer(new ZIP_Analyzer(Conn(), true)); - AddSupportAnalyzer(new ZIP_Analyzer(Conn(), false)); + AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), true)); + AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), false)); } return; diff --git a/src/analyzer/protocols/irc/IRC.h b/src/analyzer/protocols/irc/IRC.h index 17b91f51e5..d5fa3b57e5 100644 --- a/src/analyzer/protocols/irc/IRC.h +++ b/src/analyzer/protocols/irc/IRC.h @@ -4,10 +4,12 @@ #define irc_h #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace irc { + /** * \brief Main class for analyzing IRC traffic. */ -class IRC_Analyzer : public TCP_ApplicationAnalyzer { +class IRC_Analyzer : public tcp::TCP_ApplicationAnalyzer { enum { WAIT_FOR_REGISTRATION, REGISTERED, }; enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, }; public: @@ -60,4 +62,6 @@ private: }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/irc/Plugin.cc b/src/analyzer/protocols/irc/Plugin.cc index bb6ade5f1f..72b89fda0e 100644 --- a/src/analyzer/protocols/irc/Plugin.cc 
+++ b/src/analyzer/protocols/irc/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(IRC) BRO_PLUGIN_DESCRIPTION("IRC Analyzer"); - BRO_PLUGIN_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/irc/events.bif b/src/analyzer/protocols/irc/events.bif index e69de29bb2..4e69b9ad33 100644 --- a/src/analyzer/protocols/irc/events.bif +++ b/src/analyzer/protocols/irc/events.bif 
@@ -0,0 +1,799 @@ + +## Generated for all client-side IRC commands. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: Always true. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## command: The command. +## +## arguments: The arguments for the command. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +## +## .. note:: This event is generated only for messages that originate +## at the client-side. Commands coming in from remote trigger +## the :bro:id:`irc_message` event instead. +event irc_request%(c: connection, is_orig: bool, prefix: string, + command: string, arguments: string%); + +## Generated for all IRC replies. IRC replies are sent in response to a +## request and come with a reply code. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the reply. IRC uses the prefix to +## indicate the true origin of a message. +## +## code: The reply code, as specified by the protocol. +## +## params: The reply's parameters. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_reply%(c: connection, is_orig: bool, prefix: string, + code: count, params: string%); + +## Generated for IRC commands forwarded from the server to the client. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: Always false. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## command: The command. +## +## message: TODO. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +## +## .. note:: +## +## This event is generated only for messages that are forwarded by the server +## to the client. Commands coming from client trigger the +## :bro:id:`irc_request` event instead. +event irc_message%(c: connection, is_orig: bool, prefix: string, + command: string, message: string%); + +## Generated for IRC messages of type *quit*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname coming with the message. +## +## message: The text included with the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%); + +## Generated for IRC messages of type *privmsg*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## source: The source of the private communication. +## +## target: The target of the private communication. +## +## message: The text of communication. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_privmsg_message%(c: connection, is_orig: bool, source: string, + target: string, message: string%); + +## Generated for IRC messages of type *notice*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## source: The source of the private communication. +## +## target: The target of the private communication. +## +## message: The text of communication. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_notice_message%(c: connection, is_orig: bool, source: string, + target: string, message: string%); + +## Generated for IRC messages of type *squery*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## source: The source of the private communication. +## +## target: The target of the private communication. +## +## message: The text of communication. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_squery_message%(c: connection, is_orig: bool, source: string, + target: string, message: string%); + +## Generated for IRC messages of type *join*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## info_list: The user information coming with the command. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%); + +## Generated for IRC messages of type *part*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname coming with the message. +## +## chans: The set of channels affected. +## +## message: The text coming with the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_password_message +event irc_part_message%(c: connection, is_orig: bool, nick: string, + chans: string_set, message: string%); + +## Generated for IRC messages of type *nick*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## who: The user changing its nickname. +## +## newnick: The new nickname. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%); + +## Generated when a server rejects an IRC nickname. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_invalid_nick%(c: connection, is_orig: bool%); + +## Generated for an IRC reply of type *luserclient*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## users: The number of users as returned in the reply. +## +## services: The number of services as returned in the reply. +## +## servers: The number of servers as returned in the reply. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_network_info%(c: connection, is_orig: bool, users: count, + services: count, servers: count%); + +## Generated for an IRC reply of type *luserme*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## users: The number of users as returned in the reply. +## +## services: The number of services as returned in the reply. +## +## servers: The number of servers as returned in the reply. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_server_info%(c: connection, is_orig: bool, users: count, + services: count, servers: count%); + +## Generated for an IRC reply of type *luserchannels*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## chans: The number of channels as returned in the reply. +## +## .. 
bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_channel_info%(c: connection, is_orig: bool, chans: count%); + +## Generated for an IRC reply of type *whoreply*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## target_nick: The target nickname. +## +## channel: The channel. +## +## user: The user. +## +## host: The host. +## +## server: The server. +## +## nick: The nickname. +## +## params: The parameters. +## +## hops: The hop count. +## +## real_name: The real name. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_who_line%(c: connection, is_orig: bool, target_nick: string, + channel: string, user: string, host: string, + server: string, nick: string, params: string, + hops: count, real_name: string%); + + +## Generated for an IRC reply of type *namereply*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## c_type: The channel type. +## +## channel: The channel. +## +## users: The set of users. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_names_info%(c: connection, is_orig: bool, c_type: string, + channel: string, users: string_set%); + +## Generated for an IRC reply of type *whoisoperator*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname specified in the reply. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); + +## Generated for an IRC reply of type *whoischannels*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname specified in the reply. +## +## chans: The set of channels returned. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, + chans: string_set%); + +## Generated for an IRC reply of type *whoisuser*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname specified in the reply. +## +## user: The user name specified in the reply. +## +## host: The host name specified in the reply. +## +## real_name: The real name specified in the reply. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, + user: string, host: string, real_name: string%); + +## Generated for IRC replies of type *youreoper* and *nooperhost*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## got_oper: True if the *oper* command was executed successfully +## (*youreport*) and false otherwise (*nooperhost*). +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_part_message +## irc_password_message +event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%); + +## Generated for an IRC reply of type *globalusers*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## msg: The message coming with the reply. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%); + +## Generated for an IRC reply of type *topic*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## channel: The channel name specified in the reply. +## +## topic: The topic specified in the reply. +## +## .. 
bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%); + +## Generated for IRC messages of type *who*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## mask: The mask specified in the message. +## +## oper: True if the operator flag was set. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); + +## Generated for IRC messages of type *whois*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## server: TODO. +## +## users: TODO. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%); + +## Generated for IRC messages of type *oper*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## user: The user specified in the message. +## +## password: The password specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_response irc_part_message +## irc_password_message +event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%); + +## Generated for IRC messages of type *kick*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## chans: The channels specified in the message. +## +## users: The users specified in the message. +## +## comment: The comment specified in the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_kick_message%(c: connection, is_orig: bool, prefix: string, + chans: string, users: string, comment: string%); + +## Generated for IRC messages of type *error*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## message: The textual description specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%); + +## Generated for IRC messages of type *invite*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## nickname: The nickname specified in the message. +## +## channel: The channel specified in the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_invite_message%(c: connection, is_orig: bool, prefix: string, + nickname: string, channel: string%); + +## Generated for IRC messages of type *mode*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## params: The parameters coming with the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%); + +## Generated for IRC messages of type *squit*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## server: The server specified in the message. +## +## message: The textual description specified in the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_squit_message%(c: connection, is_orig: bool, prefix: string, + server: string, message: string%); + +## Generated for IRC messages of type *dcc*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## target: The target specified in the message. +## +## dcc_type: The DCC type specified in the message. +## +## argument: The argument specified in the message. +## +## address: The address specified in the message. +## +## dest_port: The destination port specified in the message. +## +## size: The size specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_dcc_message%(c: connection, is_orig: bool, + prefix: string, target: string, + dcc_type: string, argument: string, + address: addr, dest_port: count, size: count%); + +## Generated for IRC messages of type *user*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. 
+## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## user: The user specified in the message. +## +## host: The host name specified in the message. +## +## server: The server name specified in the message. +## +## real_name: The real name specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%); + +## Generated for IRC messages of type *password*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## password: The password specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message +event irc_password_message%(c: connection, is_orig: bool, password: string%); diff --git a/src/analyzer/protocols/login/Login.cc b/src/analyzer/protocols/login/Login.cc index 2eb4900692..335b855f1d 100644 --- a/src/analyzer/protocols/login/Login.cc +++ b/src/analyzer/protocols/login/Login.cc 
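Review bot: Several parameter descriptions in the new IRC events.bif are placeholders: `irc_message` declares `## message: TODO.`, `irc_whois_message` declares `## server: TODO.` and `## users: TODO.`, and the `irc_oper_response` doc calls the success reply `*youreport*` where the numeric is `youreoper`, as the same event's summary line says. These comments feed the generated script reference, so I would fill the three TODOs from what IRC.cc actually passes and correct the typo before the file lands. `irc_squery_message` and `irc_notice_message` reuse the *privmsg* wording ("The source of the private communication") verbatim, which is misleading for SQUERY and NOTICE. Finally, `irc_oper_message` and `irc_password_message` hand a cleartext credential to script-land; a caveat on both, e.g. `## .. note:: The password is delivered in cleartext; handlers should avoid writing it to logs.`, would save an operator from leaking credentials into logs or notices.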
@@ -10,6 +10,10 @@ #include "RE.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::login; + static RE_Matcher* re_skip_authentication = 0; static RE_Matcher* re_direct_login_prompts; static RE_Matcher* re_login_prompts; @@ -21,7 +25,7 @@ static RE_Matcher* re_login_timeouts; static RE_Matcher* init_RE(ListVal* l); Login_Analyzer::Login_Analyzer(const char* name, Connection* conn) -: TCP_ApplicationAnalyzer(name, conn) +: tcp::TCP_ApplicationAnalyzer(name, conn) { state = LOGIN_STATE_AUTHENTICATE; num_user_lines_seen = lines_scanned = 0; @@ -65,7 +69,7 @@ Login_Analyzer::~Login_Analyzer() void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); char* str = new char[length+1]; @@ -102,8 +106,8 @@ void Login_Analyzer::NewLine(bool orig, char* line) if ( state == LOGIN_STATE_AUTHENTICATE ) { - if ( TCP()->OrigState() == TCP_ENDPOINT_PARTIAL || - TCP()->RespState() == TCP_ENDPOINT_PARTIAL ) + if ( TCP()->OrigState() == tcp::TCP_ENDPOINT_PARTIAL || + TCP()->RespState() == tcp::TCP_ENDPOINT_PARTIAL ) state = LOGIN_STATE_CONFUSED; // unknown login state else { @@ -361,7 +365,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) void Login_Analyzer::EndpointEOF(bool orig) { - TCP_ApplicationAnalyzer::EndpointEOF(orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() ) { diff --git a/src/analyzer/protocols/login/Login.h b/src/analyzer/protocols/login/Login.h index 67b6a3c094..55d12c80da 100644 --- a/src/analyzer/protocols/login/Login.h +++ b/src/analyzer/protocols/login/Login.h @@ -5,6 +5,8 @@ #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace login { + typedef enum { LOGIN_STATE_AUTHENTICATE, // trying to authenticate 
@@ -19,7 +21,7 @@ typedef enum { // Maximum # lines look after login for failure. #define MAX_LOGIN_LOOKAHEAD 10 -class Login_Analyzer : public TCP_ApplicationAnalyzer { +class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Login_Analyzer(const char* name, Connection* conn); ~Login_Analyzer(); @@ -82,4 +84,6 @@ protected: int saw_ploy; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/NVT.cc b/src/analyzer/protocols/login/NVT.cc index d51d562bd5..2c79fd7195 100644 --- a/src/analyzer/protocols/login/NVT.cc +++ b/src/analyzer/protocols/login/NVT.cc @@ -9,6 +9,8 @@ #include "Event.h" #include "analyzer/protocols/tcp/TCP.h" +#include "events.bif.h" + #define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254) #define TELNET_OPT_SB 250 @@ -24,6 +26,8 @@ #define TELNET_IAC 255 +using namespace analyzer::login; + TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code) { endp = arg_endp; @@ -287,7 +291,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len) break; } - static_cast + static_cast (endp->Parent())->SetEnv(endp->IsOrig(), var_name, var_val); } @@ -360,7 +364,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig) -: ContentLine_Analyzer("NVT", conn, orig) +: tcp::ContentLine_Analyzer("NVT", conn, orig) { peer = 0; is_suboption = last_was_IAC = pending_IAC = 0; diff --git a/src/analyzer/protocols/login/NVT.h b/src/analyzer/protocols/login/NVT.h index da97a251f0..dea4c90ad5 100644 --- a/src/analyzer/protocols/login/NVT.h +++ b/src/analyzer/protocols/login/NVT.h @@ -5,7 +5,6 @@ #include "analyzer/protocols/tcp/ContentLine.h" - #define TELNET_OPTION_BINARY 0 #define TELNET_OPTION_TERMINAL 24 #define TELNET_OPTION_AUTHENTICATE 37 @@ -13,8 +12,9 @@ #define TELNET_OPTION_ENVIRON 39 #define NUM_TELNET_OPTIONS 5 -class NVT_Analyzer; +namespace analyzer { namespace login { +class NVT_Analyzer; class TelnetOption { public: 
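Review bot: `#define MAX_LOGIN_LOOKAHEAD 10` now sits textually inside the `analyzer::login` namespace this commit opens in Login.h, but a preprocessor macro is not scoped by a namespace, so the name stays global while the adjacent enum and `Login_Analyzer` class become namespaced; `const int MAX_LOGIN_LOOKAHEAD = 10;` would give it the scoping the commit is after. The same applies to the `TELNET_OPTION_*` and `NUM_TELNET_OPTIONS` defines in NVT.h, which the commit leaves ahead of the namespace opening. If the macro is used from other translation units through the header, those uses would then need a `login::` qualifier or a using-directive, so this may be better handled as a follow-up than folded into the rename.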
@@ -123,7 +123,7 @@ protected: void InconsistentOption(unsigned int type); }; -class NVT_Analyzer : public ContentLine_Analyzer { +class NVT_Analyzer : public tcp::ContentLine_Analyzer { public: NVT_Analyzer(Connection* conn, bool orig); ~NVT_Analyzer(); @@ -170,4 +170,6 @@ protected: int num_options; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocols/login/Plugin.cc index 10166783c0..3f98f99d2c 100644 --- a/src/analyzer/protocols/login/Plugin.cc +++ b/src/analyzer/protocols/login/Plugin.cc @@ -8,11 +8,11 @@ BRO_PLUGIN_BEGIN(Login) BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer"); - BRO_PLUGIN_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("NVT", 0); - BRO_PLUGIN_ANALYZER("Login", 0); + BRO_PLUGIN_ANALYZER("TELNET", login::Telnet_Analyzer); + BRO_PLUGIN_ANALYZER("RSH", login::Rsh_Analyzer); + BRO_PLUGIN_ANALYZER("RLOGIN", login::Rlogin_Analyzer); + BRO_PLUGIN_ANALYZER_BARE("NVT"); + BRO_PLUGIN_ANALYZER_BARE("Login"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/login/RSH.cc b/src/analyzer/protocols/login/RSH.cc index 09d403fe59..1890fc3098 100644 --- a/src/analyzer/protocols/login/RSH.cc +++ b/src/analyzer/protocols/login/RSH.cc @@ -6,12 +6,15 @@ #include "Event.h" #include "RSH.h" +#include "events.bif.h" + +using namespace analyzer::login; // FIXME: this code should probably be merged with Rlogin.cc. Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* arg_analyzer) -: ContentLine_Analyzer("CONTENTS_RSH", conn, orig) +: tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; 
@@ -28,7 +31,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer() void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) { - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -42,10 +45,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RSH_FIRST_NULL: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RSH_UNKNOWN; ++len, --data; // put back c and reprocess diff --git a/src/analyzer/protocols/login/RSH.h b/src/analyzer/protocols/login/RSH.h index 80cc4a6559..2738060a9f 100644 --- a/src/analyzer/protocols/login/RSH.h +++ b/src/analyzer/protocols/login/RSH.h @@ -6,6 +6,8 @@ #include "Login.h" #include "analyzer/protocols/tcp/ContentLine.h" +namespace analyzer { namespace login { + typedef enum { RSH_FIRST_NULL, // waiting to see first NUL RSH_CLIENT_USER_NAME, // scanning client user name up to NUL @@ -21,7 +23,7 @@ typedef enum { class Rsh_Analyzer; -class Contents_Rsh_Analyzer : public ContentLine_Analyzer { +class Contents_Rsh_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer); ~Contents_Rsh_Analyzer(); @@ -54,4 +56,6 @@ public: Contents_Rsh_Analyzer* contents_resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Rlogin.cc b/src/analyzer/protocols/login/Rlogin.cc index b09e24d2cb..9a31a47aa1 100644 --- a/src/analyzer/protocols/login/Rlogin.cc +++ b/src/analyzer/protocols/login/Rlogin.cc 
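Review bot: In `Contents_Rsh_Analyzer::DoDeliver`, the rewritten declaration `tcp::TCP_Analyzer* tcp = ...->TCP();` names the local after the namespace it is qualified with; the `tcp::TCP_ENDPOINT_PARTIAL` and `tcp::TCP_ENDPOINT_CLOSED` comparisons in the second hunk still resolve because qualified lookup considers only namespaces and types, but a reader has to know that rule to see why the variable is not being used as a scope. Renaming the local, e.g. `tcp::TCP_Analyzer* tcp_analyzer = ...->TCP();` with `tcp_analyzer->OrigState()` / `tcp_analyzer->RespState()` below, removes the ambiguity. The same pattern is introduced in `Contents_Rlogin_Analyzer::DoDeliver` in Rlogin.cc. The body of DoDeliver continues past the end of the hunk.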
@@ -6,9 +6,12 @@ #include "Event.h" #include "Rlogin.h" +#include "events.bif.h" + +using namespace analyzer::login; Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) -: ContentLine_Analyzer("CONTENTLINE", conn, orig) +: tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -26,7 +29,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer() void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) { - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -40,10 +43,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RLOGIN_FIRST_NULL: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess @@ -85,10 +88,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) break; case RLOGIN_SERVER_ACK: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess diff --git a/src/analyzer/protocols/login/Rlogin.h b/src/analyzer/protocols/login/Rlogin.h index 0ad72b1908..c4cdfd7516 100644 --- a/src/analyzer/protocols/login/Rlogin.h +++ b/src/analyzer/protocols/login/Rlogin.h 
@@ -6,6 +6,8 @@ #include "Login.h" #include "analyzer/protocols/tcp/ContentLine.h" +namespace analyzer { namespace login { + typedef enum { RLOGIN_FIRST_NULL, // waiting to see first NUL RLOGIN_CLIENT_USER_NAME, // scanning client user name up to NUL @@ -29,7 +31,7 @@ typedef enum { class Rlogin_Analyzer; -class Contents_Rlogin_Analyzer : public ContentLine_Analyzer { +class Contents_Rlogin_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* analyzer); @@ -64,4 +66,6 @@ public: { return new Rlogin_Analyzer(conn); } }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Telnet.cc b/src/analyzer/protocols/login/Telnet.cc index 47991177f2..c22b2afc5e 100644 --- a/src/analyzer/protocols/login/Telnet.cc +++ b/src/analyzer/protocols/login/Telnet.cc @@ -5,6 +5,10 @@ #include "Telnet.h" #include "NVT.h" +#include "events.bif.h" + +using namespace analyzer::login; + Telnet_Analyzer::Telnet_Analyzer(Connection* conn) : Login_Analyzer("TELNET", conn) { diff --git a/src/analyzer/protocols/login/Telnet.h b/src/analyzer/protocols/login/Telnet.h index 290382846b..a13fe230af 100644 --- a/src/analyzer/protocols/login/Telnet.h +++ b/src/analyzer/protocols/login/Telnet.h @@ -5,6 +5,8 @@ #include "Login.h" +namespace analyzer { namespace login { + class Telnet_Analyzer : public Login_Analyzer { public: Telnet_Analyzer(Connection* conn); @@ -14,4 +16,6 @@ public: { return new Telnet_Analyzer(conn); } }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/events.bif b/src/analyzer/protocols/login/events.bif index e69de29bb2..084f53eaad 100644 --- a/src/analyzer/protocols/login/events.bif +++ b/src/analyzer/protocols/login/events.bif 
@@ -0,0 +1,395 @@ +## Generated for client side commands on an RSH connection. +## +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. +## +## c: The connection. +## +## client_user: The client-side user name as sent in the initial protocol +## handshake. +## +## server_user: The server-side user name as sent in the initial protocol +## handshake. +## +## line: The command line sent in the request. +## +## new_session: True if this is the first command of the Rsh session. +## +## .. bro:see:: rsh_reply login_confused login_confused_text login_display +## login_failure login_input_line login_output_line login_prompt login_success +## login_terminal +## +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); + +## Generated for client side commands on an RSH connection. +## +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. +## +## c: The connection. +## +## client_user: The client-side user name as sent in the initial protocol +## handshake. +## +## server_user: The server-side user name as sent in the initial protocol +## handshake. +## +## line: The command line sent in the request. +## +## .. bro:see:: rsh_request login_confused login_confused_text login_display +## login_failure login_input_line login_output_line login_prompt login_success +## login_terminal +## +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); + +## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects +## Telnet/Rlogin sessions to heuristically extract username and password +## information as well as the text returned by the login server. This event is +## raised if a login attempt appears to have been unsuccessful. +## +## c: The connection. +## +## user: The user name tried. +## +## client_user: For Telnet connections, this is an empty string, but for Rlogin +## connections, it is the client name passed in the initial authentication +## information (to check against .rhosts). +## +## password: The password tried. +## +## line: The line of text that led the analyzer to conclude that the +## authentication had failed. +## +## .. bro:see:: login_confused login_confused_text login_display login_input_line +## login_output_line login_prompt login_success login_terminal direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs +## login_timeouts set_login_state +## +## .. note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying login attempts. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
+event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); + +## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects +## Telnet/Rlogin sessions to heuristically extract username and password +## information as well as the text returned by the login server. This event is +## raised if a login attempt appears to have been successful. +## +## c: The connection. +## +## user: The user name used. +## +## client_user: For Telnet connections, this is an empty string, but for Rlogin +## connections, it is the client name passed in the initial authentication +## information (to check against .rhosts). +## +## password: The password used. +## +## line: The line of text that led the analyzer to conclude that the +## authentication had succeeded. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_prompt login_terminal +## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs +## login_prompts login_success_msgs login_timeouts set_login_state +## +## .. note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying login attempts. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); + +## Generated for lines of input on Telnet/Rlogin sessions. The line will have +## control characters (such as in-band Telnet options) removed. 
+## +## c: The connection. +## +## line: The input line. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_output_line login_prompt login_success login_terminal rsh_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_input_line%(c: connection, line: string%); + +## Generated for lines of output on Telnet/Rlogin sessions. The line will have +## control characters (such as in-band Telnet options) removed. +## +## c: The connection. +## +## line: The ouput line. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_prompt login_success login_terminal rsh_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_output_line%(c: connection, line: string%); + +## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's +## *login* analyzer uses a number of heuristics to extract authentication +## information, it may become confused. If it can no longer correctly track +## the authentication dialog, it raises this event. +## +## c: The connection. +## +## msg: Gives the particular problem the heuristics detected (for example, +## ``multiple_login_prompts`` means that the engine saw several login +## prompts in a row, without the type-ahead from the client side presumed +## necessary to cause them) +## +## line: The line of text that caused the heuristics to conclude they were +## confused. +## +## .. 
bro:see:: login_confused_text login_display login_failure login_input_line login_output_line +## login_prompt login_success login_terminal direct_login_prompts get_login_state +## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs +## login_timeouts set_login_state +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_confused%(c: connection, msg: string, line: string%); + +## Generated after getting confused while tracking a Telnet/Rlogin +## authentication dialog. The *login* analyzer generates this even for every +## line of user input after it has reported :bro:id:`login_confused` for a +## connection. +## +## c: The connection. +## +## line: The line the user typed. +## +## .. bro:see:: login_confused login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts +## login_success_msgs login_timeouts set_login_state +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_confused_text%(c: connection, line: string%); + +## Generated for clients transmitting a terminal type in a Telnet session. This +## information is extracted out of environment variables sent as Telnet options. +## +## c: The connection. +## +## terminal: The TERM value transmitted. +## +## .. 
bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_prompt login_success +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_terminal%(c: connection, terminal: string%); + +## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This +## information is extracted out of environment variables sent as Telnet options. +## +## c: The connection. +## +## display: The DISPLAY transmitted. +## +## .. bro:see:: login_confused login_confused_text login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_display%(c: connection, display: string%); + +## Generated when a Telnet authentication has been successful. The Telnet +## protocol includes options for negotiating authentication. When such an +## option is sent from client to server and the server replies that it accepts +## the authentication, then the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## name: The authenticated name. +## +## c: The connection. +## +## .. bro:see:: authentication_rejected authentication_skipped login_success +## +## .. note:: This event inspects the corresponding Telnet option +## while :bro:id:`login_success` heuristically determines success by watching +## session data. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_accepted%(name: string, c: connection%); + +## Generated when a Telnet authentication has been unsuccessful. The Telnet +## protocol includes options for negotiating authentication. When such an option +## is sent from client to server and the server replies that it did not accept +## the authentication, then the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## name: The attempted authentication name. +## +## c: The connection. +## +## .. bro:see:: authentication_accepted authentication_skipped login_failure +## +## .. note:: This event inspects the corresponding Telnet option +## while :bro:id:`login_success` heuristically determines failure by watching +## session data. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_rejected%(name: string, c: connection%); + +## Generated for Telnet/Rlogin sessions when a pattern match indicates +## that no authentication is performed. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts +## login_success_msgs login_timeouts set_login_state +## +## .. 
note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying activity. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_skipped%(c: connection%); + +## Generated for clients transmitting a terminal prompt in a Telnet session. +## This information is extracted out of environment variables sent as Telnet +## options. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## prompt: The TTYPROMPT transmitted. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_prompt%(c: connection, prompt: string%); + +## Generated for Telnet sessions when encryption is activated. The Telnet +## protocol includes options for negotiating encryption. When such a series of +## options is successfully negotiated, the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. 
bro:see:: authentication_accepted authentication_rejected authentication_skipped +## login_confused login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +event activating_encryption%(c: connection%); + +## Generated for an inconsistent Telnet option. Telnet options are specified +## by the client and server stating which options they are willing to +## support vs. which they are not, and then instructing one another which in +## fact they should or should not use for the current connection. If the event +## engine sees a peer violate either what the other peer has instructed it to +## do, or what it itself offered in terms of options in the past, then the +## engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: bad_option bad_option_termination authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +event inconsistent_option%(c: connection%); + +## Generated for an ill-formed or unrecognized Telnet option. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
+event bad_option%(c: connection%); + +## Generated for a Telnet option that's incorrectly terminated. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: inconsistent_option bad_option authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event bad_option_termination%(c: connection%); diff --git a/src/analyzer/protocols/mime/CMakeLists.txt b/src/analyzer/protocols/mime/CMakeLists.txt new file mode 100644 index 0000000000..1df45cd395 --- /dev/null +++ b/src/analyzer/protocols/mime/CMakeLists.txt @@ -0,0 +1,15 @@ + +# This is not an actual analyzer, but used by others. We still +# maintain it here along with the other analyzers because conceptually +# it's also parsing a protocol just like them. The current structure +# is merely a left-over from when this code was written. + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(MIME) +bro_plugin_cc(MIME.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() + diff --git a/src/MIME.cc b/src/analyzer/protocols/mime/MIME.cc similarity index 99% rename from src/MIME.cc rename to src/analyzer/protocols/mime/MIME.cc index 011857ee6e..3a6a1ace13 100644 --- a/src/MIME.cc +++ b/src/analyzer/protocols/mime/MIME.cc @@ -6,6 +6,8 @@ #include "Reporter.h" #include "digest.h" +#include "events.bif.h" + // Here are a few things to do: // // 1. Add a Bro internal function 'stop_deliver_data_of_entity' so 
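Review bot: The summary of `rsh_reply` reads `Generated for client side commands on an RSH connection.` and its `line` parameter is documented as `The command line sent in the request.`, which appears copied from `rsh_request` directly above; if the event is raised for the server's reply, as its name and the `rsh_request` cross-reference suggest, the summary and the `line` text should say so, e.g. `## Generated for server side replies on an RSH connection.`. In `login_output_line`, `The ouput line.` should read `The output line.`. The note under `authentication_rejected` says that login_success "heuristically determines failure", while the heuristic failure event is `login_failure`, which is also what that event's `bro:see` list points to. Since `login_failure` and `login_success` hand the observed `password` value to script-land, the parameter text could state that it is the cleartext credential as seen on the wire, so script authors know to treat it as sensitive before writing it to logs.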
@@ -16,44 +18,10 @@ // headers of form: =; =; // =; ... (so that +namespace analyzer { namespace mime { + static const data_chunk_t null_data_chunk = { 0, 0 }; -int is_null_data_chunk(data_chunk_t b) - { - return b.data == 0; - } - -int fputs(data_chunk_t b, FILE* fp) - { - for ( int i = 0; i < b.length; ++i ) - if ( fputc(b.data[i], fp) == EOF ) - return EOF; - return 0; - } - -StringVal* new_string_val(int length, const char* data) - { - return new StringVal(length, data); - } - -StringVal* new_string_val(const char* data, const char* end_of_data) - { - return new StringVal(end_of_data - data, data); - } - -StringVal* new_string_val(const data_chunk_t buf) - { - return new_string_val(buf.length, buf.data); - } - -data_chunk_t get_data_chunk(BroString* s) - { - data_chunk_t b; - b.length = s->Len(); - b.data = (const char*) s->Bytes(); - return b; - } - int mime_header_only = 0; int mime_decode_data = 1; int mime_submit_data = 1; 
@@ -129,6 +97,319 @@ static const char* MIMEContentEncodingName[] = { 0, }; +int is_null_data_chunk(data_chunk_t b) + { + return b.data == 0; + } + +int is_lws(char ch) + { + return ch == 9 || ch == 32; + } + +StringVal* new_string_val(int length, const char* data) + { + return new StringVal(length, data); + } + +StringVal* new_string_val(const char* data, const char* end_of_data) + { + return new StringVal(end_of_data - data, data); + } + +StringVal* new_string_val(const data_chunk_t buf) + { + return new_string_val(buf.length, buf.data); + } + +static data_chunk_t get_data_chunk(BroString* s) + { + data_chunk_t b; + b.length = s->Len(); + b.data = (const char*) s->Bytes(); + return b; + } + +int fputs(data_chunk_t b, FILE* fp) + { + for ( int i = 0; i < b.length; ++i ) + if ( fputc(b.data[i], fp) == EOF ) + return EOF; + return 0; + } + +int strcasecmp_n(data_chunk_t s, const char* t) + { + return ::strcasecmp_n(s.length, s.data, t); + } + +int MIME_count_leading_lws(int len, const char* data) + { + int i; + for ( i = 0; i < len; ++i ) + if ( ! is_lws(data[i]) ) + break; + return i; + } + +int MIME_count_trailing_lws(int len, const char* data) + { + int i; + for ( i = 0; i < len; ++i ) + if ( ! is_lws(data[len - 1 - i]) ) + break; + return i; + } + +// See RFC 2822, page 11 +int MIME_skip_comments(int len, const char* data) + { + if ( len == 0 || data[0] != '(' ) + return 0; + + int par = 0; + for ( int i = 0; i < len; ++i ) + { + switch ( data[i] ) { + case '(': + ++par; + break; + + case ')': + --par; + if ( par == 0 ) + return i + 1; + break; + + case '\\': + ++i; + break; + } + } + + return len; + } + +// Skip over lws and comments, but not tspecials. Do not use this +// function in quoted-string or comments. 
+int MIME_skip_lws_comments(int len, const char* data) + { + int i = 0; + while ( i < len ) + { + if ( is_lws(data[i]) ) + ++i; + else + { + if ( data[i] == '(' ) + i += MIME_skip_comments(len - i, data + i); + else + return i; + } + } + + return len; + } + +int MIME_get_field_name(int len, const char* data, data_chunk_t* name) + { + int i = MIME_skip_lws_comments(len, data); + while ( i < len ) + { + int j; + if ( MIME_is_field_name_char(data[i]) ) + { + name->data = data + i; + + for ( j = i; j < len; ++j ) + if ( ! MIME_is_field_name_char(data[j]) ) + break; + + name->length = j - i; + return j; + } + + j = MIME_skip_lws_comments(len - i, data + i); + i += (j > 0) ? j : 1; + } + + return -1; + } + +// See RFC 2045, page 12. +int MIME_is_tspecial (char ch) + { + return ch == '(' || ch == ')' || ch == '<' || ch == '>' || ch == '@' || + ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' || + ch == '/' || ch == '[' || ch == ']' || ch == '?' || ch == '='; + } + +int MIME_is_field_name_char (char ch) + { + return ch >= 33 && ch <= 126 && ch != ':'; + } + +int MIME_is_token_char (char ch) + { + return ch >= 33 && ch <= 126 && ! MIME_is_tspecial(ch); + } + +// See RFC 2045, page 12. +// A token is composed of characters that are not SPACE, CTLs or tspecials +int MIME_get_token(int len, const char* data, data_chunk_t* token) + { + int i = MIME_skip_lws_comments(len, data); + while ( i < len ) + { + int j; + + if ( MIME_is_token_char(data[i]) ) + { + token->data = (data + i); + for ( j = i; j < len; ++j ) + { + if ( ! MIME_is_token_char(data[j]) ) + break; + } + + token->length = j - i; + return j; + } + + j = MIME_skip_lws_comments(len - i, data + i); + i += (j > 0) ? 
j : 1; + } + + return -1; + } + +int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second) + { + int offset; + const char* data_start = data; + + offset = MIME_get_token(len, data, first); + if ( offset < 0 ) + { + // DEBUG_MSG("first token missing in slash token pair"); + return -1; + } + + data += offset; + len -= offset; + + offset = MIME_skip_lws_comments(len, data); + if ( offset < 0 || offset >= len || data[offset] != '/' ) + { + // DEBUG_MSG("/ not found in slash token pair"); + return -1; + } + + ++offset; + data += offset; + len -= offset; + + offset = MIME_get_token(len, data, second); + if ( offset < 0 ) + { + // DEBUG_MSG("second token missing in slash token pair"); + return -1; + } + + data += offset; + len -= offset; + + return data - data_start; + } + +// See RFC 2822, page 13. +int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str) + { + int offset = MIME_skip_lws_comments(len, data); + + len -= offset; + data += offset; + + if ( len <= 0 || *data != '"' ) + return -1; + + for ( int i = 1; i < len; ++i ) + { + switch ( data[i] ) { + case '"': + str->data = data + 1; + str->length = i - 1; + return offset + i + 1; + + case '\\': + ++i; + break; + } + } + + return -1; + } + +int MIME_get_value(int len, const char* data, BroString*& buf) + { + int offset = MIME_skip_lws_comments(len, data); + + len -= offset; + data += offset; + + if ( len > 0 && *data == '"' ) + { + data_chunk_t str; + int end = MIME_get_quoted_string(len, data, &str); + if ( end < 0 ) + return -1; + + buf = MIME_decode_quoted_pairs(str); + return offset + end; + } + + else + { + data_chunk_t str; + int end = MIME_get_token(len, data, &str); + if ( end < 0 ) + return -1; + + buf = new BroString((const u_char*)str.data, str.length, 1); + return offset + end; + } + } + +// Decode each quoted-pair: a '\' followed by a character by the +// quoted character. The decoded string is returned. 
+ +BroString* MIME_decode_quoted_pairs(data_chunk_t buf) + { + const char* data = buf.data; + char* dest = new char[buf.length+1]; + int j = 0; + for ( int i = 0; i < buf.length; ++i ) + if ( data[i] == '\\' ) + { + if ( ++i < buf.length ) + dest[j++] = data[i]; + else + { + // a trailing '\' -- don't know what + // to do with it -- ignore it. + } + } + else + dest[j++] = data[i]; + dest[j] = 0; + + return new BroString(1, (byte_vec) dest, j); + } + + +} } // namespace analyzer::* + +using namespace analyzer::mime; MIME_Multiline::MIME_Multiline() { 
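Review bot: In `MIME_get_slash_token_pair` the `offset < 0` half of `if ( offset < 0 || offset >= len || data[offset] != '/' )` is dead: `MIME_skip_lws_comments` returns either `i` or `len`, both non-negative, so the guard should read `if ( offset >= len || data[offset] != '/' )` or carry a comment saying it is deliberately defensive. The progress guard `i += (j > 0) ? j : 1;` in `MIME_get_field_name` and `MIME_get_token` deserves a why-comment, e.g. `// always advance at least one byte so malformed input cannot stall the scan`, since these scanners run over untrusted message bytes. The comment above `MIME_decode_quoted_pairs` reads awkwardly; I would write `// Replace each quoted-pair (a '\\' followed by one character) by that character; a trailing lone '\\' is dropped.` and add a line stating who owns the `new char[]` buffer handed to the BroString constructor with the leading `1` argument, which I presume means "adopt the buffer" but which this hunk does not show. Also note `get_data_chunk` became `static` on the move while its former siblings keep external linkage; if intentional, a word in MIME.h would help.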
@@ -1193,276 +1474,3 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail) } } - -int strcasecmp_n(data_chunk_t s, const char* t) - { - return strcasecmp_n(s.length, s.data, t); - } - -int is_lws(char ch) - { - return ch == 9 || ch == 32; - } - -int MIME_count_leading_lws(int len, const char* data) - { - int i; - for ( i = 0; i < len; ++i ) - if ( ! is_lws(data[i]) ) - break; - return i; - } - -int MIME_count_trailing_lws(int len, const char* data) - { - int i; - for ( i = 0; i < len; ++i ) - if ( ! is_lws(data[len - 1 - i]) ) - break; - return i; - } - -// See RFC 2822, page 11 -int MIME_skip_comments(int len, const char* data) - { - if ( len == 0 || data[0] != '(' ) - return 0; - - int par = 0; - for ( int i = 0; i < len; ++i ) - { - switch ( data[i] ) { - case '(': - ++par; - break; - - case ')': - --par; - if ( par == 0 ) - return i + 1; - break; - - case '\\': - ++i; - break; - } - } - - return len; - } - -// Skip over lws and comments, but not tspecials. Do not use this -// function in quoted-string or comments. -int MIME_skip_lws_comments(int len, const char* data) - { - int i = 0; - while ( i < len ) - { - if ( is_lws(data[i]) ) - ++i; - else - { - if ( data[i] == '(' ) - i += MIME_skip_comments(len - i, data + i); - else - return i; - } - } - - return len; - } - -int MIME_get_field_name(int len, const char* data, data_chunk_t* name) - { - int i = MIME_skip_lws_comments(len, data); - while ( i < len ) - { - int j; - if ( MIME_is_field_name_char(data[i]) ) - { - name->data = data + i; - - for ( j = i; j < len; ++j ) - if ( ! MIME_is_field_name_char(data[j]) ) - break; - - name->length = j - i; - return j; - } - - j = MIME_skip_lws_comments(len - i, data + i); - i += (j > 0) ? j : 1; - } - - return -1; - } - -// See RFC 2045, page 12. 
-int MIME_is_tspecial (char ch) - { - return ch == '(' || ch == ')' || ch == '<' || ch == '>' || ch == '@' || - ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' || - ch == '/' || ch == '[' || ch == ']' || ch == '?' || ch == '='; - } - -int MIME_is_field_name_char (char ch) - { - return ch >= 33 && ch <= 126 && ch != ':'; - } - -int MIME_is_token_char (char ch) - { - return ch >= 33 && ch <= 126 && ! MIME_is_tspecial(ch); - } - -// See RFC 2045, page 12. -// A token is composed of characters that are not SPACE, CTLs or tspecials -int MIME_get_token(int len, const char* data, data_chunk_t* token) - { - int i = MIME_skip_lws_comments(len, data); - while ( i < len ) - { - int j; - - if ( MIME_is_token_char(data[i]) ) - { - token->data = (data + i); - for ( j = i; j < len; ++j ) - { - if ( ! MIME_is_token_char(data[j]) ) - break; - } - - token->length = j - i; - return j; - } - - j = MIME_skip_lws_comments(len - i, data + i); - i += (j > 0) ? j : 1; - } - - return -1; - } - -int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second) - { - int offset; - const char* data_start = data; - - offset = MIME_get_token(len, data, first); - if ( offset < 0 ) - { - // DEBUG_MSG("first token missing in slash token pair"); - return -1; - } - - data += offset; - len -= offset; - - offset = MIME_skip_lws_comments(len, data); - if ( offset < 0 || offset >= len || data[offset] != '/' ) - { - // DEBUG_MSG("/ not found in slash token pair"); - return -1; - } - - ++offset; - data += offset; - len -= offset; - - offset = MIME_get_token(len, data, second); - if ( offset < 0 ) - { - // DEBUG_MSG("second token missing in slash token pair"); - return -1; - } - - data += offset; - len -= offset; - - return data - data_start; - } - -// See RFC 2822, page 13. 
-int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str) - { - int offset = MIME_skip_lws_comments(len, data); - - len -= offset; - data += offset; - - if ( len <= 0 || *data != '"' ) - return -1; - - for ( int i = 1; i < len; ++i ) - { - switch ( data[i] ) { - case '"': - str->data = data + 1; - str->length = i - 1; - return offset + i + 1; - - case '\\': - ++i; - break; - } - } - - return -1; - } - -int MIME_get_value(int len, const char* data, BroString*& buf) - { - int offset = MIME_skip_lws_comments(len, data); - - len -= offset; - data += offset; - - if ( len > 0 && *data == '"' ) - { - data_chunk_t str; - int end = MIME_get_quoted_string(len, data, &str); - if ( end < 0 ) - return -1; - - buf = MIME_decode_quoted_pairs(str); - return offset + end; - } - - else - { - data_chunk_t str; - int end = MIME_get_token(len, data, &str); - if ( end < 0 ) - return -1; - - buf = new BroString((const u_char*)str.data, str.length, 1); - return offset + end; - } - } - -// Decode each quoted-pair: a '\' followed by a character by the -// quoted character. The decoded string is returned. - -BroString* MIME_decode_quoted_pairs(data_chunk_t buf) - { - const char* data = buf.data; - char* dest = new char[buf.length+1]; - int j = 0; - for ( int i = 0; i < buf.length; ++i ) - if ( data[i] == '\\' ) - { - if ( ++i < buf.length ) - dest[j++] = data[i]; - else - { - // a trailing '\' -- don't know what - // to do with it -- ignore it. - } - } - else - dest[j++] = data[i]; - dest[j] = 0; - - return new BroString(1, (byte_vec) dest, j); - } diff --git a/src/MIME.h b/src/analyzer/protocols/mime/MIME.h similarity index 99% rename from src/MIME.h rename to src/analyzer/protocols/mime/MIME.h index 3f8c3281fc..d6ef2b5375 100644 --- a/src/MIME.h +++ b/src/analyzer/protocols/mime/MIME.h 
@@ -12,6 +12,8 @@ using namespace std; #include "BroString.h" #include "analyzer/Analyzer.h" +namespace analyzer { namespace mime { + // MIME: Multipurpose Internet Mail Extensions // Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME) // See related files: SMTP.h and SMTP.cc @@ -273,4 +275,6 @@ extern int MIME_get_value(int len, const char* data, BroString*& buf); extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name); extern BroString* MIME_decode_quoted_pairs(data_chunk_t buf); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/mime/Plugin.cc b/src/analyzer/protocols/mime/Plugin.cc new file mode 100644 index 0000000000..98dee2a2eb --- /dev/null +++ b/src/analyzer/protocols/mime/Plugin.cc @@ -0,0 +1,7 @@ + +#include "plugin/Plugin.h" + +BRO_PLUGIN_BEGIN(MIME) + BRO_PLUGIN_DESCRIPTION("MIME Parsing Code"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/mime/events.bif b/src/analyzer/protocols/mime/events.bif new file mode 100644 index 0000000000..e9e5f66fda --- /dev/null +++ b/src/analyzer/protocols/mime/events.bif 
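Review bot: The new `namespace analyzer { namespace mime {` is opened directly under a header-scope `using namespace std;` (visible as the hunk's context line), so every translation unit that includes MIME.h still imports all of `std`; the directive predates this commit, but wrapping the header in a namespace is the natural moment to drop it and qualify whatever `std::` names the declarations actually need. If that is out of scope here, a comment such as `// TODO: remove header-scope using namespace std` at the opening brace records the debt.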
@@ -0,0 +1,196 @@ +## Generated when starting to parse an email MIME entity. MIME is a +## protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. Bro raises this event when it +## begins parsing a MIME entity extracted from an email protocol. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data +## http_begin_entity +## +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_begin_entity` instead. +event mime_begin_entity%(c: connection%); + +## Generated when finishing parsing an email MIME entity. MIME is a +## protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. Bro raises this event when it +## finished parsing a MIME entity extracted from an email protocol. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data +## http_end_entity +## +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_end_entity` instead. +event mime_end_entity%(c: connection%); + +## Generated for individual MIME headers extracted from email MIME +## entities. MIME is a protocol-independent data format for encoding text and +## files, along with corresponding metadata, for transmission. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. 
+## +## c: The connection. +## +## h: The parsed MIME header. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_segment_data +## http_header http_all_headers +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. +event mime_one_header%(c: connection, h: mime_header_rec%); + +## Generated for MIME headers extracted from email MIME entities, passing all +## headers at once. MIME is a protocol-independent data format for encoding +## text and files, along with corresponding metadata, for transmission. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## hlist: A *table* containing all headers extracted from the current entity. +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). +## +## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## http_header http_all_headers +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. +event mime_all_headers%(c: connection, hlist: mime_header_list%); + +## Generated for chunks of decoded MIME data from email MIME entities. MIME +## is a protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. As Bro parses the data of an +## entity, it raises a sequence of these events, each coming as soon as a new +## chunk of data is available. In contrast, there is also +## :bro:id:`mime_entity_data`, which passes all of an entities data at once +## in a single block. 
While the latter is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer +## the data. Thus, if possible, this event should be preferred. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of one segment of the current entity. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data +## mime_segment_length mime_segment_overlap_length +## +## .. note:: Bro also extracts MIME data from HTTP sessions. For those, +## however, it raises :bro:id:`http_entity_data` (sic!) instead. +event mime_segment_data%(c: connection, length: count, data: string%); + +## Generated for data decoded from an email MIME entity. This event delivers +## the complete content of a single MIME entity. In contrast, there is also +## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as +## they come in. While ``mime_entity_data`` is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer the +## data. Thus, if possible, the latter should be preferred. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of the complete entity. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. 
+event mime_entity_data%(c: connection, length: count, data: string%); + +## Generated for passing on all data decoded from a single email MIME +## message. If an email message has more than one MIME entity, this event +## combines all their data into a single value for analysis. Note that because +## of the potentially significant buffering necessary, using this event can be +## expensive. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of all MIME entities concatenated. +## +## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. +event mime_all_data%(c: connection, length: count, data: string%); + +## Generated for errors found when decoding email MIME entities. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). +## +## detail: Further more detailed description of the error. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_event` instead. +event mime_event%(c: connection, event_type: string, detail: string%); + +## Generated for decoded MIME entities extracted from email messages, passing on +## their MD5 checksums. Bro computes the MD5 over the complete decoded data of +## each MIME entity. 
+## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## content_len: The length of the entity being hashed. +## +## hash_value: The MD5 hash. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. +event mime_content_hash%(c: connection, content_len: count, hash_value: string%); + diff --git a/src/analyzer/protocols/modbus/Modbus.cc b/src/analyzer/protocols/modbus/Modbus.cc index 841638cd0b..b36b916d06 100644 --- a/src/analyzer/protocols/modbus/Modbus.cc +++ b/src/analyzer/protocols/modbus/Modbus.cc @@ -2,6 +2,10 @@ #include "Modbus.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::modbus; + ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("MODBUS", c) { diff --git a/src/analyzer/protocols/modbus/Modbus.h b/src/analyzer/protocols/modbus/Modbus.h index 41b0267dc8..063014cf2b 100644 --- a/src/analyzer/protocols/modbus/Modbus.h +++ b/src/analyzer/protocols/modbus/Modbus.h @@ -4,7 +4,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "modbus_pac.h" -class ModbusTCP_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace modbus { + +class ModbusTCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: ModbusTCP_Analyzer(Connection* conn); virtual ~ModbusTCP_Analyzer(); @@ -22,4 +24,6 @@ protected: binpac::ModbusTCP::ModbusTCP_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/modbus/Plugin.cc b/src/analyzer/protocols/modbus/Plugin.cc index 9c53c8b814..ba93063560 100644 --- a/src/analyzer/protocols/modbus/Plugin.cc +++ b/src/analyzer/protocols/modbus/Plugin.cc 
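Review bot: The `mime_content_hash` documentation names the algorithm but not what the value is good for; since this runs over attacker-controlled entities, the `hash_value` line should say `hash_value: The MD5 hash of the decoded entity, computed for matching against lists of known content; MD5 is not collision-resistant, so scripts should not treat it as proof of integrity.` The `mime_all_data` entry already warns that buffering makes it expensive; `mime_entity_data` buffers a whole entity too and only says it is "less efficient", so the same resource caveat belongs there.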
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Modbus) BRO_PLUGIN_DESCRIPTION("Modbus Analyzer"); - BRO_PLUGIN_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("MODBUS", modbus::ModbusTCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/modbus/events.bif b/src/analyzer/protocols/modbus/events.bif index e69de29bb2..1cd17381ee 100644 --- a/src/analyzer/protocols/modbus/events.bif +++ b/src/analyzer/protocols/modbus/events.bif 
@@ -0,0 +1,295 @@ +## Generated for any modbus message regardless if the particular function +## is further supported or not. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## is_orig: True if the event is raised for the originator side. +event modbus_message%(c: connection, headers: ModbusHeaders, is_orig: bool%); + +## Generated for any modbus exception message. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## code: The exception code. +event modbus_exception%(c: connection, headers: ModbusHeaders, code: count%); + +## Generated for a Modbus read coils request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address where of the first coil to be read. +## +## quantity: The number of coils to be read. +event modbus_read_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read coils response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## coils: The coil values returned from the device. +event modbus_read_coils_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); + +## Generated for a Modbus read discrete inputs request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil to be read. +## +## quantity: The number of coils to be read. +event modbus_read_discrete_inputs_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read discrete inputs response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## coils: The coil values returned from the device. 
+event modbus_read_discrete_inputs_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); + +## Generated for a Modbus read holding registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register to be read. +## +## quantity: The number of registers to be read. +event modbus_read_holding_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read holding registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## registers: The register values returned from the device. +event modbus_read_holding_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); + +## Generated for a Modbus read input registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register to be read. +## +## quantity: The number of registers to be read. +event modbus_read_input_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read input registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## registers: The register values returned from the device. +event modbus_read_input_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); + +## Generated for a Modbus write single coil request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the coil to be written. +## +## value: The value to be written to the coil. +event modbus_write_single_coil_request%(c: connection, headers: ModbusHeaders, address: count, value: bool%); + +## Generated for a Modbus write single coil response. +## +## c: The connection. 
+## +## headers: The headers for the modbus function. +## +## address: The memory address of the coil that was written. +## +## value: The value that was written to the coil. +event modbus_write_single_coil_response%(c: connection, headers: ModbusHeaders, address: count, value: bool%); + +## Generated for a Modbus write single register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register to be written. +## +## value: The value to be written to the register. +event modbus_write_single_register_request%(c: connection, headers: ModbusHeaders, address: count, value: count%); + +## Generated for a Modbus write single register response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register that was written. +## +## value: The value that was written to the register. +event modbus_write_single_register_response%(c: connection, headers: ModbusHeaders, address: count, value: count%); + +## Generated for a Modbus write multiple coils request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil to be written. +## +## value: The values to be written to the coils. +event modbus_write_multiple_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils%); + +## Generated for a Modbus write multiple coils response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil that was written. +## +## quantity: The quantity of coils that were written. +event modbus_write_multiple_coils_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus write multiple registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. 
+## +## start_address: The memory address of the first register to be written. +## +## registers: The values to be written to the registers. +event modbus_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters%); + +## Generated for a Modbus write multiple registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register that was written. +## +## quantity: The quantity of registers that were written. +event modbus_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read file record request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus read file record response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus write file record request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus write file record response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. 
+event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus mask write register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register where the masks should be applied. +## +## and_mask: The value of the logical AND mask to apply to the register. +## +## or_mask: The value of the logical OR mask to apply to the register. +event modbus_mask_write_register_request%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); + +## Generated for a Modbus mask write register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register where the masks were applied. +## +## and_mask: The value of the logical AND mask applied register. +## +## or_mask: The value of the logical OR mask applied to the register. +event modbus_mask_write_register_response%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); + +## Generated for a Modbus read/write multiple registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## read_start_address: The memory address of the first register to be read. +## +## read_quantity: The number of registers to read. +## +## write_start_address: The memory address of the first register to be written. +## +## write_registers: The values to be written to the registers. +event modbus_read_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters%); + +## Generated for a Modbus read/write multiple registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## written_registers: The register values read from the registers specified in the request. 
+event modbus_read_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters%); + +## Generated for a Modbus read FIFO queue request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The address of the FIFO queue to read. +event modbus_read_fifo_queue_request%(c: connection, headers: ModbusHeaders, start_address: count%); + +## Generated for a Modbus read FIFO queue response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## fifos: The register values read from the FIFO queue on the device. +event modbus_read_fifo_queue_response%(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters%); + diff --git a/src/analyzer/protocols/modbus/modbus.pac b/src/analyzer/protocols/modbus/modbus.pac index 9148997295..28b657abc5 100644 --- a/src/analyzer/protocols/modbus/modbus.pac +++ b/src/analyzer/protocols/modbus/modbus.pac @@ -9,6 +9,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer ModbusTCP withcontext { connection: ModbusTCP_Conn; flow: ModbusTCP_Flow; diff --git a/src/analyzer/protocols/ncp/NCP.cc b/src/analyzer/protocols/ncp/NCP.cc index bdf484cad7..75b6c9f4be 100644 --- a/src/analyzer/protocols/ncp/NCP.cc +++ b/src/analyzer/protocols/ncp/NCP.cc @@ -6,7 +6,12 @@ #include #include +#include "NCP.h" + +#include "events.bif.h" + using namespace std; +using namespace analyzer::ncp; #include "NCP.h" #include "Sessions.h" 
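Review bot: Several entries in this file document a parameter or event that does not match the declaration: `modbus_write_multiple_coils_request` documents `value` but the parameter is `coils`, `modbus_mask_write_register_response` is described as `Generated for a Modbus mask write register request.` and should say `response`, and `modbus_read_write_multiple_registers_response` calls its `written_registers` parameter "the register values read from the registers specified in the request", so either the name or the text is wrong. Smaller wording slips: `start_address: The memory address where of the first coil to be read.` in `modbus_read_coils_request` (drop `where`) and `and_mask: The value of the logical AND mask applied register.` in the mask-write response (insert `to the`). The four `.. note:` directives use a single colon where the other bif files on this page use `.. note::`, which reStructuredText needs for the directive to render.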
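Review bot: The added `#include "NCP.h"` duplicates the `#include "NCP.h"` that the hunk's trailing context still shows two lines below, so one of them should go (include guards make it harmless, but it reads like a merge slip). Placing `using namespace analyzer::ncp;` before the remaining `#include` lines also means the directive is in effect while `Sessions.h` is parsed; moving it after the last include keeps header parsing independent of this file's using-directives.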
@@ -150,15 +155,15 @@ void NCP_FrameBuffer::compute_msg_length() } Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session) -: TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; resync = true; - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); if ( tcp ) resync = (orig ? tcp->OrigState() : tcp->RespState()) != - TCP_ENDPOINT_ESTABLISHED; + tcp::TCP_ENDPOINT_ESTABLISHED; } Contents_NCP_Analyzer::~Contents_NCP_Analyzer() @@ -167,9 +172,9 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer() void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); if ( tcp && tcp->HadGap(orig) ) return; @@ -208,14 +213,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_SupportAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); buffer.Reset(); resync = true; } NCP_Analyzer::NCP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("NCP", conn) +: tcp::TCP_ApplicationAnalyzer("NCP", conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); diff --git a/src/analyzer/protocols/ncp/NCP.h b/src/analyzer/protocols/ncp/NCP.h index ae54b7b9ee..0ab73707fb 100644 --- a/src/analyzer/protocols/ncp/NCP.h +++ b/src/analyzer/protocols/ncp/NCP.h @@ -23,6 +23,8 @@ #include "ncp_pac.h" +namespace analyzer { namespace ncp { + // Create a general NCP_Session class so that it can be used in // case the RPC conversation is tunneled through other connections, // e.g., through an SMB session. 
@@ -81,7 +83,7 @@ protected: void compute_msg_length(); }; -class Contents_NCP_Analyzer : public TCP_SupportAnalyzer { +class Contents_NCP_Analyzer : public tcp::TCP_SupportAnalyzer { public: Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* session); ~Contents_NCP_Analyzer(); @@ -97,7 +99,7 @@ protected: bool resync; }; -class NCP_Analyzer : public TCP_ApplicationAnalyzer { +class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: NCP_Analyzer(Connection* conn); virtual ~NCP_Analyzer(); @@ -112,4 +114,6 @@ protected: Contents_NCP_Analyzer * r_ncp; }; +} } // namespace analyzer::* + #endif /* ncp_h */ diff --git a/src/analyzer/protocols/ncp/Plugin.cc b/src/analyzer/protocols/ncp/Plugin.cc index bc52a2c065..6bfc2b70f6 100644 --- a/src/analyzer/protocols/ncp/Plugin.cc +++ b/src/analyzer/protocols/ncp/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(NCP) BRO_PLUGIN_DESCRIPTION("NCP Analyzer"); - BRO_PLUGIN_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NCP", ncp::NCP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ncp/events.bif b/src/analyzer/protocols/ncp/events.bif index e69de29bb2..9b5b7d77a7 100644 --- a/src/analyzer/protocols/ncp/events.bif +++ b/src/analyzer/protocols/ncp/events.bif 
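Review bot: The closing comment `} } // namespace analyzer::*` in the `@@ -112,4 +114,6 @@` hunk names a wildcard rather than the namespace it closes, which is exactly the information such a comment exists to give at the bottom of a header; write `} } // namespace analyzer::ncp`. The same placeholder comment appears in the NetbiosSSN.h, NTP.h, PIA.h and POP3.h hunks of this commit and should name their respective namespaces.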
@@ -0,0 +1,46 @@
+## Generated for NCP requests (Netware Core Protocol).
+##
+## See `Wikipedia `__ for
+## more information about the NCP protocol.
+##
+## c: The connection.
+##
+## frame_type: The frame type, as specified by the protocol.
+##
+## length: The length of the request body, excluding the frame header.
+##
+## func: The requested function, as specified by the protocol.
+##
+## .. bro:see:: ncp_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
+
+## Generated for NCP replies (Netware Core Protocol).
+##
+## See `Wikipedia `__ for
+## more information about the NCP protocol.
+##
+## c: The connection.
+##
+## frame_type: The frame type, as specified by the protocol.
+##
+## length: The length of the request body, excluding the frame header.
+##
+## req_frame: The frame type from the corresponding request.
+##
+## req_func: The function code from the corresponding request.
+##
+## completion_code: The reply's completion code, as specified by the protocol.
+##
+## .. bro:see:: ncp_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);
+
diff --git a/src/analyzer/protocols/ncp/ncp.pac b/src/analyzer/protocols/ncp/ncp.pac
index 86b8bca5da..d4d5734a54 100644
--- a/src/analyzer/protocols/ncp/ncp.pac
+++ b/src/analyzer/protocols/ncp/ncp.pac
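Review bot: In the `ncp_reply` documentation the `length` parameter is described as `## length: The length of the request body, excluding the frame header.`, which reads as carried over from `ncp_request` above it; for a reply event the length presumably refers to the reply body, so `## length: The length of the reply body, excluding the frame header.` would be the accurate wording if that is what the analyzer passes. Worth confirming against the value the NCP analyzer actually supplies before changing the text.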
@@ -2,6 +2,10 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer NCP withcontext {}; type ncp_request(length: uint32) = record { diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc index fd3a4f6111..01544c4b2c 100644 --- a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc @@ -9,6 +9,10 @@ #include "Sessions.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::netbios_ssn; + double netbios_ssn_session_timeout = 15.0; #define MAKE_INT16(dest, src) dest = *src; dest <<=8; src++; dest |= *src; src++; @@ -44,7 +48,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len) NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer, - SMB_Session* arg_smb_session) + smb::SMB_Session* arg_smb_session) { analyzer = arg_analyzer; smb_session = arg_smb_session; @@ -340,7 +344,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* arg_interp) -: TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; @@ -365,7 +369,7 @@ void Contents_NetbiosSSN::Flush() void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( state == NETBIOS_SSN_TYPE ) { 
@@ -455,9 +459,9 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("NETBIOS", conn) +: tcp::TCP_ApplicationAnalyzer("NETBIOS", conn) { - smb_session = new SMB_Session(this); + smb_session = new smb::SMB_Session(this); interp = new NetbiosSSN_Interpreter(this, smb_session); orig_netbios = resp_netbios = 0; did_session_done = 0; @@ -485,7 +489,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer() void NetbiosSSN_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) @@ -496,15 +500,15 @@ void NetbiosSSN_Analyzer::Done() void NetbiosSSN_Analyzer::EndpointEOF(bool orig) { - TCP_ApplicationAnalyzer::EndpointEOF(orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); (orig ? orig_netbios : resp_netbios)->Flush(); } -void NetbiosSSN_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, - TCP_Endpoint* peer, int gen_event) +void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event) { - TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); // Question: Why do we flush *both* endpoints upon connection close? // orig_netbios->Flush(); @@ -514,7 +518,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); if ( orig ) interp->ParseMessageUDP(data, len, 1); diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h index 9830d192ad..df065c4348 100644 
--- a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h @@ -7,6 +7,8 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/smb/SMB.h" +namespace analyzer { namespace netbios_ssn { + typedef enum { NETBIOS_SSN_MSG = 0x0, NETBIOS_DGM_DIRECT_UNIQUE = 0x10, @@ -62,7 +64,7 @@ struct NetbiosDGM_RawMsgHdr { class NetbiosSSN_Interpreter { public: - NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, SMB_Session* smb_session); + NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, smb::SMB_Session* smb_session); int ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, int is_query); @@ -73,17 +75,6 @@ public: void Timeout() { } - static bool any_netbios_ssn_event() - { - return netbios_session_message || - netbios_session_request || - netbios_session_accepted || - netbios_session_rejected || - netbios_session_raw_message || - netbios_session_ret_arg_resp || - netbios_session_keepalive; - } - protected: int ParseSessionMsg(const u_char* data, int len, int is_query); int ParseSessionReq(const u_char* data, int len, int is_query); @@ -109,7 +100,7 @@ protected: protected: analyzer::Analyzer* analyzer; - SMB_Session* smb_session; + smb::SMB_Session* smb_session; }; @@ -122,7 +113,7 @@ typedef enum { } NetbiosSSN_State; // ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS. -class Contents_NetbiosSSN : public TCP_SupportAnalyzer { +class Contents_NetbiosSSN : public tcp::TCP_SupportAnalyzer { public: Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* interp); @@ -148,7 +139,7 @@ protected: NetbiosSSN_State state; }; -class NetbiosSSN_Analyzer : public TCP_ApplicationAnalyzer { +class NetbiosSSN_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: NetbiosSSN_Analyzer(Connection* conn); ~NetbiosSSN_Analyzer(); 
@@ -161,14 +152,14 @@ public: { return new NetbiosSSN_Analyzer(conn); } protected: - virtual void ConnectionClosed(TCP_Endpoint* endpoint, - TCP_Endpoint* peer, int gen_event); + virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event); virtual void EndpointEOF(bool is_orig); void ExpireTimer(double t); NetbiosSSN_Interpreter* interp; - SMB_Session* smb_session; + smb::SMB_Session* smb_session; Contents_NetbiosSSN* orig_netbios; Contents_NetbiosSSN* resp_netbios; int did_session_done; @@ -177,4 +168,6 @@ protected: // FIXME: Doesn't really fit into new analyzer structure. What to do? int IsReuse(double t, const u_char* pkt); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios-ssn/Plugin.cc index b14c3a9d8f..8ed7824634 100644 --- a/src/analyzer/protocols/netbios-ssn/Plugin.cc +++ b/src/analyzer/protocols/netbios-ssn/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(NetbiosSSN) BRO_PLUGIN_DESCRIPTION("NetbiosSSN Analyzer"); - BRO_PLUGIN_ANALYZER("NetbiosSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/netbios-ssn/events.bif b/src/analyzer/protocols/netbios-ssn/events.bif index e69de29bb2..bf382e1663 100644 --- a/src/analyzer/protocols/netbios-ssn/events.bif +++ b/src/analyzer/protocols/netbios-ssn/events.bif 
@@ -0,0 +1,209 @@
+## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
+## processes the NetBIOS session service running on TCP port 139, and (despite
+## its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## msg_type: The general type of message, as defined in Section 4.3.1 of
+## `RFC 1002 `__.
+##
+## data_len: The length of the message's payload.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_raw_message netbios_session_rejected netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
+
+## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
+## analyzer processes the NetBIOS session service running on TCP port 139, and
+## (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_message netbios_session_raw_message netbios_session_rejected
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_request%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *positive session response*. Bro's
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_keepalive netbios_session_message
+## netbios_session_raw_message netbios_session_rejected netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_accepted%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *negative session response*. Bro's
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_message netbios_session_raw_message netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_rejected%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *session message* that are not
+## carrying an SMB payload.
+##
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header (i.e., the ``user_data``).
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_message netbios_session_rejected netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: This is an oddly named event. In fact, it's probably an odd event
+## to have to begin with.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
+
+## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
+## analyzer processes the NetBIOS session service running on TCP port 139, and
+## (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_message netbios_session_raw_message netbios_session_rejected
+## netbios_session_request decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: This is an oddly named event.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_ret_arg_resp%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
+## processes the NetBIOS session service running on TCP port 139, and (despite
+## its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_message
+## netbios_session_raw_message netbios_session_rejected netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_keepalive%(c: connection, msg: string%);
+
diff --git a/src/analyzer/protocols/netflow/CMakeLists.txt b/src/analyzer/protocols/netflow/CMakeLists.txt
new file mode 100644
index 0000000000..c45f410b26
--- /dev/null
+++ b/src/analyzer/protocols/netflow/CMakeLists.txt
@@ -0,0 +1,16 @@
+
+# This is not an actual analyzer, but used by the core. We still
+# maintain it here along with the other analyzers because conceptually
+# it's also parsing a protocol just like them. The current structure
+# is merely a left-over from when this code was written.
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(NetFlow)
+bro_plugin_cc(Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(netflow.pac netflow-protocol.pac netflow-analyzer.pac)
+bro_plugin_end()
+
diff --git a/src/analyzer/protocols/netflow/Plugin.cc b/src/analyzer/protocols/netflow/Plugin.cc
new file mode 100644
index 0000000000..f7c36e943a
--- /dev/null
+++ b/src/analyzer/protocols/netflow/Plugin.cc
@@ -0,0 +1,7 @@
+
+#include "plugin/Plugin.h"
+
+BRO_PLUGIN_BEGIN(NetFlow)
+ BRO_PLUGIN_DESCRIPTION("NetFlow Parsing Code");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/netflow/events.bif b/src/analyzer/protocols/netflow/events.bif
new file mode 100644
index 0000000000..69c196de9e
--- /dev/null
+++ b/src/analyzer/protocols/netflow/events.bif
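Review bot: The `netbios_session_raw_message` documentation opens its second paragraph with `## NetBIOS analyzer processes the NetBIOS session service running on TCP port`, dropping the leading `Bro's` that every sibling event in this file uses for the same sentence, so the paragraph no longer reads as a sentence; write `## Bro's NetBIOS analyzer processes the NetBIOS session service running on TCP port` (re-wrapping the following line if needed). The other six event blocks in the hunk are consistent with each other.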
@@ -0,0 +1,18 @@ +## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow header on the port it's +## listening on, or reads one from a trace file. +## +## h: The parsed NetFlow header. +## +## .. bro:see:: netflow_v5_record +event netflow_v5_header%(h: nf_v5_header%); + +## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow record on the port it's +## listening on, or reads one from a trace file. +## +## r: The parsed NetFlow record. +## +## .. bro:see:: netflow_v5_record +event netflow_v5_record%(r: nf_v5_record%); + diff --git a/src/netflow-analyzer.pac b/src/analyzer/protocols/netflow/netflow-analyzer.pac similarity index 100% rename from src/netflow-analyzer.pac rename to src/analyzer/protocols/netflow/netflow-analyzer.pac diff --git a/src/netflow-protocol.pac b/src/analyzer/protocols/netflow/netflow-protocol.pac similarity index 100% rename from src/netflow-protocol.pac rename to src/analyzer/protocols/netflow/netflow-protocol.pac diff --git a/src/netflow.pac b/src/analyzer/protocols/netflow/netflow.pac similarity index 88% rename from src/netflow.pac rename to src/analyzer/protocols/netflow/netflow.pac index 91040aadeb..57e1b71a76 100644 --- a/src/netflow.pac +++ b/src/analyzer/protocols/netflow/netflow.pac @@ -4,6 +4,8 @@ #include "net_util.h" #include "Event.h" extern RecordType* conn_id; + +#include "events.bif.h" %} %include bro.pac diff --git a/src/analyzer/protocols/ntp/NTP.cc b/src/analyzer/protocols/ntp/NTP.cc index 729edee923..b4b63d5634 100644 --- a/src/analyzer/protocols/ntp/NTP.cc +++ b/src/analyzer/protocols/ntp/NTP.cc @@ -7,6 +7,9 @@ #include "Sessions.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::ntp; NTP_Analyzer::NTP_Analyzer(Connection* conn) : Analyzer("NTP", conn) 
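Review bot: The `.. bro:see::` cross-reference under `netflow_v5_record` points at `netflow_v5_record`, the very event being documented, which renders as a self-link; it presumably meant the sibling event, so `## .. bro:see:: netflow_v5_header`. The `netflow_v5_header` block above already references `netflow_v5_record`, so with this change the two entries point at each other as intended.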
diff --git a/src/analyzer/protocols/ntp/NTP.h b/src/analyzer/protocols/ntp/NTP.h index d161b4795d..2c989da4d1 100644 --- a/src/analyzer/protocols/ntp/NTP.h +++ b/src/analyzer/protocols/ntp/NTP.h @@ -5,12 +5,13 @@ #include "analyzer/protocols/udp/UDP.h" - // The following are from the tcpdump distribution, credited there // to the U of MD implementation. #define JAN_1970 2208988800.0 /* 1970 - 1900 in seconds */ +namespace analyzer { namespace ntp { + struct l_fixedpt { unsigned int int_part; unsigned int fraction; @@ -63,4 +64,6 @@ protected: void ExpireTimer(double t); }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ntp/Plugin.cc b/src/analyzer/protocols/ntp/Plugin.cc index f2a0e487c9..8331c25dee 100644 --- a/src/analyzer/protocols/ntp/Plugin.cc +++ b/src/analyzer/protocols/ntp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(NTP) BRO_PLUGIN_DESCRIPTION("NTP Analyzer"); - BRO_PLUGIN_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NTP", ntp::NTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ntp/events.bif b/src/analyzer/protocols/ntp/events.bif index e69de29bb2..bba2dfbbe5 100644 --- a/src/analyzer/protocols/ntp/events.bif +++ b/src/analyzer/protocols/ntp/events.bif 
@@ -0,0 +1,21 @@ +## Generated for all NTP messages. Different from many other of Bro's events, +## this one is generated for both client-side and server-side messages. +## +## See `Wikipedia `__ for +## more information about the NTP protocol. +## +## u: The connection record describing the corresponding UDP flow. +## +## msg: The parsed NTP message. +## +## excess: The raw bytes of any optional parts of the NTP packet. Bro does not +## further parse any optional fields. +## +## .. bro:see:: ntp_session_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ntp_message%(u: connection, msg: ntp_msg, excess: string%); + diff --git a/src/analyzer/protocols/pia/PIA.cc b/src/analyzer/protocols/pia/PIA.cc index eb21fc7331..d5defc018e 100644 --- a/src/analyzer/protocols/pia/PIA.cc +++ b/src/analyzer/protocols/pia/PIA.cc @@ -2,6 +2,10 @@ #include "RuleMatcher.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::pia; + PIA::PIA(analyzer::Analyzer* arg_as_analyzer) { current_packet.data = 0; @@ -163,11 +167,11 @@ PIA_TCP::~PIA_TCP() void PIA_TCP::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); if ( Parent()->IsAnalyzer("TCP") ) { - TCP_Analyzer* tcp = static_cast(Parent()); + tcp::TCP_Analyzer* tcp = static_cast(Parent()); SetTCP(tcp); tcp->SetPIA(this); } @@ -223,7 +227,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip) void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( stream_buffer.state == SKIPPING ) return; 
@@ -253,7 +257,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) void PIA_TCP::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( stream_buffer.state == BUFFERING ) // We use data=nil to mark an undelivered. @@ -294,7 +298,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) // // Here's what we do: // - // (1) We create new TCP_Reassemblers and feed them the buffered + // (1) We create new tcp::TCP_Reassemblers and feed them the buffered // packets. // // (2) The reassembler will give us their results via the @@ -322,14 +326,14 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) return; } - TCP_Analyzer* tcp = (TCP_Analyzer*) Parent(); + tcp::TCP_Analyzer* tcp = (tcp::TCP_Analyzer*) Parent(); - TCP_Reassembler* reass_orig = - new TCP_Reassembler(this, tcp, TCP_Reassembler::Direct, + tcp::TCP_Reassembler* reass_orig = + new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct, true, tcp->Orig()); - TCP_Reassembler* reass_resp = - new TCP_Reassembler(this, tcp, TCP_Reassembler::Direct, + tcp::TCP_Reassembler* reass_resp = + new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct, false, tcp->Resp()); int orig_seq = 0; @@ -365,8 +369,8 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) reass_orig->AckReceived(orig_seq); reass_resp->AckReceived(resp_seq); - reass_orig->SetType(TCP_Reassembler::Forward); - reass_resp->SetType(TCP_Reassembler::Forward); + reass_orig->SetType(tcp::TCP_Reassembler::Forward); + reass_resp->SetType(tcp::TCP_Reassembler::Forward); tcp->SetReassembler(reass_orig, reass_resp); } diff --git a/src/analyzer/protocols/pia/PIA.h b/src/analyzer/protocols/pia/PIA.h index a91a516165..1d788d39a6 100644 --- a/src/analyzer/protocols/pia/PIA.h +++ b/src/analyzer/protocols/pia/PIA.h 
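Review bot: `tcp::TCP_Analyzer* tcp = (tcp::TCP_Analyzer*) Parent();` in the `@@ -322,14 +326,14 @@` hunk keeps a C-style cast while the `Init()` hunk of the same file uses `static_cast` for the identical downcast of `Parent()`; since the line is being rewritten anyway, `tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_Analyzer*>(Parent());` keeps the two consistent and greppable. The body of `ActivateAnalyzer` starts and ends outside the hunk.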
@@ -8,6 +8,8 @@ class RuleEndpointState; +namespace analyzer { namespace pia { + // Abstract PIA class providing common functionality for both TCP and UDP. // Accepts only packet input. // @@ -115,10 +117,10 @@ protected: // PIA for TCP. Accepts both packet and stream input (and reassembles // packets before passing payload on to children). -class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer { +class PIA_TCP : public PIA, public tcp::TCP_ApplicationAnalyzer { public: PIA_TCP(Connection* conn) - : PIA(this), TCP_ApplicationAnalyzer("PIA_TCP", conn) + : PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } virtual ~PIA_TCP(); @@ -169,4 +171,6 @@ private: bool stream_mode; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/pia/Plugin.cc b/src/analyzer/protocols/pia/Plugin.cc index a62e757164..2d56f80038 100644 --- a/src/analyzer/protocols/pia/Plugin.cc +++ b/src/analyzer/protocols/pia/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(PIA) BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers"); - BRO_PLUGIN_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("PIA_TCP", pia::PIA_TCP); + BRO_PLUGIN_ANALYZER("PIA_UDP", pia::PIA_UDP); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pop3/POP3.cc b/src/analyzer/protocols/pop3/POP3.cc index 6b4fda8169..7a81da1b5e 100644 --- a/src/analyzer/protocols/pop3/POP3.cc +++ b/src/analyzer/protocols/pop3/POP3.cc @@ -15,6 +15,10 @@ #include "Reporter.h" #include "analyzer/protocols/login/NVT.h" +#include "events.bif.h" + +using namespace analyzer::pop3; + #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) #cmd, @@ -26,7 +30,7 @@ static const char* pop3_cmd_word[] = { POP3_Analyzer::POP3_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("POP3", conn) +: tcp::TCP_ApplicationAnalyzer("POP3", conn) { masterState = POP3_START; subState = POP3_WOK; 
@@ -41,8 +45,8 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn) mail = 0; - AddSupportAnalyzer(new ContentLine_Analyzer(conn, true)); - AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false)); } POP3_Analyzer::~POP3_Analyzer() @@ -51,7 +55,7 @@ POP3_Analyzer::~POP3_Analyzer() void POP3_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -60,7 +64,7 @@ void POP3_Analyzer::Done() void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( (TCP() && TCP()->IsPartial()) || backOff ) return; @@ -802,7 +806,7 @@ void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::BeginData() { delete mail; - mail = new MIME_Mail(this); + mail = new mime::MIME_Mail(this); } void POP3_Analyzer::EndData() diff --git a/src/analyzer/protocols/pop3/POP3.h b/src/analyzer/protocols/pop3/POP3.h index 10dbe9d085..37620c0024 100644 --- a/src/analyzer/protocols/pop3/POP3.h +++ b/src/analyzer/protocols/pop3/POP3.h @@ -11,12 +11,13 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/login/NVT.h" -#include "MIME.h" - +#include "analyzer/protocols/mime/MIME.h" #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) POP3_CMD_##cmd, +namespace analyzer { namespace pop3 { + typedef enum { #include "POP3_cmd.def" } POP3_Cmd; @@ -60,7 +61,7 @@ typedef enum { POP3_WOK, } POP3_SubState; -class POP3_Analyzer : public TCP_ApplicationAnalyzer { +class POP3_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: POP3_Analyzer(Connection* conn); ~POP3_Analyzer(); 
@@ -103,11 +104,13 @@ protected: void POP3Event(EventHandlerPtr event, bool is_orig, const char* arg1 = 0, const char* arg2 = 0); - MIME_Mail* mail; + mime::MIME_Mail* mail; list cmds; private: bool backOff; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/pop3/Plugin.cc b/src/analyzer/protocols/pop3/Plugin.cc index 5f56ade93a..056cb36682 100644 --- a/src/analyzer/protocols/pop3/Plugin.cc +++ b/src/analyzer/protocols/pop3/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(POP3) BRO_PLUGIN_DESCRIPTION("POP3 Analyzer"); - BRO_PLUGIN_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("POP3", pop3::POP3_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pop3/events.bif b/src/analyzer/protocols/pop3/events.bif index e69de29bb2..7692c61f6b 100644 --- a/src/analyzer/protocols/pop3/events.bif +++ b/src/analyzer/protocols/pop3/events.bif 
@@ -0,0 +1,172 @@
+## Generated for client-side commands on POP3 connections.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## command: The command sent.
+##
+## arg: The argument to the command.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+## pop3_terminate pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_request%(c: connection, is_orig: bool,
+ command: string, arg: string%);
+
+## Generated for server-side replies to commands on POP3 connections.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## cmd: The success indicator sent by the server. This corresponds to the
+## first token on the line sent, and should be either ``OK`` or ``ERR``.
+##
+## msg: The textual description the server sent along with *cmd*.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
+## pop3_terminate pop3_unexpected
+##
+## .. todo:: This event is receiving odd parameters, should unify.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
+
+## Generated for server-side multi-line responses on POP3 connections. POP3
+## connections use multi-line responses to send bulk data, such as the actual
+## mails. This event is generated once for each line that's part of such a
+## response.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the data was sent by the originator of the TCP connection.
+##
+## data: The data sent.
+##
+## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
+## pop3_terminate pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_data%(c: connection, is_orig: bool, data: string%);
+
+## Generated for errors encountered on POP3 sessions. If the POP3 analyzer
+## finds state transitions that do not conform to the protocol specification,
+## or other situations it can't handle, it raises this event.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the data was sent by the originator of the TCP connection.
+##
+## msg: A textual description of the situation.
+##
+## detail: The input that triggered the event.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+## pop3_terminate
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_unexpected%(c: connection, is_orig: bool,
+ msg: string, detail: string%);
+
+## Generated when a POP3 connection goes encrypted. While POP3 is by default a
+## clear-text protocol, extensions exist to switch to encryption. This event is
+## generated if that happens and the analyzer then stops processing the
+## connection.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## msg: A descriptive message why processing was stopped.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+## pop3_unexpected
+##
+## .. note:: Currently, only the ``STARTLS`` command is recognized and
+## triggers this.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
+
+## Generated for successful authentications on POP3 connections.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## user: The user name used for authentication. The event is only generated if
+## a non-empty user name was used.
+##
+## password: The password used for authentication.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request pop3_terminate
+## pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_login_success%(c: connection, is_orig: bool,
+ user: string, password: string%);
+
+## Generated for unsuccessful authentications on POP3 connections.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## user: The user name attempted for authentication. The event is only
+## generated if a non-empty user name was used.
+##
+## password: The password attempted for authentication.
+##
+## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request pop3_terminate
+## pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_login_failure%(c: connection, is_orig: bool,
+ user: string, password: string%);
+
diff --git a/src/analyzer/protocols/rpc/NFS.cc b/src/analyzer/protocols/rpc/NFS.cc
index 461ac44c4f..51d1b90691 100644
--- a/src/analyzer/protocols/rpc/NFS.cc
+++ b/src/analyzer/protocols/rpc/NFS.cc
@@ -9,6 +9,10 @@
#include "NFS.h"
#include "Event.h"
+#include "events.bif.h"
+
+using namespace analyzer::rpc;
+
int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
{
if ( c->Program() != 100003 )
diff --git a/src/analyzer/protocols/rpc/NFS.h b/src/analyzer/protocols/rpc/NFS.h
index 18acff4b37..e9e978eaa2 100644
--- a/src/analyzer/protocols/rpc/NFS.h
+++ b/src/analyzer/protocols/rpc/NFS.h
@@ -7,6 +7,8 @@
#include "XDR.h"
#include "Event.h"
+namespace analyzer { namespace rpc {
+
class NFS_Interp : public RPC_Interpreter {
public:
NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
@@ -80,4 +82,6 @@ public:
};
+} } // namespace analyzer::*
+
#endif
diff --git a/src/analyzer/protocols/rpc/Plugin.cc b/src/analyzer/protocols/rpc/Plugin.cc
index 25c958859b..23f5d0e667 100644
--- a/src/analyzer/protocols/rpc/Plugin.cc
+++ b/src/analyzer/protocols/rpc/Plugin.cc
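Review bot: The `password` parameter of `pop3_login_success` and `pop3_login_failure` carries the cleartext credential observed on the wire, but its doc line, `## password: The password used for authentication.`, says nothing about handling it, and script authors routinely wire event parameters straight into logs. A sentence on both events along the lines of `## password: The password used for authentication. This is the cleartext credential seen on the wire; handlers should avoid writing it to logs.` would state the sensitivity where it is read. The `pop3_terminate` note names ``STARTLS``, which looks like a misspelling; confirm against POP3_cmd.def whether the recognized command is ``STLS`` or ``STARTTLS`` and spell it as the analyzer does.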
@@ -7,8 +7,8 @@ BRO_PLUGIN_BEGIN(RPC) BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols"); - BRO_PLUGIN_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NFS", rpc::NFS_Analyzer); + BRO_PLUGIN_ANALYZER("PORTMAPPER", rpc::Portmapper_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_RPC"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NFS"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/rpc/Portmap.cc b/src/analyzer/protocols/rpc/Portmap.cc index 9bebd0f8a6..f57d9a915c 100644 --- a/src/analyzer/protocols/rpc/Portmap.cc +++ b/src/analyzer/protocols/rpc/Portmap.cc @@ -7,6 +7,10 @@ #include "Portmap.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::rpc; + #define PMAPPROC_NULL 0 #define PMAPPROC_SET 1 #define PMAPPROC_UNSET 2 diff --git a/src/analyzer/protocols/rpc/Portmap.h b/src/analyzer/protocols/rpc/Portmap.h index bf7ab30891..6aa1173f02 100644 --- a/src/analyzer/protocols/rpc/Portmap.h +++ b/src/analyzer/protocols/rpc/Portmap.h @@ -5,6 +5,8 @@ #include "RPC.h" +namespace analyzer { namespace rpc { + class PortmapperInterp : public RPC_Interpreter { public: PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } @@ -33,4 +35,6 @@ public: { return new Portmapper_Analyzer(conn); } }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/rpc/RPC.cc b/src/analyzer/protocols/rpc/RPC.cc index 2dd11c215e..ea037c227f 100644 --- a/src/analyzer/protocols/rpc/RPC.cc +++ b/src/analyzer/protocols/rpc/RPC.cc @@ -11,6 +11,10 @@ #include "RPC.h" #include "Sessions.h" +#include "events.bif.h" + +using namespace analyzer::rpc; + namespace { // local namespace const bool DEBUG_rpc_resync = false; } 
@@ -373,7 +377,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len) Contents_RPC::Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* arg_interp) - : TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) + : tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) { interp = arg_interp; state = WAIT_FOR_MESSAGE; @@ -385,7 +389,7 @@ Contents_RPC::Contents_RPC(Connection* conn, bool orig, void Contents_RPC::Init() { - TCP_SupportAnalyzer::Init(); + tcp::TCP_SupportAnalyzer::Init(); } Contents_RPC::~Contents_RPC() @@ -394,7 +398,7 @@ Contents_RPC::~Contents_RPC() void Contents_RPC::Undelivered(int seq, int len, bool orig) { - TCP_SupportAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); NeedResync(); } @@ -413,12 +417,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) // is fully established we are in sync (since it's the first chunk // of data after the SYN if its not established we need to // resync. - TCP_Analyzer* tcp = - static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = + static_cast(Parent())->TCP(); assert(tcp); if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) != - TCP_ENDPOINT_ESTABLISHED ) + tcp::TCP_ENDPOINT_ESTABLISHED ) { NeedResync(); } @@ -578,7 +582,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); uint32 marker; bool last_frag; @@ -675,7 +679,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp) -: TCP_ApplicationAnalyzer(name, conn) +: tcp::TCP_ApplicationAnalyzer(name, conn) { interp = arg_interp; 
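Review bot: In the CheckResync hunk the pointer obtained from `static_cast(Parent())->TCP()` is guarded only by `assert(tcp);` before `tcp->OrigState()` / `tcp->RespState()` is called; in a build that defines NDEBUG the assert vanishes and a null return is dereferenced, so if `TCP()` can legitimately return null here an explicit check that returns from CheckResync would be the robust form, and if it cannot, a comment stating that invariant would save the next reader the question. The cast's template argument also appears to have been lost in this rendering; it presumably reads `static_cast<tcp::TCP_SupportAnalyzer*>` (or a sibling type) in the file, so it is worth confirming the `tcp::` qualification was applied inside the angle brackets as well. CheckResync begins and ends outside the hunk.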
@@ -692,7 +696,7 @@ RPC_Analyzer::~RPC_Analyzer() void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); len = min(len, caplen); if ( orig ) @@ -709,7 +713,7 @@ void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void RPC_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); } diff --git a/src/analyzer/protocols/rpc/RPC.h b/src/analyzer/protocols/rpc/RPC.h index da39e9f220..504f2eb194 100644 --- a/src/analyzer/protocols/rpc/RPC.h +++ b/src/analyzer/protocols/rpc/RPC.h @@ -6,6 +6,8 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/udp/UDP.h" +namespace analyzer { namespace rpc { + enum { RPC_CALL = 0, RPC_REPLY = 1, @@ -176,7 +178,7 @@ protected: }; /* Support Analyzer for reassembling RPC-over-TCP messages */ -class Contents_RPC : public TCP_SupportAnalyzer { +class Contents_RPC : public tcp::TCP_SupportAnalyzer { public: Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* interp); virtual ~Contents_RPC(); @@ -222,7 +224,7 @@ protected: int resync_toskip; }; -class RPC_Analyzer : public TCP_ApplicationAnalyzer { +class RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp); @@ -242,4 +244,6 @@ protected: Contents_RPC* resp_rpc; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/rpc/XDR.cc b/src/analyzer/protocols/rpc/XDR.cc index 96d855ddbd..981a982716 100644 --- a/src/analyzer/protocols/rpc/XDR.cc +++ b/src/analyzer/protocols/rpc/XDR.cc 
@@ -6,7 +6,11 @@ #include "XDR.h" -uint32 extract_XDR_uint32(const u_char*& buf, int& len) +#include "events.bif.h" + +using namespace analyzer::rpc; + +uint32 analyzer::rpc::extract_XDR_uint32(const u_char*& buf, int& len) { if ( ! buf ) return 0; @@ -26,7 +30,7 @@ uint32 extract_XDR_uint32(const u_char*& buf, int& len) return bits32; } -uint64 extract_XDR_uint64(const u_char*& buf, int& len) +uint64 analyzer::rpc::extract_XDR_uint64(const u_char*& buf, int& len) { if ( ! buf || len < 8 ) { @@ -40,7 +44,7 @@ uint64 extract_XDR_uint64(const u_char*& buf, int& len) return (uhi << 32) + ulo; } -double extract_XDR_time(const u_char*& buf, int& len) +double analyzer::rpc::extract_XDR_time(const u_char*& buf, int& len) { if ( ! buf || len < 8 ) { @@ -54,7 +58,7 @@ double extract_XDR_time(const u_char*& buf, int& len) return double(uhi) + double(ulo) / 1e9; } -const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok) +const u_char* analyzer::rpc::extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok) { n = int(extract_XDR_uint32(buf, len)); if ( ! buf ) @@ -78,7 +82,7 @@ const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_l return opaque; } -const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n) +const u_char* analyzer::rpc::extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n) { if ( ! buf ) return 0; @@ -97,7 +101,7 @@ const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n) } -uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len) +uint32 analyzer::rpc::skip_XDR_opaque_auth(const u_char*& buf, int& len) { uint32 auth_flavor = extract_XDR_uint32(buf, len); if ( ! buf ) diff --git a/src/analyzer/protocols/rpc/XDR.h b/src/analyzer/protocols/rpc/XDR.h index 65192d6067..2f4a7d59e4 100644 --- a/src/analyzer/protocols/rpc/XDR.h +++ b/src/analyzer/protocols/rpc/XDR.h 
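Review bot: XDR.cc now carries both `using namespace analyzer::rpc;` and fully qualified definitions such as `uint32 analyzer::rpc::extract_XDR_uint32(const u_char*& buf, int& len)`; the qualification is what places the definitions in the namespace (an unqualified definition under a using-directive would declare new global functions), and inside a qualified definition unqualified names already resolve within `analyzer::rpc`, so the directive adds nothing in this file. The added `#include "events.bif.h"` likewise has no visible use in these hunks, which contain only XDR decoding. Either drop both, or wrap the definitions in `namespace analyzer { namespace rpc { ... } }` and drop the per-function qualification, whichever matches the rest of the commit. Unrelated to the rename, `n = int(extract_XDR_uint32(buf, len));` in extract_XDR_opaque narrows a wire-controlled 32-bit length into a signed int; the comparison against `max_len` lies outside the hunk, so confirm it rejects a negative `n` rather than relying on `n > max_len` alone.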
@@ -8,6 +8,8 @@ #include "util.h" +namespace analyzer { namespace rpc { + extern uint32 extract_XDR_uint32(const u_char*& buf, int& len); extern uint64 extract_XDR_uint64(const u_char*& buf, int& len); extern double extract_XDR_time(const u_char*& buf, int& len); @@ -16,4 +18,6 @@ extern const u_char* extract_XDR_opaque(const u_char*& buf, int& len, extern const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n); extern uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/rpc/events.bif b/src/analyzer/protocols/rpc/events.bif index e69de29bb2..f0050ab446 100644 --- a/src/analyzer/protocols/rpc/events.bif +++ b/src/analyzer/protocols/rpc/events.bif 
@@ -0,0 +1,728 @@ +## Generated for NFSv3 request/reply dialogues of type *null*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_null%(c: connection, info: NFS3::info_t%); + +## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## fh: TODO. +## +## attrs: The attributes returned in the reply. The values may not be valid if +## the request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply file_mode +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); + +## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *read*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. 
+## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir +## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply +## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## fh: The file handle passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *write*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call +## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only +## NFS3::return_data_max +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *create*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. 
See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *remove*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. 
+## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
+
+## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
+## analyzer does not implement.
+##
+## NFS is a service running on top of RPC. See `Wikipedia
+## `__ for more
+## information about the service.
+##
+## c: The RPC connection.
+##
+## info: Reports the status of the dialogue, along with some meta information.
+##
+## proc: The procedure called that Bro does not implement.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
+## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
+
+## Generated for each NFSv3 reply message received, reporting just the
+## status included.
+##
+## n: The connection.
+##
+## info: Reports the status included in the reply.
+##
+## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event nfs_reply_status%(n: connection, info: NFS3::info_t%);
+
+## Generated for Portmapper requests of type *null*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+## pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_request_null%(r: connection%);
+
+## Generated for Portmapper request/reply dialogues of type *set*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## m: The argument to the request.
+##
+## success: True if the request was successful, according to the corresponding
+## reply. If no reply was seen, this will be false once the request
+## times out.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+## pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
+
+## Generated for Portmapper request/reply dialogues of type *unset*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## m: The argument to the request.
+##
+## success: True if the request was successful, according to the corresponding
+## reply. If no reply was seen, this will be false once the request
+## times out.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+## pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
+
+## Generated for Portmapper request/reply dialogues of type *getport*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## pr: The argument to the request.
+##
+## p: The port returned by the server.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x.
To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
+
+## Generated for Portmapper request/reply dialogues of type *dump*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## m: The mappings returned by the server.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_request_dump%(r: connection, m: pm_mappings%);
+
+## Generated for Portmapper request/reply dialogues of type *callit*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## call: The argument to the request.
+##
+## p: The port value returned by the call.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
+
+## Generated for failed Portmapper requests of type *null*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_null%(r: connection, status: rpc_status%);
+
+## Generated for failed Portmapper requests of type *set*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## m: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
+
+## Generated for failed Portmapper requests of type *unset*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## m: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
+
+## Generated for failed Portmapper requests of type *getport*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## pr: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null
+## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x.
To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
+
+## Generated for failed Portmapper requests of type *dump*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null
+## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_dump%(r: connection, status: rpc_status%);
+
+## Generated for failed Portmapper requests of type *callit*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## call: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null
+## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x.
To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
+
+## Generated for Portmapper requests or replies that include an invalid port
+## number. Since ports are represented by unsigned 4-byte integers, they can
+## stray outside the allowed range of 0--65535 by being >= 65536. If so, this
+## event is generated.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## bad_p: The invalid port value.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit
+## pm_request_dump pm_request_getport pm_request_null pm_request_set
+## pm_request_unset rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_bad_port%(r: connection, bad_p: count%);
+
+## Generated for RPC request/reply *pairs*. The RPC analyzer associates request
+## and reply by their transaction identifiers and raises this event once both
+## have been seen. If there's not a reply, this event will still be generated
+## eventually on timeout. In that case, *status* will be set to
+## :bro:enum:`RPC_TIMEOUT`.
+##
+## See `Wikipedia `__ for more information
+## about the ONC RPC protocol.
+##
+## c: The connection.
+##
+## prog: The remote program to call.
+##
+## ver: The version of the remote program to call.
+##
+## proc: The procedure of the remote program to call.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## start_time: The time when the *call* was seen.
+##
+## call_len: The size of the *call_body* PDU.
+##
+## reply_len: The size of the *reply_body* PDU.
+##
+## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+## dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to add a
+## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
+
+## Generated for RPC *call* messages.
+##
+## See `Wikipedia `__ for more information
+## about the ONC RPC protocol.
+##
+## c: The connection.
+##
+## xid: The transaction identifier allowing to match requests with replies.
+##
+## prog: The remote program to call.
+##
+## ver: The version of the remote program to call.
+##
+## proc: The procedure of the remote program to call.
+##
+## call_len: The size of the *call_body* PDU.
+##
+## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+## dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to add a
+## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
+
+## Generated for RPC *reply* messages.
+##
+## See `Wikipedia `__ for more information
+## about the ONC RPC protocol.
+##
+## c: The connection.
+##
+## xid: The transaction identifier allowing to match requests with replies.
+## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## reply_len: The size of the *reply_body* PDU. +## +## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); diff --git a/src/analyzer/protocols/smb/Plugin.cc b/src/analyzer/protocols/smb/Plugin.cc index 543638faf4..2f83460984 100644 --- a/src/analyzer/protocols/smb/Plugin.cc +++ b/src/analyzer/protocols/smb/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(SMB) BRO_PLUGIN_DESCRIPTION("SMB Analyzer"); - BRO_PLUGIN_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SMB", smb::SMB_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/smb/SMB.cc b/src/analyzer/protocols/smb/SMB.cc index 24cbf2dc1a..798e2bfd1f 100644 --- a/src/analyzer/protocols/smb/SMB.cc +++ b/src/analyzer/protocols/smb/SMB.cc @@ -6,6 +6,10 @@ #include "Val.h" #include "Reporter.h" +#include "events.bif.h" + +using namespace analyzer::smb; + namespace { const bool DEBUG_smb_ipc = true; } @@ -1093,7 +1097,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) if ( LooksLikeRPC(data_count, data) ) { if ( ! dce_rpc_session ) - dce_rpc_session = new DCE_RPC_Session(analyzer); + dce_rpc_session = new dce_rpc::DCE_RPC_Session(analyzer); dce_rpc_session->DeliverPDU(is_orig, data_count, data); 
@@ -1104,7 +1108,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) } Contents_SMB::Contents_SMB(Connection* conn, bool orig, SMB_Session* s) -: TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) { smb_session = s; msg_buf = 0; @@ -1145,7 +1149,7 @@ void Contents_SMB::DeliverSMB(int len, const u_char* data) void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); while ( len > 0 ) { @@ -1221,7 +1225,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) } SMB_Analyzer::SMB_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SMB", conn) +: tcp::TCP_ApplicationAnalyzer("SMB", conn) { smb_session = new SMB_Session(this); o_smb = new Contents_SMB(conn, true, smb_session); diff --git a/src/analyzer/protocols/smb/SMB.h b/src/analyzer/protocols/smb/SMB.h index 83f3811010..0b67c96710 100644 --- a/src/analyzer/protocols/smb/SMB.h +++ b/src/analyzer/protocols/smb/SMB.h @@ -10,6 +10,8 @@ #include "analyzer/protocols/dce-rpc/DCE_RPC.h" #include "smb_pac.h" +namespace analyzer { namespace smb { + enum IPC_named_pipe { IPC_NONE, IPC_LOCATOR, @@ -44,15 +46,6 @@ public: void Deliver(int is_orig, int len, const u_char* msg); - static bool any_smb_event() - { - return smb_message || - smb_com_tree_connect_andx || - smb_com_nt_create_andx || smb_com_transaction || - smb_com_transaction2 || smb_com_read_andx || - smb_com_write_andx; - } - protected: void ParseMessage(int is_orig, int cmd, binpac::SMB::SMB_header const &hdr, @@ -159,7 +152,7 @@ protected: Val* BuildTransactionDataVal(binpac::SMB::SMB_transaction_data* data); analyzer::Analyzer* analyzer; - DCE_RPC_Session* dce_rpc_session; + dce_rpc::DCE_RPC_Session* dce_rpc_session; enum IPC_named_pipe IPC_pipe; int is_IPC; int req_cmd; 
@@ -170,7 +163,7 @@ protected: binpac::SMB::SMB_andx* andx_[2]; }; -class Contents_SMB : public TCP_SupportAnalyzer { +class Contents_SMB : public tcp::TCP_SupportAnalyzer { public: Contents_SMB(Connection* conn, bool orig, SMB_Session* smb_session); ~Contents_SMB(); @@ -190,7 +183,7 @@ protected: int buf_len; // size off msg_buf }; -class SMB_Analyzer : public TCP_ApplicationAnalyzer { +class SMB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SMB_Analyzer(Connection* conn); ~SMB_Analyzer(); @@ -204,4 +197,6 @@ protected: Contents_SMB* r_smb; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/smb/events.bif b/src/analyzer/protocols/smb/events.bif index e69de29bb2..74cb1feb77 100644 --- a/src/analyzer/protocols/smb/events.bif +++ b/src/analyzer/protocols/smb/events.bif 
@@ -0,0 +1,495 @@
+## Generated for all SMB/CIFS messages.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## is_orig: True if the message was sent by the originator of the underlying
+## transport-level connection.
+##
+## cmd: A string mnemonic of the SMB command code.
+##
+## body_length: The length of the SMB message body, i.e. the data starting after
+## the SMB header.
+##
+## body: The raw SMB message body, i.e., the data starting after the SMB header.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+## smb_get_dfs_referral
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
+
+## Generated for SMB/CIFS messages of type *tree connect andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## path: The ``path`` attribute specified in the message.
+##
+## service: The ``service`` attribute specified in the message.
+##
+## ..
bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
+
+## Generated for SMB/CIFS messages of type *tree disconnect*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *nt create andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol.
Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## name: The ``name`` attribute specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
+## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
+
+## Generated for SMB/CIFS messages of type *nt transaction*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
+## smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## ..
todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *nt transaction 2*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
+## smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction mailslot*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction rap*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+## smb_get_dfs_referral smb_message
+##
+## ..
todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction pipe*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *read andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## data: Always empty.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
+
+## Generated for SMB/CIFS messages of type *read andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## data: Always empty.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_tree_disconnect smb_error
+## smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
+
+## Generated for SMB/CIFS messages of type *get dfs referral*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## max_referral_level: The ``max_referral_level`` attribute specified in the
+## message.
+##
+## file_name: The ``filene_name`` attribute specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
+
+## Generated for SMB/CIFS messages of type *negotiate*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
+## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *negotiate response*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## dialect_index: The ``dialect`` indicated in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
+## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
+
+## Generated for SMB/CIFS messages of type *setup andx*.
+## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_setup_andx%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages of type *generic andx*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate +## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx +## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_generic_andx%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages of type *close*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate +## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx +## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_close%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages of type *logoff andx*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate +## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx +## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages that indicate an error. This event is +## triggered by an SMB header including a status that signals an error. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## cmd: The SMB command code. +## +## cmd_str: A string mnemonic of the SMB command code. +## +## data: The raw SMB message body, i.e., the data starting after the SMB header. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 +## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx +## smb_get_dfs_referral smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%); + diff --git a/src/analyzer/protocols/smb/smb.pac b/src/analyzer/protocols/smb/smb.pac index 740ad47991..1fdab27d90 100644 --- a/src/analyzer/protocols/smb/smb.pac +++ b/src/analyzer/protocols/smb/smb.pac @@ -1,6 +1,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer SMB withcontext { }; %include smb-protocol.pac 
diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocols/smtp/Plugin.cc index 6b9f7a0aeb..8a5095381d 100644 --- a/src/analyzer/protocols/smtp/Plugin.cc +++ b/src/analyzer/protocols/smtp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SMTP) BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); - BRO_PLUGIN_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/smtp/SMTP.cc b/src/analyzer/protocols/smtp/SMTP.cc index c674c120ec..7bbb7ec69e 100644 --- a/src/analyzer/protocols/smtp/SMTP.cc +++ b/src/analyzer/protocols/smtp/SMTP.cc @@ -10,6 +10,10 @@ #include "Reporter.h" #include "analyzer/protocols/tcp/ContentLine.h" +#include "events.bif.h" + +using namespace analyzer::smtp; + #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) #cmd, @@ -21,7 +25,7 @@ static const char* smtp_cmd_word[] = { SMTP_Analyzer::SMTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SMTP", conn) +: tcp::TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = 0; expect_recver = 1; @@ -40,12 +44,12 @@ SMTP_Analyzer::SMTP_Analyzer(Connection* conn) line_after_gap = 0; mail = 0; UpdateState(first_cmd, 0); - ContentLine_Analyzer* cl_orig = new ContentLine_Analyzer(conn, true); + tcp::ContentLine_Analyzer* cl_orig = new tcp::ContentLine_Analyzer(conn, true); cl_orig->SetIsNULSensitive(true); cl_orig->SetSkipPartial(true); AddSupportAnalyzer(cl_orig); - ContentLine_Analyzer* cl_resp = new ContentLine_Analyzer(conn, false); + tcp::ContentLine_Analyzer* cl_resp = new tcp::ContentLine_Analyzer(conn, false); cl_resp->SetIsNULSensitive(true); cl_resp->SetSkipPartial(true); AddSupportAnalyzer(cl_resp); 
@@ -53,7 +57,7 @@ SMTP_Analyzer::SMTP_Analyzer(Connection* conn) void SMTP_Analyzer::ConnectionFinished(int half_finished) { - TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); if ( ! half_finished && mail ) EndData(); @@ -66,7 +70,7 @@ SMTP_Analyzer::~SMTP_Analyzer() void SMTP_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -74,7 +78,7 @@ void SMTP_Analyzer::Done() void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( len <= 0 ) return; @@ -107,7 +111,7 @@ void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig) void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // NOTE: do not use IsOrig() here, because of TURN command. int is_sender = orig_is_sender ? orig : ! orig; @@ -868,7 +872,7 @@ void SMTP_Analyzer::BeginData() delete mail; } - mail = new MIME_Mail(this); + mail = new mime::MIME_Mail(this); } void SMTP_Analyzer::EndData() diff --git a/src/analyzer/protocols/smtp/SMTP.h b/src/analyzer/protocols/smtp/SMTP.h index d525fb11af..02322f09c7 100644 --- a/src/analyzer/protocols/smtp/SMTP.h +++ b/src/analyzer/protocols/smtp/SMTP.h @@ -7,12 +7,13 @@ using namespace std; #include "analyzer/protocols/tcp/TCP.h" -#include "MIME.h" - +#include "analyzer/protocols/mime/MIME.h" #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) SMTP_CMD_##cmd, +namespace analyzer { namespace smtp { + typedef enum { #include "SMTP_cmd.def" } SMTP_Cmd; 
@@ -35,7 +36,7 @@ typedef enum { } SMTP_State; -class SMTP_Analyzer : public TCP_ApplicationAnalyzer { +class SMTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SMTP_Analyzer(Connection* conn); ~SMTP_Analyzer(); @@ -87,7 +88,9 @@ protected: BroString* line_after_gap; // last line before the first reply // after a gap - MIME_Mail* mail; + mime::MIME_Mail* mail; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/smtp/events.bif b/src/analyzer/protocols/smtp/events.bif index e69de29bb2..4a376bcbf8 100644 --- a/src/analyzer/protocols/smtp/events.bif +++ b/src/analyzer/protocols/smtp/events.bif 
@@ -0,0 +1,100 @@
+## Generated for client-side SMTP commands.
+##
+## See `Wikipedia `__
+## for more information about the SMTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the sender of the command is the originator of the TCP
+## connection. Note that this is not redundant: the SMTP ``TURN`` command
+## allows client and server to flip roles on established SMTP sessions,
+## and hence a "request" might still come from the TCP-level responder.
+## In practice, however, that will rarely happen as TURN is considered
+## insecure and rarely used.
+##
+## command: The request's command, without any arguments.
+##
+## arg: The request command's arguments.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+## smtp_data smtp_reply
+##
+## .. note:: Bro does not support the newer ETRN extension yet.
+event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
+
+## Generated for server-side SMTP commands.
+##
+## See `Wikipedia `__
+## for more information about the SMTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the sender of the command is the originator of the TCP
+## connection. Note that this is not redundant: the SMTP ``TURN`` command
+## allows client and server to flip roles on established SMTP sessions,
+## and hence a "reply" might still come from the TCP-level originator. In
+## practice, however, that will rarely happen as TURN is considered
+## insecure and rarely used.
+##
+## code: The reply's numerical code.
+##
+## cmd: TODO.
+##
+## msg: The reply's textual description.
+##
+## cont_resp: True if the reply line is tagged as being continued to the next
+## line. If so, further events will be raised and a handler may want to
+## reassemble the pieces before processing the response any further.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+## smtp_data smtp_request
+##
+## .. note:: Bro doesn't support the newer ETRN extension yet.
+event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
+
+## Generated for DATA transmitted on SMTP sessions. This event is raised for
+## subsequent chunks of raw data following the ``DATA`` SMTP command until the
+## corresponding end marker ``.`` is seen. A handler may want to reassemble
+## the pieces as they come in if stream-analysis is required.
+##
+## See `Wikipedia `__
+## for more information about the SMTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the sender of the data is the originator of the TCP
+## connection.
+##
+## data: The raw data. Note that the size of each chunk is undefined and
+## depends on specifics of the underlying TCP connection.
+##
+## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+## smtp_reply smtp_request skip_smtp_data
+##
+## .. note:: This event receives the unprocessed raw data. There is a separate
+## set of ``mime_*`` events that strip out the outer MIME-layer of emails and
+## provide structured access to their content.
+event smtp_data%(c: connection, is_orig: bool, data: string%);
+
+## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks
+## the state of SMTP sessions and reports commands and other activity with this
+## event that it sees even though it would not expect so at the current point
+## of the communication.
+##
+## See `Wikipedia `__
+## for more information about the SMTP protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the sender of the unexpected activity is the originator of
+## the TCP connection.
+## +## msg: A descriptive message of what was unexpected. +## +## detail: The actual SMTP line triggering the event. +## +## .. bro:see:: smtp_data smtp_request smtp_reply +event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); diff --git a/src/analyzer/protocols/socks/Plugin.cc b/src/analyzer/protocols/socks/Plugin.cc index 080a8329de..3c849e6e23 100644 --- a/src/analyzer/protocols/socks/Plugin.cc +++ b/src/analyzer/protocols/socks/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SOCKS) BRO_PLUGIN_DESCRIPTION("SOCKS Analyzer"); - BRO_PLUGIN_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SOCKS", socks::SOCKS_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/socks/SOCKS.cc b/src/analyzer/protocols/socks/SOCKS.cc index 25ebf9796e..dab464abf7 100644 --- a/src/analyzer/protocols/socks/SOCKS.cc +++ b/src/analyzer/protocols/socks/SOCKS.cc @@ -2,8 +2,12 @@ #include "socks_pac.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::socks; + SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SOCKS", conn) +: tcp::TCP_ApplicationAnalyzer("SOCKS", conn) { interp = new binpac::SOCKS::SOCKS_Conn(this); orig_done = resp_done = false; @@ -25,7 +29,7 @@ void SOCKS_Analyzer::EndpointDone(bool orig) void SOCKS_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -33,13 +37,13 @@ void SOCKS_Analyzer::Done() void SOCKS_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); 
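Review bot: `smtp_reply` ships with its `cmd` parameter documented only as `cmd: TODO.`, so script writers receive a value with no stated contract; the TURN discussion under `is_orig` suggests it is the command of the request this reply answers, but that should be confirmed against SMTP.cc rather than guessed. A hedged wording until then: `## cmd: The request command this reply is answering, as tracked by the analyzer (confirm against SMTP.cc).` It would also help handlers to say explicitly that `code`, `msg` and the `smtp_data` chunks are taken verbatim from the peer's bytes and may be arbitrary, e.g. `## msg: The reply's textual description, exactly as sent by the server (untrusted input).`, in the same spirit as the `smtp_data` note about unprocessed raw data.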
@@ -57,7 +61,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) if ( ! pia ) { - pia = new PIA_TCP(Conn()); + pia = new pia::PIA_TCP(Conn()); AddChildAnalyzer(pia); pia->FirstPacket(true, 0); pia->FirstPacket(false, 0); @@ -80,7 +84,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocols/socks/SOCKS.h b/src/analyzer/protocols/socks/SOCKS.h index 8abdfe3a3f..7aed5c02a3 100644 --- a/src/analyzer/protocols/socks/SOCKS.h +++ b/src/analyzer/protocols/socks/SOCKS.h @@ -12,8 +12,9 @@ namespace binpac { } } +namespace analyzer { namespace socks { -class SOCKS_Analyzer : public TCP_ApplicationAnalyzer { +class SOCKS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SOCKS_Analyzer(Connection* conn); ~SOCKS_Analyzer(); @@ -33,8 +34,10 @@ protected: bool orig_done; bool resp_done; - PIA_TCP *pia; + pia::PIA_TCP *pia; binpac::SOCKS::SOCKS_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/socks/events.bif b/src/analyzer/protocols/socks/events.bif index e69de29bb2..4f1f8ad1cd 100644 --- a/src/analyzer/protocols/socks/events.bif +++ b/src/analyzer/protocols/socks/events.bif 
@@ -0,0 +1,29 @@ +## Generated when a SOCKS request is analyzed. +## +## c: The parent connection of the proxy. +## +## version: The version of SOCKS this message used. +## +## request_type: The type of the request. +## +## sa: Address that the tunneled traffic should be sent to. +## +## p: The destination port for the proxied traffic. +## +## user: Username given for the SOCKS connection. This is not yet implemented +## for SOCKSv5. +event socks_request%(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string%); + +## Generated when a SOCKS reply is analyzed. +## +## c: The parent connection of the proxy. +## +## version: The version of SOCKS this message used. +## +## reply: The status reply from the server. +## +## sa: The address that the server sent the traffic to. +## +## p: The destination port for the proxied traffic. +event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%); + diff --git a/src/analyzer/protocols/socks/socks.pac b/src/analyzer/protocols/socks/socks.pac index 15d3580674..a9c4099508 100644 --- a/src/analyzer/protocols/socks/socks.pac +++ b/src/analyzer/protocols/socks/socks.pac @@ -3,6 +3,8 @@ %extern{ #include "SOCKS.h" + +#include "events.bif.h" %} analyzer SOCKS withcontext { @@ -21,4 +23,4 @@ flow SOCKS_Flow(is_orig: bool) { datagram = SOCKS_Version(is_orig) withcontext(connection, this); }; -%include socks-analyzer.pac \ No newline at end of file +%include socks-analyzer.pac diff --git a/src/analyzer/protocols/ssh/Plugin.cc b/src/analyzer/protocols/ssh/Plugin.cc index 76603220d3..57acbe222c 100644 --- a/src/analyzer/protocols/ssh/Plugin.cc +++ b/src/analyzer/protocols/ssh/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SSH) BRO_PLUGIN_DESCRIPTION("SSH Analyzer"); - BRO_PLUGIN_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
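Review bot: `socks_request`'s `user` parameter says the value is "not yet implemented for SOCKSv5" without stating what a handler actually receives in that case, so scripts cannot distinguish "no username was sent" from "not parsed"; the doc should name the placeholder, e.g. `## user: Username given for the SOCKS connection. Not yet extracted for SOCKSv5, in which case the string is empty (confirm against socks-analyzer.pac).` Similarly, `sa` and `p` in `socks_request` are the destination the client asked for rather than anything the analyzer has verified, which is worth one sentence since handlers commonly log them as the tunnel's endpoint: `## sa: Address that the tunneled traffic should be sent to, as requested by the client.`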
diff --git a/src/analyzer/protocols/ssh/SSH.cc b/src/analyzer/protocols/ssh/SSH.cc index 3b89422d5a..c2ff9a066c 100644 --- a/src/analyzer/protocols/ssh/SSH.cc +++ b/src/analyzer/protocols/ssh/SSH.cc @@ -9,15 +9,19 @@ #include "Event.h" #include "analyzer/protocols/tcp/ContentLine.h" +#include "events.bif.h" + +using namespace analyzer::ssh; + SSH_Analyzer::SSH_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("SSH", c) +: tcp::TCP_ApplicationAnalyzer("SSH", c) { - orig = new ContentLine_Analyzer(c, true); + orig = new tcp::ContentLine_Analyzer(c, true); orig->SetSkipPartial(true); orig->SetCRLFAsEOL(LF_as_EOL); AddSupportAnalyzer(orig); - resp = new ContentLine_Analyzer(c, false); + resp = new tcp::ContentLine_Analyzer(c, false); resp->SetSkipPartial(true); resp->SetCRLFAsEOL(LF_as_EOL); AddSupportAnalyzer(resp); @@ -25,7 +29,7 @@ SSH_Analyzer::SSH_Analyzer(Connection* c) void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); // We're all done processing this endpoint - flag it as such, // before we even determine whether we have any event generation @@ -38,7 +42,7 @@ void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( TCP() ) { // Don't try to parse version if there has already been a gap. - TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp(); + tcp::TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp(); if ( endp->HadGap() ) return; } diff --git a/src/analyzer/protocols/ssh/SSH.h b/src/analyzer/protocols/ssh/SSH.h index d3cda5f2f5..644444136d 100644 --- a/src/analyzer/protocols/ssh/SSH.h +++ b/src/analyzer/protocols/ssh/SSH.h 
@@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" -class SSH_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ssh { + +class SSH_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SSH_Analyzer(Connection* conn); @@ -16,8 +18,10 @@ public: { return new SSH_Analyzer(conn); } private: - ContentLine_Analyzer* orig; - ContentLine_Analyzer* resp; + tcp::ContentLine_Analyzer* orig; + tcp::ContentLine_Analyzer* resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ssh/events.bif b/src/analyzer/protocols/ssh/events.bif index e69de29bb2..9d73f5e483 100644 --- a/src/analyzer/protocols/ssh/events.bif +++ b/src/analyzer/protocols/ssh/events.bif 
@@ -0,0 +1,38 @@ +## Generated when seeing an SSH client's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## client sent. +## +## +## See `Wikipedia `__ for more +## information about the SSH protocol. +## +## c: The connection. +## +## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`). +## +## .. bro:see:: ssh_server_version +## +## .. note:: As everything after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. +event ssh_client_version%(c: connection, version: string%); + +## Generated when seeing an SSH server's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## server sent. +## +## See `Wikipedia `__ for more +## information about the SSH protocol. +## +## c: The connection. +## +## version: The version string the server sent (e.g., +## ``SSH-1.99-OpenSSH_3.9p1``). +## +## .. bro:see:: ssh_client_version +## +## .. note:: As everything coming after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. +event ssh_server_version%(c: connection, version: string%); + diff --git a/src/analyzer/protocols/ssl/Plugin.cc b/src/analyzer/protocols/ssl/Plugin.cc index 743401896d..6fe3308818 100644 --- a/src/analyzer/protocols/ssl/Plugin.cc +++ b/src/analyzer/protocols/ssl/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SSL) BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); - BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ssl/SSL.cc b/src/analyzer/protocols/ssl/SSL.cc index deec34e5d9..cf41f273f6 100644 --- a/src/analyzer/protocols/ssl/SSL.cc 
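Review bot: The `version` example in `ssh_client_version` uses single backticks (`SSH-2.0-libssh-0.11`) while `ssh_server_version` uses the double-backtick literal form; in reStructuredText single backticks are interpreted text, not a literal, so the two render differently and the client example should read ``SSH-2.0-libssh-0.11``. There is also a doubled empty `##` line before the "See Wikipedia" paragraph in the client event that the server event does not have. Because both banners are sent in clear text before any authentication, a handler that fingerprints software from them should be told they are freely chosen by the peer; a line such as `## The string is reported exactly as sent by the peer and is not verified.` under each `version:` entry would make that explicit.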
+++ b/src/analyzer/protocols/ssl/SSL.cc @@ -4,8 +4,12 @@ #include "Reporter.h" #include "util.h" +#include "events.bif.h" + +using namespace analyzer::ssl; + SSL_Analyzer::SSL_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("SSL", c) +: tcp::TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); had_gap = false; @@ -18,7 +22,7 @@ SSL_Analyzer::~SSL_Analyzer() void SSL_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -26,13 +30,13 @@ void SSL_Analyzer::Done() void SSL_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -55,7 +59,7 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SSL_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h index 1d451a40ef..b8d6f20db1 100644 --- a/src/analyzer/protocols/ssl/SSL.h +++ b/src/analyzer/protocols/ssl/SSL.h @@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "ssl_pac.h" -class SSL_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ssl { + +class SSL_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SSL_Analyzer(Connection* conn); virtual ~SSL_Analyzer(); 
@@ -16,7 +18,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void Undelivered(int seq, int len, bool orig); - // Overriden from TCP_ApplicationAnalyzer. + // Overriden from tcp::TCP_ApplicationAnalyzer. virtual void EndpointEOF(bool is_orig); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) @@ -35,4 +37,6 @@ protected: }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ssl/ssl-defs.pac b/src/analyzer/protocols/ssl/ssl-defs.pac index 4f715bbddd..c35fc56e85 100644 --- a/src/analyzer/protocols/ssl/ssl-defs.pac +++ b/src/analyzer/protocols/ssl/ssl-defs.pac @@ -3,6 +3,8 @@ %extern{ #include using std::string; + +#include "events.bif.h" %} enum ContentType { diff --git a/src/analyzer/protocols/ssl/ssl.pac b/src/analyzer/protocols/ssl/ssl.pac index 150dc222cb..4a32227088 100644 --- a/src/analyzer/protocols/ssl/ssl.pac +++ b/src/analyzer/protocols/ssl/ssl.pac @@ -5,13 +5,13 @@ # - ssl-analyzer.pac: contains the SSL analyzer code # - ssl-record-layer.pac: describes the SSL record layer -%extern{ - #include "events.bif.h" -%} - %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer SSL withcontext { connection: SSL_Conn; flow: SSL_Flow; diff --git a/src/analyzer/protocols/stepping-stone/Plugin.cc b/src/analyzer/protocols/stepping-stone/Plugin.cc index 18bfa41063..748c5fac5f 100644 --- a/src/analyzer/protocols/stepping-stone/Plugin.cc +++ b/src/analyzer/protocols/stepping-stone/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SteppingStone) BRO_PLUGIN_DESCRIPTION("SteppingStone Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("STEPPINGSTONE", stepping_stone::SteppingStone_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.cc b/src/analyzer/protocols/stepping-stone/SteppingStone.cc index f2f4561de6..2b25a2e080 100644 
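Review bot: The comment line this hunk rewrites keeps a misspelling: `// Overriden from tcp::TCP_ApplicationAnalyzer.` should read `// Overridden from tcp::TCP_ApplicationAnalyzer.`. The `static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)` factory below it is kept although the SSL Plugin.cc hunk now registers `ssl::SSL_Analyzer` directly; if the new `BRO_PLUGIN_ANALYZER` form no longer calls it, it is dead code, which I cannot confirm from this hunk.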
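Review bot: After this change `events.bif.h` is included from two `%extern{}` blocks of the same analyzer: the one added here in ssl-defs.pac and the one ssl.pac moves below `%include bro.pac`. Both land in the generated C++, so this is harmless only if the generated header carries an include guard; otherwise one of the two has to go, and ssl.pac's placement after the framework includes looks like the intended one. The syslog.pac hunk makes the same move without a second include, so the ssl-defs.pac addition is the odd one out.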
--- a/src/analyzer/protocols/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.cc @@ -11,7 +11,11 @@ #include "SteppingStone.h" #include "util.h" -SteppingStoneEndpoint::SteppingStoneEndpoint(TCP_Endpoint* e, SteppingStoneManager* m) +#include "events.bif.h" + +using namespace analyzer::stepping_stone; + +SteppingStoneEndpoint::SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m) { endp = e; stp_max_top_seq = 0; @@ -157,7 +161,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) } SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("STEPPINGSTONE", c) +: tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { stp_manager = sessions->GetSTPManager(); @@ -167,7 +171,7 @@ SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) void SteppingStone_Analyzer::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager); @@ -178,7 +182,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); if ( is_orig ) @@ -190,7 +194,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( is_orig ) { @@ -209,7 +213,7 @@ void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, void SteppingStone_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); orig_endp->Done(); resp_endp->Done(); 
diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.h b/src/analyzer/protocols/stepping-stone/SteppingStone.h index cbf22e7715..f818a0ee70 100644 --- a/src/analyzer/protocols/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.h @@ -8,6 +8,8 @@ class NetSessions; +namespace analyzer { namespace stepping_stone { + class SteppingStoneEndpoint; class SteppingStoneManager; @@ -16,7 +18,7 @@ declare(PDict,SteppingStoneEndpoint); class SteppingStoneEndpoint : public BroObj { public: - SteppingStoneEndpoint(TCP_Endpoint* e, SteppingStoneManager* m); + SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m); ~SteppingStoneEndpoint(); void Done(); @@ -27,7 +29,7 @@ protected: void Event(EventHandlerPtr f, int id1, int id2 = -1); void CreateEndpEvent(int is_orig); - TCP_Endpoint* endp; + tcp::TCP_Endpoint* endp; int stp_max_top_seq; double stp_last_time; double stp_resume_time; @@ -43,7 +45,7 @@ protected: PDict(SteppingStoneEndpoint) stp_outbound_endps; }; -class SteppingStone_Analyzer : public TCP_ApplicationAnalyzer { +class SteppingStone_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SteppingStone_Analyzer(Connection* c); virtual ~SteppingStone_Analyzer() {}; @@ -85,4 +87,6 @@ protected: int endp_cnt; }; +} } // namespace analyzer::* + #endif /* steppingstone_h */ diff --git a/src/analyzer/protocols/stepping-stone/events.bif b/src/analyzer/protocols/stepping-stone/events.bif index e69de29bb2..8d578eba64 100644 --- a/src/analyzer/protocols/stepping-stone/events.bif +++ b/src/analyzer/protocols/stepping-stone/events.bif 
@@ -0,0 +1,17 @@ +## Deprecated. Will be removed. +event stp_create_endp%(c: connection, e: int, is_orig: bool%); + +# ##### Internal events. Not further documented. + +## Event internal to the stepping stone detector. +event stp_resume_endp%(e: int%); + +## Event internal to the stepping stone detector. +event stp_correlate_pair%(e1: int, e2: int%); + +## Event internal to the stepping stone detector. +event stp_remove_pair%(e1: int, e2: int%); + +## Event internal to the stepping stone detector. +event stp_remove_endp%(e: int%); + diff --git a/src/analyzer/protocols/syslog/Plugin.cc b/src/analyzer/protocols/syslog/Plugin.cc index 8560ee7c48..f5d955942b 100644 --- a/src/analyzer/protocols/syslog/Plugin.cc +++ b/src/analyzer/protocols/syslog/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Syslog) BRO_PLUGIN_DESCRIPTION("Syslog Analyzer (UDP-only currently)"); - BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SYSLOG", syslog::Syslog_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/syslog/Syslog.cc b/src/analyzer/protocols/syslog/Syslog.cc index 94ca996cce..e1667ea38b 100644 --- a/src/analyzer/protocols/syslog/Syslog.cc +++ b/src/analyzer/protocols/syslog/Syslog.cc @@ -2,6 +2,10 @@ #include "Syslog.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::syslog; + Syslog_Analyzer::Syslog_Analyzer(Connection* conn) : Analyzer("SYSLOG", conn) { 
@@ -45,35 +49,35 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int // t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); // } -//Syslog_TCP_Analyzer::Syslog_TCP_Analyzer(Connection* conn) -//: TCP_ApplicationAnalyzer(conn) +//Syslog_tcp::TCP_Analyzer::Syslog_tcp::TCP_Analyzer(Connection* conn) +//: tcp::TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } -//Syslog_TCP_Analyzer::~Syslog_TCP_Analyzer() +//Syslog_tcp::TCP_Analyzer::~Syslog_tcp::TCP_Analyzer() // { // delete interp; // } -//void Syslog_TCP_Analyzer::Done() +//void Syslog_tcp::TCP_Analyzer::Done() // { -// TCP_ApplicationAnalyzer::Done(); +// tcp::TCP_ApplicationAnalyzer::Done(); // // interp->FlowEOF(true); // interp->FlowEOF(false); // } -//void Syslog_TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) +//void Syslog_tcp::TCP_Analyzer::EndpointEOF(tcp::TCP_Reassembler* endp) // { -// TCP_ApplicationAnalyzer::EndpointEOF(endp); +// tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp); // interp->FlowEOF(endp->IsOrig()); // } -//void Syslog_TCP_Analyzer::DeliverStream(int len, const u_char* data, +//void Syslog_tcp::TCP_Analyzer::DeliverStream(int len, const u_char* data, // bool orig) // { -// TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); +// tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); // // assert(TCP()); // @@ -84,8 +88,8 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int // interp->NewData(orig, data, data + len); // } -//void Syslog_TCP_Analyzer::Undelivered(int seq, int len, bool orig) +//void Syslog_tcp::TCP_Analyzer::Undelivered(int seq, int len, bool orig) // { -// TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); +// tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); // } diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h index 32b7b3439a..391c5115b3 100644 
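Review bot: The namespace substitution was applied textually inside the commented-out TCP variant and corrupted its identifiers: every `Syslog_TCP_Analyzer` became `Syslog_tcp::TCP_Analyzer`, which is not a valid name, so this reference code can no longer be uncommented as-is. The same replacement hit the class declaration in the Syslog.h hunk @@ -29,21 +31,23 @@, e.g. `//class Syslog_tcp::TCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {`. Either restore `Syslog_TCP_Analyzer` while keeping the `tcp::` qualifiers on the base class and on `tcp::TCP_Reassembler`, or drop the dead block altogether since version control retains it.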
--- a/src/analyzer/protocols/syslog/Syslog.h +++ b/src/analyzer/protocols/syslog/Syslog.h @@ -7,6 +7,8 @@ #include "syslog_pac.h" +namespace analyzer { namespace syslog { + class Syslog_Analyzer : public analyzer::Analyzer { public: Syslog_Analyzer(Connection* conn); @@ -29,21 +31,23 @@ protected: // #include "Syslog_tcp_pac.h" // -//class Syslog_TCP_Analyzer : public TCP_ApplicationAnalyzer { +//class Syslog_tcp::TCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { //public: -// Syslog_TCP_Analyzer(Connection* conn); -// virtual ~Syslog_TCP_Analyzer(); +// Syslog_tcp::TCP_Analyzer(Connection* conn); +// virtual ~Syslog_tcp::TCP_Analyzer(); // // virtual void Done(); // virtual void DeliverStream(int len, const u_char* data, bool orig); // virtual void Undelivered(int seq, int len, bool orig); -// virtual void EndpointEOF(TCP_Reassembler* endp); +// virtual void EndpointEOF(tcp::TCP_Reassembler* endp); // // static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) -// { return new Syslog_TCP_Analyzer(conn); } +// { return new Syslog_tcp::TCP_Analyzer(conn); } // //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; //}; // +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/syslog/syslog.pac b/src/analyzer/protocols/syslog/syslog.pac index 5e7176da2a..2c1fdd10d0 100644 --- a/src/analyzer/protocols/syslog/syslog.pac +++ b/src/analyzer/protocols/syslog/syslog.pac @@ -1,11 +1,11 @@ -%extern{ - #include "events.bif.h" -%} - %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer Syslog withcontext { connection: Syslog_Conn; flow: Syslog_Flow; diff --git a/src/analyzer/protocols/tcp/ContentLine.cc b/src/analyzer/protocols/tcp/ContentLine.cc index bcfca4ecc6..c1738ccc64 100644 --- a/src/analyzer/protocols/tcp/ContentLine.cc +++ b/src/analyzer/protocols/tcp/ContentLine.cc 
@@ -3,6 +3,10 @@ #include "ContentLine.h" #include "analyzer/protocols/tcp/TCP.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) : TCP_SupportAnalyzer("CONTENTLINE", conn, orig) { diff --git a/src/analyzer/protocols/tcp/ContentLine.h b/src/analyzer/protocols/tcp/ContentLine.h index e83251d43d..ca48393cb4 100644 --- a/src/analyzer/protocols/tcp/ContentLine.h +++ b/src/analyzer/protocols/tcp/ContentLine.h @@ -5,6 +5,8 @@ #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace tcp { + #define CR_as_EOL 1 #define LF_as_EOL 2 @@ -104,4 +106,6 @@ protected: unsigned int skip_partial:1; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocols/tcp/Plugin.cc index d76789bf30..defb0b330d 100644 --- a/src/analyzer/protocols/tcp/Plugin.cc +++ b/src/analyzer/protocols/tcp/Plugin.cc @@ -5,8 +5,8 @@ BRO_PLUGIN_BEGIN(TCP) BRO_PLUGIN_DESCRIPTION("TCP Analyzer"); - BRO_PLUGIN_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("TCPStats", TCPStats_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("TCP", tcp::TCP_Analyzer); + BRO_PLUGIN_ANALYZER("TCPStats", tcp::TCPStats_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/tcp/Stats.cc b/src/analyzer/protocols/tcp/Stats.cc index 6157d54537..b5337fa2db 100644 --- a/src/analyzer/protocols/tcp/Stats.cc +++ b/src/analyzer/protocols/tcp/Stats.cc @@ -2,6 +2,10 @@ #include "Stats.h" #include "File.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + TCPStateStats::TCPStateStats() { for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocols/tcp/Stats.h index 01c95620ce..42c03ab321 100644 --- a/src/analyzer/protocols/tcp/Stats.h +++ b/src/analyzer/protocols/tcp/Stats.h 
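Review bot: `#define CR_as_EOL 1` and `#define LF_as_EOL 2` now sit inside `namespace analyzer { namespace tcp {`, but the preprocessor ignores namespaces, so both names stay global and the placement implies a scoping that does not exist. The `ENDIAN_BIG` … `ENDIAN_CONFUSED` macros in the TCP_Endpoint.h hunk @@ -157,4 +160,6 @@ are in the same position. If namespacing them is intended, `const int CR_as_EOL = 1;` in the style of `const int STOP_ON_GAP = 1;` from TCP_Reassembler.h (or an enum) would actually scope them; otherwise a one-line comment such as `// Preprocessor constants: not namespaced.` above them would avoid the misreading.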
@@ -4,6 +4,8 @@ #include "TCP_Endpoint.h" +namespace analyzer { namespace tcp { + // A TCPStateStats object tracks the distribution of TCP states for // the currently active connections. class TCPStateStats { @@ -64,4 +66,6 @@ private: unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1]; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/TCP.cc b/src/analyzer/protocols/tcp/TCP.cc index 66bf9d2a83..23de51642b 100644 --- a/src/analyzer/protocols/tcp/TCP.cc +++ b/src/analyzer/protocols/tcp/TCP.cc @@ -11,6 +11,10 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + namespace { // local namespace const bool DEBUG_tcp_data_sent = false; const bool DEBUG_tcp_connection_close = false; @@ -954,7 +958,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip) { if ( is_orig && ! (first_packet_seen & ORIG) ) { - PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); + pia::PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= ORIG; @@ -962,7 +966,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip) if ( ! is_orig && ! (first_packet_seen & RESP) ) { - PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); + pia::PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= RESP; diff --git a/src/analyzer/protocols/tcp/TCP.h b/src/analyzer/protocols/tcp/TCP.h index ee89cef8e4..6b0b9e8637 100644 --- a/src/analyzer/protocols/tcp/TCP.h +++ b/src/analyzer/protocols/tcp/TCP.h 
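Review bot: Both hunks in `TCP_Analyzer::CheckPIA_FirstPacket` keep an unchecked `static_cast` from the `analyzer::pia::PIA*` returned by `Conn()->GetPrimaryPIA()` down to `pia::PIA_TCP*`; that is only sound if a TCP_Analyzer's connection can never carry a non-TCP primary PIA, an invariant the cast neither states nor verifies. A comment on the assignment such as `// Primary PIA of a TCP connection is always a PIA_TCP.` would record the assumption, or `dynamic_cast` (assuming PIA is polymorphic) would let the existing `if ( pia )` guard catch a violation. The two branches differ only in the ORIG/RESP flag, and the function body continues outside these hunks.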
@@ -14,11 +14,14 @@ // - TCP_Analyzer is the analyzer for the TCP protocol itself.
 // - TCP_ApplicationAnalyzer is an abstract base class for analyzers for a
 // protocol running on top of TCP.
+//
+namespace analyzer { namespace pia { class PIA_TCP; } };
-class PIA_TCP;
+namespace analyzer { namespace tcp {
+
+class TCP_Endpoint;
 class TCP_ApplicationAnalyzer;
 class TCP_Reassembler;
-class TCP_Endpoint;
 class TCP_Flags {
 public:
@@ -94,7 +97,7 @@ public:
 protected:
 friend class TCP_ApplicationAnalyzer;
 friend class TCP_Reassembler;
- friend class PIA_TCP;
+ friend class analyzer::pia::PIA_TCP;
 // Analyzer interface.
 virtual void Init();
@@ -223,7 +226,7 @@ protected:
 void ConnectionReset();
 void PacketWithRST();
- void SetReassembler(TCP_Reassembler* rorig, TCP_Reassembler* rresp);
+ void SetReassembler(tcp::TCP_Reassembler* rorig, tcp::TCP_Reassembler* rresp);
 Val* BuildSYNPacketVal(int is_orig, const IP_Hdr* ip, const struct tcphdr* tcp);
@@ -356,7 +359,7 @@ protected:
 int endian_type;
 };
-class TCPStats_Analyzer : public TCP_ApplicationAnalyzer {
+class TCPStats_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 TCPStats_Analyzer(Connection* c);
 ~TCPStats_Analyzer();
@@ -375,4 +378,6 @@ protected:
 TCPStats_Endpoint* resp_stats;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.cc b/src/analyzer/protocols/tcp/TCP_Endpoint.cc
index adb2c101d4..922c52693a 100644
--- a/src/analyzer/protocols/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocols/tcp/TCP_Endpoint.cc
@@ -9,6 +9,10 @@
 #include "File.h"
 #include "Val.h"
+#include "events.bif.h"
+
+using namespace analyzer::tcp;
+
 TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig)
 {
 contents_processor = 0;
diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.h b/src/analyzer/protocols/tcp/TCP_Endpoint.h
index 52a757b256..6cc2fefebf 100644
--- a/src/analyzer/protocols/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocols/tcp/TCP_Endpoint.h
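Review bot: `namespace analyzer { namespace pia { class PIA_TCP; } };` carries a stray semicolon after the closing brace; it is an empty declaration that C++11 compilers accept but pedantic builds warn about, so write `namespace analyzer { namespace pia { class PIA_TCP; } }`. In the later hunks of this file the `tcp::` qualifier on `void SetReassembler(tcp::TCP_Reassembler* rorig, tcp::TCP_Reassembler* rresp);` and on `class TCPStats_Analyzer : public tcp::TCP_ApplicationAnalyzer {` is redundant now that both declarations sit inside `namespace analyzer { namespace tcp {`, and it reads inconsistently next to the unqualified `friend class TCP_Reassembler;`; the unqualified form is enough.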
@@ -5,6 +5,14 @@ #include "IPAddr.h" +class Connection; +class IP_Hdr; + +namespace analyzer { namespace tcp { + +class TCP_Analyzer; +class TCP_Reassembler; + typedef enum { TCP_ENDPOINT_INACTIVE, // no SYN (or other packets) seen for this side TCP_ENDPOINT_SYN_SENT, // SYN seen, but no ack @@ -16,11 +24,6 @@ typedef enum { TCP_ENDPOINT_RESET // RST seen } EndpointState; -class Connection; -class TCP_Reassembler; -class IP_Hdr; -class TCP_Analyzer; - // One endpoint of a TCP connection. class TCP_Endpoint { public: @@ -157,4 +160,6 @@ protected: #define ENDIAN_BIG 2 #define ENDIAN_CONFUSED 3 +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.cc b/src/analyzer/protocols/tcp/TCP_Reassembler.cc index 5bfd536a10..e54a1494af 100644 --- a/src/analyzer/protocols/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocols/tcp/TCP_Reassembler.cc @@ -8,6 +8,10 @@ // Only needed for gap_report events. #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + // Note, sequence numbers are relative. I.e., they start with 1. // TODO: The Reassembler should start using 64 bit ints for keeping track of diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.h b/src/analyzer/protocols/tcp/TCP_Reassembler.h index 410aa7cbbc..ab6eb97b70 100644 --- a/src/analyzer/protocols/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocols/tcp/TCP_Reassembler.h @@ -13,8 +13,10 @@ class BroFile; class Connection; + +namespace analyzer { namespace tcp { + class TCP_Analyzer; -namespace analyzer { class Analyzer; } const int STOP_ON_GAP = 1; const int PUNT_ON_PARTIAL = 1; @@ -26,7 +28,7 @@ public: Forward, // forward to destination analyzer's children }; - TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, + TCP_Reassembler(Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp); 
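Review bot: The forward declaration `namespace analyzer { class Analyzer; }` is removed while `Analyzer*` is still used unqualified in the `TCP_Reassembler(Analyzer* arg_dst_analyzer, ...)` signature two lines below; inside `analyzer::tcp` that name resolves to `analyzer::Analyzer` only if a header included above this hunk already declares it, which I cannot see from here. If the old line existed because this header does not include analyzer/Analyzer.h, the removal turns an explicit dependency into an accidental one; keeping `class Analyzer;` right after the `namespace analyzer {` opener restores it at no cost.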
@@ -34,7 +36,7 @@ public:
 void Done();
- void SetDstAnalyzer(analyzer::Analyzer* analyzer) { dst_analyzer = analyzer; }
+ void SetDstAnalyzer(Analyzer* analyzer) { dst_analyzer = analyzer; }
 void SetType(Type arg_type) { type = arg_type; }
 TCP_Analyzer* GetTCPAnalyzer() { return tcp_analyzer; }
@@ -69,6 +71,8 @@ public:
 // Skip up to seq, as if there's a content gap.
 // Can be used to skip HTTP data for performance considerations.
 void SkipToSeq(int seq);
+} } // namespace analyzer::*
+
 #endif
 int DataSent(double t, int seq, int len, const u_char* data,
@@ -95,6 +99,8 @@ public:
 #ifdef ENABLE_SEQ_TO_SKIP
 bool IsSkippedContents(int seq, int length) const { return seq + length <= seq_to_skip; }
+} } // namespace analyzer::*
+
 #endif
 private:
@@ -125,11 +131,13 @@ private:
 BroFile* record_contents_file; // file on which to reassemble contents
- analyzer::Analyzer* dst_analyzer;
+ Analyzer* dst_analyzer;
 TCP_Analyzer* tcp_analyzer;
 Type type;
 bool is_orig;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/tcp/events.bif b/src/analyzer/protocols/tcp/events.bif
index e69de29bb2..05a280024d 100644
--- a/src/analyzer/protocols/tcp/events.bif
+++ b/src/analyzer/protocols/tcp/events.bif
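Review bot: The namespace closer was inserted in front of every `#endif` in this header, but the `#endif` in hunk @@ -69,6 +71,8 @@ and the one in hunk @@ -95,6 +99,8 @@ terminate `#ifdef ENABLE_SEQ_TO_SKIP` blocks inside the class body, not the include guard. With ENABLE_SEQ_TO_SKIP defined, each added `} } // namespace analyzer::*` closes `class TCP_Reassembler` and both namespaces in the middle of the class and the header no longer compiles; without it the preprocessor strips those lines, which is why a default build would not notice. Only the closer in hunk @@ -125,11 +131,13 @@, before the include-guard `#endif`, belongs; delete the other two together with the blank `+` line that follows each.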
@@ -0,0 +1,289 @@ + +## Generated when reassembly starts for a TCP connection. This event is raised +## at the moment when Bro's TCP analyzer enables stream reassembly for a +## connection. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_pending connection_rejected connection_reset connection_reused +## connection_state_remove connection_status_update connection_timeout +## expected_connection_seen new_connection partial_connection +event new_connection_contents%(c: connection%); + +## Generated for an unsuccessful connection attempt. This event is raised when +## an originator unsuccessfully attempted to establish a connection. +## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds +## having elapsed since the originator first sent a connection establishment +## packet to the destination without seeing a reply. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_established +## connection_external connection_finished connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_attempt%(c: connection%); + +## Generated when a SYN-ACK packet is seen in response to a SYN packet during +## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may +## or may not occur later, one way to tell is to check the *history* field of +## :bro:type:`connection` to see if the originator sent an ACK, indicated by +## 'A' in the history string. +## +## c: The connection. +## +## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_external connection_finished connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_established%(c: connection%); + +## Generated for a new active TCP connection if Bro did not see the initial +## handshake. This event is raised when Bro has observed traffic from each +## endpoint, but the activity did not begin with the usual connection +## establishment. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_pending connection_rejected connection_reset connection_reused +## connection_state_remove connection_status_update connection_timeout +## expected_connection_seen new_connection new_connection_contents +## +event partial_connection%(c: connection%); + +## Generated when a previously inactive endpoint attempts to close a TCP +## connection via a normal FIN handshake or an abort RST sequence. When the +## endpoint sent one of these packets, Bro waits +## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give +## the other endpoint a chance to close the connection normally. +## +## c: The connection. +## +## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_partial_close%(c: connection%); + +## Generated for a TCP connection that finished normally. The event is raised +## when a regular FIN handshake from both endpoints was observed. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_finished%(c: connection%); + +## Generated when one endpoint of a TCP connection attempted to gracefully close +## the connection, but the other endpoint is in the TCP_INACTIVE state. This can +## happen due to split routing, in which Bro only sees one side of a connection. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_half_finished%(c: connection%); + +## Generated for a rejected TCP connection. 
This event is raised when an +## originator attempted to setup a TCP connection but the responder replied +## with a RST packet denying it. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_pending connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +## +## c: The connection. +## +## .. note:: +## +## If the responder does not respond at all, :bro:id:`connection_attempt` is +## raised instead. If the responder initially accepts the connection but +## aborts it later, Bro first generates :bro:id:`connection_established` +## and then :bro:id:`connection_reset`. +event connection_rejected%(c: connection%); + +## Generated when an endpoint aborted a TCP connection. The event is raised +## when one endpoint of an established TCP connection aborted by sending a RST +## packet. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_pending connection_rejected connection_reused +## connection_state_remove connection_status_update connection_timeout +## expected_connection_seen new_connection new_connection_contents +## partial_connection +event connection_reset%(c: connection%); + +## Generated for each still-open TCP connection when Bro terminates. +## +## c: The connection. +## +## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection bro_done +event connection_pending%(c: connection%); + +## Generated for a SYN packet. Bro raises this event for every SYN packet seen +## by its TCP analyzer. +## +## c: The connection. +## +## pkt: Information extracted from the SYN packet. +## +## .. bro:see:: connection_EOF connection_attempt connection_established +## connection_external connection_finished connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +## +## .. note:: +## +## This event has quite low-level semantics and can potentially be expensive +## to generate. It should only be used if one really needs the specific +## information passed into the handler via the ``pkt`` argument. If not, +## handling one of the other ``connection_*`` events is typically the +## better approach. +event connection_SYN_packet%(c: connection, pkt: SYN_packet%); + +## Generated for the first ACK packet seen for a TCP connection from +## its *originator*. +## +## c: The connection. +## +## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +## +## .. note:: +## +## This event has quite low-level semantics and should be used only rarely. +event connection_first_ACK%(c: connection%); + +## Generated at the end of reassembled TCP connections. The TCP reassembler +## raised the event once for each endpoint of a connection when it finished +## reassembling the corresponding side of the communication. +## +## c: The connection. +## +## is_orig: True if the event is raised for the originator side. +## +## .. bro:see:: connection_SYN_packet connection_attempt connection_established +## connection_external connection_finished connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_EOF%(c: connection, is_orig: bool%); + +## Generated for every TCP packet. This is a very low-level and expensive event +## that should be avoided when at all possible. It's usually infeasible to +## handle when processing even medium volumes of traffic in real-time. It's +## slightly better than :bro:id:`new_packet` because it affects only TCP, but +## not much. That said, if you work from a trace and want to do some +## packet-level analysis, it may come in handy. +## +## c: The connection the packet is part of. +## +## is_orig: True if the packet was sent by the connection's originator. +## +## flags: A string with the packet's TCP flags. 
In the string, each character +## corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN; +## ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH. +## +## seq: The packet's TCP sequence number. +## +## ack: The packet's ACK number. +## +## len: The length of the TCP payload, as specified in the packet header. +## +## payload: The raw TCP payload. Note that this may be shorter than *len* if +## the packet was not fully captured. +## +## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit +event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); + +## Generated for each option found in a TCP header. Like many of the ``tcp_*`` +## events, this is a very low-level event and potentially expensive as it may +## be raised very often. +## +## c: The connection the packet is part of. +## +## is_orig: True if the packet was sent by the connection's originator. +## +## opt: The numerical option number, as found in the TCP header. +## +## optlen: The length of the options value. +## +## .. bro:see:: tcp_packet tcp_contents tcp_rexmit +## +## .. note:: There is currently no way to get the actual option value, if any. +event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); + +## Generated for each chunk of reassembled TCP payload. When content delivery is +## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`, +## :bro:id:`tcp_content_delivery_ports_resp`, +## :bro:id:`tcp_content_deliver_all_orig`, +## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk +## of in-order payload reconstructed from the packet stream. Note that this +## event is potentially expensive if many connections carry significant amounts +## of data as then all that data needs to be passed on to the scripting layer. +## +## c: The connection the payload is part of. +## +## is_orig: True if the packet was sent by the connection's originator. 
+## +## seq: The sequence number corresponding to the first byte of the payload +## chunk. +## +## contents: The raw payload, which will be non-empty. +## +## .. bro:see:: tcp_packet tcp_option tcp_rexmit +## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp +## tcp_content_deliver_all_resp tcp_content_deliver_all_orig +## +## .. note:: +## +## The payload received by this event is the same that is also passed into +## application-layer protocol analyzers internally. Subsequent invocations of +## this event for the same connection receive non-overlapping in-order chunks +## of its TCP payload stream. It is however undefined what size each chunk +## has; while Bro passes the data on as soon as possible, specifics depend on +## network-level effects such as latency, acknowledgements, reordering, etc. +event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); + +## TODO. +event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); + diff --git a/src/analyzer/protocols/teredo/Plugin.cc b/src/analyzer/protocols/teredo/Plugin.cc index 9fc0fa4e7a..1ea1c03238 100644 --- a/src/analyzer/protocols/teredo/Plugin.cc +++ b/src/analyzer/protocols/teredo/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Teredo) BRO_PLUGIN_DESCRIPTION("Teredo Analyzer"); - BRO_PLUGIN_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("TEREDO", teredo::Teredo_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/teredo/Teredo.cc b/src/analyzer/protocols/teredo/Teredo.cc index 88ed6d582e..d81f90d840 100644 --- a/src/analyzer/protocols/teredo/Teredo.cc +++ b/src/analyzer/protocols/teredo/Teredo.cc @@ -5,6 +5,10 @@ #include "IP.h" #include "Reporter.h" +#include "events.bif.h" + +using namespace analyzer::teredo; + void Teredo_Analyzer::Done() { Analyzer::Done(); 
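Review bot: `event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);` is documented only as `## TODO.`, while every other event in this file describes its trigger and each parameter; at minimum the six parameters need `name: description` entries in the format the `tcp_packet` block uses, plus a `.. bro:see::` line back to `tcp_packet tcp_option tcp_contents`, all of which already reference `tcp_rexmit`. In the `connection_rejected` block the `## c: The connection.` line sits after the `.. bro:see::` list rather than before it as in every other event here, so the generated docs will show the parameter out of place. The `partial_connection` block also ends with a stray empty `##` line after its see-also list.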
diff --git a/src/analyzer/protocols/teredo/Teredo.h b/src/analyzer/protocols/teredo/Teredo.h index f8cc0a15d7..b202a6e729 100644 --- a/src/analyzer/protocols/teredo/Teredo.h +++ b/src/analyzer/protocols/teredo/Teredo.h @@ -5,6 +5,8 @@ #include "NetVar.h" #include "Reporter.h" +namespace analyzer { namespace teredo { + class Teredo_Analyzer : public analyzer::Analyzer { public: Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), @@ -89,4 +91,6 @@ protected: const Teredo_Analyzer* analyzer; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/teredo/events.bif b/src/analyzer/protocols/teredo/events.bif index e69de29bb2..62bc7d06cd 100644 --- a/src/analyzer/protocols/teredo/events.bif +++ b/src/analyzer/protocols/teredo/events.bif 
@@ -0,0 +1,55 @@
+## Generated for any IPv6 packet encapsulated in a Teredo tunnel.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event teredo_packet%(outer: connection, inner: teredo_hdr%);
+
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo authentication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event teredo_authentication%(outer: connection, inner: teredo_hdr%);
+
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo origin indication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_packet teredo_authentication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
+
+## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated
+## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event teredo_bubble%(outer: connection, inner: teredo_hdr%);
+
diff --git a/src/analyzer/protocols/udp/Plugin.cc b/src/analyzer/protocols/udp/Plugin.cc
index 1a9b462013..a013c55a87 100644
--- a/src/analyzer/protocols/udp/Plugin.cc
+++ b/src/analyzer/protocols/udp/Plugin.cc
@@ -5,6 +5,6 @@
 BRO_PLUGIN_BEGIN(UDP)
 BRO_PLUGIN_DESCRIPTION("UDP Analyzer");
- BRO_PLUGIN_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("UDP", udp::UDP_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/udp/UDP.cc b/src/analyzer/protocols/udp/UDP.cc
index f85f5ad991..8092a511c3 100644
--- a/src/analyzer/protocols/udp/UDP.cc
+++ b/src/analyzer/protocols/udp/UDP.cc
@@ -10,6 +10,10 @@
 #include "Reporter.h"
 #include "Conn.h"
+#include "events.bif.h"
+
+using namespace analyzer::udp;
+
 UDP_Analyzer::UDP_Analyzer(Connection* conn)
 : TransportLayerAnalyzer("UDP", conn)
 {
diff --git a/src/analyzer/protocols/udp/UDP.h b/src/analyzer/protocols/udp/UDP.h
index 67048781a7..b3ef3bcf2d 100644
--- a/src/analyzer/protocols/udp/UDP.h
+++ b/src/analyzer/protocols/udp/UDP.h
@@ -6,6 +6,8 @@
 #include "analyzer/Analyzer.h"
 #include
+namespace analyzer { namespace udp {
+
 typedef enum {
 UDP_INACTIVE, // no packet seen
 UDP_ACTIVE, // packets seen
@@ -45,4 +47,6 @@ private:
 #define HIST_RESP_CORRUPT_PKT 0x8
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/udp/events.bif b/src/analyzer/protocols/udp/events.bif
index e69de29bb2..394181cf5d 100644
--- a/src/analyzer/protocols/udp/events.bif
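Review bot: In the second UDP.h hunk, `#define HIST_RESP_CORRUPT_PKT 0x8` sits inside the class body that the new `namespace analyzer { namespace udp {` now encloses, but the preprocessor ignores namespaces and classes, so this macro (and presumably the other HIST_* definitions above it, outside the hunk) stays global and can still collide with same-named macros in other analyzers. If per-analyzer scoping is the goal of this series, making these enumerators or `static const` members of UDP_Analyzer would actually achieve it. By contrast the unscoped `typedef enum { UDP_INACTIVE, ...` in the first hunk is now genuinely namespaced, so any code outside the namespace that names `UDP_INACTIVE`/`UDP_ACTIVE` will need `analyzer::udp::` qualification, which cannot be checked from here.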
+++ b/src/analyzer/protocols/udp/events.bif
@@ -0,0 +1,38 @@
+## Generated for each packet sent by a UDP flow's originator. This a potentially
+## expensive event due to the volume of UDP traffic and should be used with
+## care.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents udp_reply udp_session_done
+event udp_request%(u: connection%);
+
+## Generated for each packet sent by a UDP flow's responder. This a potentially
+## expensive event due to the volume of UDP traffic and should be used with
+## care.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents udp_request udp_session_done
+event udp_reply%(u: connection%);
+
+## Generated for UDP packets to pass on their payload. As the number of UDP
+## packets can be very large, this event is normally raised only for those on
+## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets
+## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp`
+## (for packets sent by the flow's responder). However, delivery can be enabled
+## for all UDP request and reply packets by setting
+## :bro:id:`udp_content_deliver_all_orig` or
+## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this
+## event is also raised for all matching UDP packets, including empty ones.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## is_orig: True if the event is raised for the originator side.
+##
+## contents: TODO.
+##
+## .. bro:see:: udp_reply udp_request udp_session_done
+## udp_content_deliver_all_orig udp_content_deliver_all_resp
+## udp_content_delivery_ports_orig udp_content_delivery_ports_resp
+event udp_contents%(u: connection, is_orig: bool, contents: string%);
diff --git a/src/analyzer/protocols/zip/Plugin.cc b/src/analyzer/protocols/zip/Plugin.cc
index 89382dd0cd..5ab2b60baf 100644
--- a/src/analyzer/protocols/zip/Plugin.cc
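Review bot: `## contents: TODO.` in the udp_contents documentation is carried over unwritten even though the event's own description already states what the parameter is: the event exists "to pass on their payload" and is raised for matching packets "including empty ones". `## contents: The packet's UDP payload, which may be empty.` states both facts and removes the placeholder from generated docs. The same hunk also repeats the typo "This a potentially expensive event" in the udp_request and udp_reply descriptions, which should read "This is a potentially expensive event".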
+++ b/src/analyzer/protocols/zip/Plugin.cc
@@ -5,6 +5,6 @@
 BRO_PLUGIN_BEGIN(ZIP)
 BRO_PLUGIN_DESCRIPTION("Generic ZIP support analyzer");
- BRO_PLUGIN_ANALYZER("ZIP", 0);
+ BRO_PLUGIN_ANALYZER_BARE("ZIP");
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/zip/ZIP.cc b/src/analyzer/protocols/zip/ZIP.cc
index d3d9b1c38b..132515f29a 100644
--- a/src/analyzer/protocols/zip/ZIP.cc
+++ b/src/analyzer/protocols/zip/ZIP.cc
@@ -2,8 +2,12 @@
 #include "ZIP.h"
+#include "events.bif.h"
+
+using namespace analyzer::zip;
+
 ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method)
-: TCP_SupportAnalyzer("ZIP", conn, orig)
+: tcp::TCP_SupportAnalyzer("ZIP", conn, orig)
 {
 zip = 0;
 zip_status = Z_OK;
@@ -44,7 +48,7 @@ void ZIP_Analyzer::Done()
 void ZIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
- TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+ tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
 if ( ! len || zip_status != Z_OK )
 return;
diff --git a/src/analyzer/protocols/zip/ZIP.h b/src/analyzer/protocols/zip/ZIP.h
index 24ec919f70..7eda1e295f 100644
--- a/src/analyzer/protocols/zip/ZIP.h
+++ b/src/analyzer/protocols/zip/ZIP.h
@@ -8,7 +8,9 @@
 #include "zlib.h"
 #include "analyzer/protocols/tcp/TCP.h"
-class ZIP_Analyzer : public TCP_SupportAnalyzer {
+namespace analyzer { namespace zip {
+
+class ZIP_Analyzer : public tcp::TCP_SupportAnalyzer {
 public:
 enum Method { GZIP, DEFLATE };
@@ -26,4 +28,6 @@ protected:
 Method method;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/bro.bif b/src/bro.bif
index aa15443e64..aa8229f92d 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -4232,7 +4232,7 @@ function get_login_state%(cid: conn_id%): count
 if ( ! la )
 return new Val(0, TYPE_BOOL);
- return new Val(int(static_cast(la)->LoginState()),
+ return new Val(int(static_cast(la)->LoginState()),
 TYPE_COUNT);
 %}
@@ -4257,7 +4257,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
 if ( ! la )
 return new Val(0, TYPE_BOOL);
- static_cast(la)->SetLoginState(login_state(new_state));
+ static_cast(la)->SetLoginState(analyzer::login::login_state(new_state));
 return new Val(1, TYPE_BOOL);
 %}
@@ -4286,7 +4286,7 @@ function get_orig_seq%(cid: conn_id%): count
 analyzer::Analyzer* tc = c->FindAnalyzer("TCP");
 if ( tc )
- return new Val(static_cast(tc)->OrigSeq(),
+ return new Val(static_cast(tc)->OrigSeq(),
 TYPE_COUNT);
 else
 {
@@ -4316,7 +4316,7 @@ function get_resp_seq%(cid: conn_id%): count
 analyzer::Analyzer* tc = c->FindAnalyzer("TCP");
 if ( tc )
- return new Val(static_cast(tc)->RespSeq(),
+ return new Val(static_cast(tc)->RespSeq(),
 TYPE_COUNT);
 else
 {
@@ -4338,7 +4338,7 @@ function skip_smtp_data%(c: connection%): any
 %{
 analyzer::Analyzer* sa = c->FindAnalyzer("SMTP");
 if ( sa )
- static_cast(sa)->SkipData();
+ static_cast(sa)->SkipData();
 return 0;
 %}
diff --git a/src/event.bif b/src/event.bif
index ab44495fdc..76c4ff09f5 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -1,7 +1,9 @@
-##! The events that the C/C++ core of Bro can generate. This is mostly
-##! consisting of high-level network events that protocol analyzers detect,
-##! but there are also several general-utility events generated by internal
-##! Bro frameworks.
+##! The protocol-independent events that the C/C++ core of Bro can generate.
+##!
+##! This is mostly events not related to a specific transport- or
+##! application-layer protocol, but also includes a few that may be generated
+##! by more than one protocols analyzer (like events generated by both UDP and
+##! TCP analysis.)
 #
 # Documentation conventions:
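Review bot: The rewritten event.bif file header (last hunk on this line) reads `by more than one protocols analyzer`, which should be `by more than one protocol analyzer`, and the closing parenthesis belongs after the sentence's period, `TCP analysis).`. This `##!` block is the summary that generated documentation shows first for the file, so the wording is worth fixing before it propagates.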
@@ -59,69 +61,6 @@ event bro_init%(%);
 ## is not generated.
 event bro_done%(%);
-## Generated when an internal DNS lookup produces the same result as last time.
-## Bro keeps an internal DNS cache for host names and IP addresses it has
-## already resolved. This event is generated when a subsequent lookup returns
-## the same result as stored in the cache.
-##
-## dm: A record describing the new resolver result (which matches the old one).
-##
-## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified
-event dns_mapping_valid%(dm: dns_mapping%);
-
-## Generated when an internal DNS lookup got no answer even though it had
-## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
-## addresses it has already resolved. This event is generated when a
-## subsequent lookup does not produce an answer even though we have
-## already stored a result in the cache.
-##
-## dm: A record describing the old resolver result.
-##
-## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_valid
-event dns_mapping_unverified%(dm: dns_mapping%);
-
-## Generated when an internal DNS lookup succeeded but an earlier attempt
-## did not. Bro keeps an internal DNS cache for host names and IP
-## addresses it has already resolved. This event is generated when a subsequent
-## lookup produces an answer for a query that was marked as failed in the cache.
-##
-## dm: A record describing the new resolver result.
-##
-## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified
-## dns_mapping_valid
-event dns_mapping_new_name%(dm: dns_mapping%);
-
-## Generated when an internal DNS lookup returned zero answers even though it
-## had succeeded in the past. Bro keeps an internal DNS cache for host names
-## and IP addresses it has already resolved. This event is generated when
-## on a subsequent lookup we receive an answer that is empty even
-## though we have already stored a result in the cache.
-##
-## dm: A record describing the old resolver result.
-##
-## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid
-event dns_mapping_lost_name%(dm: dns_mapping%);
-
-## Generated when an internal DNS lookup produced a different result than in
-## the past. Bro keeps an internal DNS cache for host names and IP addresses
-## it has already resolved. This event is generated when a subsequent lookup
-## returns a different answer than we have stored in the cache.
-##
-## dm: A record describing the new resolver result.
-##
-## old_addrs: Addresses that used to be part of the returned set for the query
-## described by *dm*, but are not anymore.
-##
-## new_addrs: Addresses that were not part of the returned set for the query
-## described by *dm*, but now are.
-##
-## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid
-event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
-
 ## Generated for every new connection. This event is raised with the first
 ## packet of a previously unknown connection. Bro uses a flow-based definition
 ## of "connection" here that includes not only TCP sessions but also UDP and
@@ -157,9 +96,10 @@ event new_connection%(c: connection%);
 ## e: The new encapsulation.
 event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
-## Generated when reassembly starts for a TCP connection. This event is raised
-## at the moment when Bro's TCP analyzer enables stream reassembly for a
-## connection.
+## Generated when a TCP connection timed out. This event is raised when
+## no activity was seen for an interval of at least
+## :bro:id:`tcp_connection_linger`, and either one endpoint has already
+## closed the connection or one side never became active.
 ##
 ## c: The connection.
 ##
@@ -167,148 +107,18 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_reused
-## connection_state_remove connection_status_update connection_timeout
-## scheduled_analyzer_applied new_connection partial_connection
-event new_connection_contents%(c: connection%);
-
-## Generated for an unsuccessful connection attempt. This event is raised when
-## an originator unsuccessfully attempted to establish a connection.
-## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds
-## having elapsed since the originator first sent a connection establishment
-## packet to the destination without seeing a reply.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_established
-## connection_external connection_finished connection_first_ACK
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
+## connection_state_remove connection_status_update expected_connection_seen
 ## new_connection new_connection_contents partial_connection
-event connection_attempt%(c: connection%);
-
-## Generated when a SYN-ACK packet is seen in response to a SYN packet during
-## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may
-## or may not occur later, one way to tell is to check the *history* field of
-## :bro:type:`connection` to see if the originator sent an ACK, indicated by
-## 'A' in the history string.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_external connection_finished connection_first_ACK
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-event connection_established%(c: connection%);
-
-## Generated for a new active TCP connection if Bro did not see the initial
-## handshake. This event is raised when Bro has observed traffic from each
-## endpoint, but the activity did not begin with the usual connection
-## establishment.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_first_ACK connection_half_finished connection_partial_close
-## connection_pending connection_rejected connection_reset connection_reused
-## connection_state_remove connection_status_update connection_timeout
-## scheduled_analyzer_applied new_connection new_connection_contents
-##
-event partial_connection%(c: connection%);
-
-## Generated when a previously inactive endpoint attempts to close a TCP
-## connection via a normal FIN handshake or an abort RST sequence. When the
-## endpoint sent one of these packets, Bro waits
-## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give
-## the other endpoint a chance to close the connection normally.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_first_ACK connection_half_finished connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-event connection_partial_close%(c: connection%);
-
-## Generated for a TCP connection that finished normally. The event is raised
-## when a regular FIN handshake from both endpoints was observed.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_first_ACK
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-event connection_finished%(c: connection%);
-
-## Generated when one endpoint of a TCP connection attempted to gracefully close
-## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
-## happen due to split routing, in which Bro only sees one side of a connection.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_first_ACK connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-event connection_half_finished%(c: connection%);
-
-## Generated for a rejected TCP connection. This event is raised when an
-## originator attempted to setup a TCP connection but the responder replied
-## with a RST packet denying it.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_first_ACK connection_half_finished connection_partial_close
-## connection_pending connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-##
-## c: The connection.
 ##
 ## .. note::
 ##
-## If the responder does not respond at all, :bro:id:`connection_attempt` is
-## raised instead. If the responder initially accepts the connection but
-## aborts it later, Bro first generates :bro:id:`connection_established`
-## and then :bro:id:`connection_reset`.
-event connection_rejected%(c: connection%);
-
-## Generated when an endpoint aborted a TCP connection. The event is raised
-## when one endpoint of an established TCP connection aborted by sending a RST
-## packet.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_first_ACK connection_half_finished connection_partial_close
-## connection_pending connection_rejected connection_reused
-## connection_state_remove connection_status_update connection_timeout
-## scheduled_analyzer_applied new_connection new_connection_contents
-## partial_connection
-event connection_reset%(c: connection%);
-
-## Generated for each still-open connection when Bro terminates.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_first_ACK connection_half_finished connection_partial_close
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection bro_done
-event connection_pending%(c: connection%);
+## The precise semantics of this event can be unintuitive as it only
+## covers a subset of cases where a connection times out. Often, handling
+## :bro:id:`connection_state_remove` is the better option. That one will be
+## generated reliably when an interval of ``tcp_inactivity_timeout`` has
+## passed without any activity seen (but also for all other ways a
+## connection may terminate).
+event connection_timeout%(c: connection%);
 ## Generated when a connection's internal state is about to be removed from
 ## memory. Bro generates this event reliably once for every connection when it
@@ -328,70 +138,6 @@ event connection_pending%(c: connection%);
 ## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
 event connection_state_remove%(c: connection%);
-## Generated for a SYN packet. Bro raises this event for every SYN packet seen
-## by its TCP analyzer.
-##
-## c: The connection.
-##
-## pkt: Information extracted from the SYN packet.
-##
-## .. bro:see:: connection_EOF connection_attempt connection_established
-## connection_external connection_finished connection_first_ACK
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-##
-## .. note::
-##
-## This event has quite low-level semantics and can potentially be expensive
-## to generate. It should only be used if one really needs the specific
-## information passed into the handler via the ``pkt`` argument. If not,
-## handling one of the other ``connection_*`` events is typically the
-## better approach.
-event connection_SYN_packet%(c: connection, pkt: SYN_packet%);
-
-## Generated for the first ACK packet seen for a TCP connection from
-## its *originator*.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-##
-## .. note::
-##
-## This event has quite low-level semantics and should be used only rarely.
-event connection_first_ACK%(c: connection%);
-
-## Generated when a TCP connection timed out. This event is raised when
-## no activity was seen for an interval of at least
-## :bro:id:`tcp_connection_linger`, and either one endpoint has already
-## closed the connection or one side never became active.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_first_ACK connection_half_finished connection_partial_close
-## connection_pending connection_rejected connection_reset connection_reused
-## connection_state_remove connection_status_update scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-##
-## .. note::
-##
-## The precise semantics of this event can be unintuitive as it only
-## covers a subset of cases where a connection times out. Often, handling
-## :bro:id:`connection_state_remove` is the better option. That one will be
-## generated reliably when an interval of ``tcp_inactivity_timeout`` has
-## passed without any activity seen (but also for all other ways a
-## connection may terminate).
-event connection_timeout%(c: connection%);
-
 ## Generated when a connection 4-tuple is reused. This event is raised when Bro
 ## sees a new TCP session or UDP flow using a 4-tuple matching that of an
 ## earlier connection it still considers active.
@@ -434,22 +180,6 @@ event connection_status_update%(c: connection%);
 ## .. bro:see:: connection_established new_connection
 event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
-## Generated at the end of reassembled TCP connections. The TCP reassembler
-## raised the event once for each endpoint of a connection when it finished
-## reassembling the corresponding side of the communication.
-##
-## c: The connection.
-##
-## is_orig: True if the event is raised for the originator side.
-##
-## .. bro:see:: connection_SYN_packet connection_attempt connection_established
-## connection_external connection_finished connection_first_ACK
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-event connection_EOF%(c: connection, is_orig: bool%);
-
 ## Generated for a new connection received from the communication subsystem.
 ## Remote peers can inject packets into Bro's packet loop, for example via
 ## :doc:`Broccoli `. The communication system
@@ -460,6 +190,16 @@ event connection_EOF%(c: connection, is_orig: bool%);
 ## tag: TODO.
 event connection_external%(c: connection, tag: string%);
+## Generated when a UDP session for a supported protocol has finished. Some of
+## Bro's application-layer UDP analyzers flag the end of a session by raising
+## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
+## Teredo, and GTPv1 support this.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents udp_reply udp_request
+event udp_session_done%(u: connection%);
+
 ## Generated when a connection is seen that is marked as being expected.
 ## The function :bro:id:`expect_connection` tells Bro to expect a particular
 ## connection to come up, and which analyzer to associate with it. Once the
@@ -522,135 +262,6 @@ event esp_packet%(p: pkt_hdr%);
 ## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
 event mobile_ipv6_message%(p: pkt_hdr%);
-## Generated for any IPv6 packet encapsulated in a Teredo tunnel.
-## See :rfc:`4380` for more information about the Teredo protocol.
-##
-## outer: The Teredo tunnel connection.
-##
-## inner: The Teredo-encapsulated IPv6 packet header and transport header.
-##
-## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particularly expensive for real-time analysis.
-event teredo_packet%(outer: connection, inner: teredo_hdr%);
-
-## Generated for IPv6 packets encapsulated in a Teredo tunnel that
-## use the Teredo authentication encapsulation method.
-## See :rfc:`4380` for more information about the Teredo protocol.
-##
-## outer: The Teredo tunnel connection.
-##
-## inner: The Teredo-encapsulated IPv6 packet header and transport header.
-##
-## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particularly expensive for real-time analysis.
-event teredo_authentication%(outer: connection, inner: teredo_hdr%);
-
-## Generated for IPv6 packets encapsulated in a Teredo tunnel that
-## use the Teredo origin indication encapsulation method.
-## See :rfc:`4380` for more information about the Teredo protocol.
-##
-## outer: The Teredo tunnel connection.
-##
-## inner: The Teredo-encapsulated IPv6 packet header and transport header.
-##
-## .. bro:see:: teredo_packet teredo_authentication teredo_bubble
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particularly expensive for real-time analysis.
-event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
-
-## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated
-## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`.
-## See :rfc:`4380` for more information about the Teredo protocol.
-##
-## outer: The Teredo tunnel connection.
-##
-## inner: The Teredo-encapsulated IPv6 packet header and transport header.
-##
-## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particularly expensive for real-time analysis.
-event teredo_bubble%(outer: connection, inner: teredo_hdr%);
-
-## Generated for any GTP message with a GTPv1 header.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
-
-## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
-## that includes a GTP header followed by an IPv4 or IPv6 packet.
-##
-## outer: The GTP outer tunnel connection.
-##
-## inner_gtp: The GTP header.
-##
-## inner_ip: The inner IP and transport layer packet headers.
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particularly expensive for real-time analysis.
-event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
-
-## Generated for GTPv1-C Create PDP Context Request messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
-
-## Generated for GTPv1-C Create PDP Context Response messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
-
-## Generated for GTPv1-C Update PDP Context Request messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
-
-## Generated for GTPv1-C Update PDP Context Response messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
-
-## Generated for GTPv1-C Delete PDP Context Request messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
-
-## Generated for GTPv1-C Delete PDP Context Response messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);
-
 ## Generated for every packet that has a non-empty transport-layer payload.
 ## This is a very low-level and expensive event that should be avoided when
 ## at all possible. It's usually infeasible to handle when processing even
@@ -665,85 +276,6 @@ event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gt
 ## .. bro:see:: new_packet tcp_packet
 event packet_contents%(c: connection, contents: string%);
-## Generated for every TCP packet. This is a very low-level and expensive event
-## that should be avoided when at all possible. It's usually infeasible to
-## handle when processing even medium volumes of traffic in real-time. It's
-## slightly better than :bro:id:`new_packet` because it affects only TCP, but
-## not much. That said, if you work from a trace and want to do some
-## packet-level analysis, it may come in handy.
-##
-## c: The connection the packet is part of.
-##
-## is_orig: True if the packet was sent by the connection's originator.
-##
-## flags: A string with the packet's TCP flags. In the string, each character
-## corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
-## ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH.
-##
-## seq: The packet's TCP sequence number.
-##
-## ack: The packet's ACK number.
-##
-## len: The length of the TCP payload, as specified in the packet header.
-##
-## payload: The raw TCP payload. Note that this may be shorter than *len* if
-## the packet was not fully captured.
-##
-## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
-event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);
-
-## Generated for each option found in a TCP header. Like many of the ``tcp_*``
-## events, this is a very low-level event and potentially expensive as it may
-## be raised very often.
-##
-## c: The connection the packet is part of.
-##
-## is_orig: True if the packet was sent by the connection's originator.
-##
-## opt: The numerical option number, as found in the TCP header.
-##
-## optlen: The length of the options value.
-##
-## .. bro:see:: tcp_packet tcp_contents tcp_rexmit
-##
-## ..
note:: There is currently no way to get the actual option value, if any.
-event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
-
-## Generated for each chunk of reassembled TCP payload. When content delivery is
-## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`,
-## :bro:id:`tcp_content_delivery_ports_resp`,
-## :bro:id:`tcp_content_deliver_all_orig`,
-## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
-## of in-order payload reconstructed from the packet stream. Note that this
-## event is potentially expensive if many connections carry significant amounts
-## of data as then all that data needs to be passed on to the scripting layer.
-##
-## c: The connection the payload is part of.
-##
-## is_orig: True if the packet was sent by the connection's originator.
-##
-## seq: The sequence number corresponding to the first byte of the payload
-## chunk.
-##
-## contents: The raw payload, which will be non-empty.
-##
-## .. bro:see:: tcp_packet tcp_option tcp_rexmit
-## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
-## tcp_content_deliver_all_resp tcp_content_deliver_all_orig
-##
-## .. note::
-##
-## The payload received by this event is the same that is also passed into
-## application-layer protocol analyzers internally. Subsequent invocations of
-## this event for the same connection receive non-overlapping in-order chunks
-## of its TCP payload stream. It is however undefined what size each chunk
-## has; while Bro passes the data on as soon as possible, specifics depend on
-## network-level effects such as latency, acknowledgements, reordering, etc.
-event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
-
-## TODO.
-event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
-
 ## Generated when Bro detects a TCP retransmission inconsistency.
When
 ## reassembling a TCP stream, Bro buffers all payload until it sees the
 ## responder acking it. If during that time, the sender resends a chunk of
@@ -831,7 +363,6 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 ## is exceeded.
 event gap_report%(dt: interval, info: gap_info%);
-
 ## Generated when a protocol analyzer confirms that a connection is indeed
 ## using that protocol. Bro's dynamic protocol detection heuristically activates
 ## analyzers as soon as it believes a connection *could* be using a particular
@@ -890,355 +421,6 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
 ## engine.
 event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
-## Generated for each packet sent by a UDP flow's originator. This a potentially
-## expensive event due to the volume of UDP traffic and should be used with
-## care.
-##
-## u: The connection record for the corresponding UDP flow.
-##
-## .. bro:see:: udp_contents udp_reply udp_session_done
-event udp_request%(u: connection%);
-
-## Generated for each packet sent by a UDP flow's responder. This a potentially
-## expensive event due to the volume of UDP traffic and should be used with
-## care.
-##
-## u: The connection record for the corresponding UDP flow.
-##
-## .. bro:see:: udp_contents udp_request udp_session_done
-event udp_reply%(u: connection%);
-
-## Generated for UDP packets to pass on their payload. As the number of UDP
-## packets can be very large, this event is normally raised only for those on
-## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets
-## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp`
-## (for packets sent by the flow's responder). However, delivery can be enabled
-## for all UDP request and reply packets by setting
-## :bro:id:`udp_content_deliver_all_orig` or
-## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this
-## event is also raised for all matching UDP packets, including empty ones.
-##
-## u: The connection record for the corresponding UDP flow.
-##
-## is_orig: True if the event is raised for the originator side.
-##
-## contents: TODO.
-##
-## ..
bro:see:: udp_reply udp_request udp_session_done
-## udp_content_deliver_all_orig udp_content_deliver_all_resp
-## udp_content_delivery_ports_orig udp_content_delivery_ports_resp
-event udp_contents%(u: connection, is_orig: bool, contents: string%);
-
-## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising
-## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
-## Teredo, and GTPv1 support this.
-##
-## u: The connection record for the corresponding UDP flow.
-##
-## .. bro:see:: udp_contents udp_reply udp_request
-event udp_session_done%(u: connection%);
-
-## Generated for all ICMP messages that are not handled separately with
-## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
-## directly with dedicated events. This event acts as a fallback for those it
-## doesn't.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard
-## connection record *c*.
-##
-## .. bro:see:: icmp_error_message
-event icmp_sent%(c: connection, icmp: icmp_conn%);
-
-## Generated for ICMP *echo request* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard
-## connection record *c*.
-##
-## id: The *echo request* identifier.
-##
-## seq: The *echo request* sequence number.
-##
-## payload: The message-specific data of the packet payload, i.e., everything
-## after the first 8 bytes of the ICMP header.
-##
-## .. bro:see:: icmp_echo_reply
-event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
-
-## Generated for ICMP *echo reply* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## id: The *echo reply* identifier.
-##
-## seq: The *echo reply* sequence number.
-##
-## payload: The message-specific data of the packet payload, i.e., everything
-## after the first 8 bytes of the ICMP header.
-##
-## .. bro:see:: icmp_echo_request
-event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
-
-## Generated for all ICMPv6 error messages that are not handled
-## separately with dedicated events. Bro's ICMP analyzer handles a number
-## of ICMP error messages directly with dedicated events. This event acts
-## as a fallback for those it doesn't.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMPv6 protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard
-## connection record *c*.
-##
-## code: The ICMP code of the error message.
-##
-## context: A record with specifics of the original packet that the message
-## refers to.
-##
-## .. bro:see:: icmp_unreachable icmp_packet_too_big
-## icmp_time_exceeded icmp_parameter_problem
-event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
-
-## Generated for ICMP *destination unreachable* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## code: The ICMP code of the *unreachable* message.
-##
-## context: A record with specifics of the original packet that the message
-## refers to.
*Unreachable* messages should include the original IP
-## header from the packet that triggered them, and Bro parses that
-## into the *context* structure. Note that if the *unreachable*
-## includes only a partial IP header for some reason, no
-## fields of *context* will be filled out.
-##
-## .. bro:see:: icmp_error_message icmp_packet_too_big
-## icmp_time_exceeded icmp_parameter_problem
-event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
-
-## Generated for ICMPv6 *packet too big* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMPv6 protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## code: The ICMP code of the *too big* message.
-##
-## context: A record with specifics of the original packet that the message
-## refers to. *Too big* messages should include the original IP header
-## from the packet that triggered them, and Bro parses that into
-## the *context* structure. Note that if the *too big* includes only
-## a partial IP header for some reason, no fields of *context* will
-## be filled out.
-##
-## .. bro:see:: icmp_error_message icmp_unreachable
-## icmp_time_exceeded icmp_parameter_problem
-event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
-
-## Generated for ICMP *time exceeded* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## code: The ICMP code of the *exceeded* message.
-##
-## context: A record with specifics of the original packet that the message
-## refers to.
*Unreachable* messages should include the original IP
-## header from the packet that triggered them, and Bro parses that
-## into the *context* structure. Note that if the *exceeded* includes
-## only a partial IP header for some reason, no fields of *context*
-## will be filled out.
-##
-## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
-## icmp_parameter_problem
-event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
-
-## Generated for ICMPv6 *parameter problem* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMPv6 protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## code: The ICMP code of the *parameter problem* message.
-##
-## context: A record with specifics of the original packet that the message
-## refers to. *Parameter problem* messages should include the original
-## IP header from the packet that triggered them, and Bro parses that
-## into the *context* structure. Note that if the *parameter problem*
-## includes only a partial IP header for some reason, no fields
-## of *context* will be filled out.
-##
-## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
-## icmp_time_exceeded
-event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
-
-## Generated for ICMP *router solicitation* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
-##
-## ..
bro:see:: icmp_router_advertisement
-## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
-event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%);
-
-## Generated for ICMP *router advertisement* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## cur_hop_limit: The default value that should be placed in Hop Count field
-## for outgoing IP packets.
-##
-## managed: Managed address configuration flag, :rfc:`4861`.
-##
-## other: Other stateful configuration flag, :rfc:`4861`.
-##
-## home_agent: Mobile IPv6 home agent flag, :rfc:`3775`.
-##
-## pref: Router selection preferences, :rfc:`4191`.
-##
-## proxy: Neighbor discovery proxy flag, :rfc:`4389`.
-##
-## rsv: Remaining two reserved bits of router advertisement flags.
-##
-## router_lifetime: How long this router should be used as a default router.
-##
-## reachable_time: How long a neighbor should be considered reachable.
-##
-## retrans_timer: How long a host should wait before retransmitting.
-##
-## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
-##
-## .. bro:see:: icmp_router_solicitation
-## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
-event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
-
-## Generated for ICMP *neighbor solicitation* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## tgt: The IP address of the target of the solicitation.
-##
-## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
-##
-## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
-## icmp_neighbor_advertisement icmp_redirect
-event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%);
-
-## Generated for ICMP *neighbor advertisement* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## router: Flag indicating the sender is a router.
-##
-## solicited: Flag indicating advertisement is in response to a solicitation.
-##
-## override: Flag indicating advertisement should override existing caches.
-##
-## tgt: the Target Address in the soliciting message or the address whose
-## link-layer address has changed for unsolicited adverts.
-##
-## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
-##
-## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
-## icmp_neighbor_solicitation icmp_redirect
-event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
-
-## Generated for ICMP *redirect* messages.
-##
-## See `Wikipedia
-## `__ for more
-## information about the ICMP protocol.
-##
-## c: The connection record for the corresponding ICMP flow.
-##
-## icmp: Additional ICMP-specific information augmenting the standard connection
-## record *c*.
-##
-## tgt: The address that is supposed to be a better first hop to use for
-## ICMP Destination Address.
-##
-## dest: The address of the destination which is redirected to the target.
-##
-## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
-##
-## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
-## icmp_neighbor_solicitation icmp_neighbor_advertisement
-event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%);
-
 ## Generated when a TCP connection terminated, passing on statistics about the
 ## two endpoints. This event is always generated when Bro flushes the internal
 ## connection state, independent of how a connection terminates.
@@ -1329,4505 +511,6 @@ event net_weird%(name: string%);
 ## dmem: The difference in memory usage caused by processing the sampled packet.
 event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
-## Generated for ARP requests.
-##
-## See `Wikipedia `__
-## for more information about the ARP protocol.
-##
-## mac_src: The request's source MAC address.
-##
-## mac_dst: The request's destination MAC address.
-##
-## SPA: The sender protocol address.
-##
-## SHA: The sender hardware address.
-##
-## TPA: The target protocol address.
-##
-## THA: The target hardware address.
-##
-## .. bro:see:: arp_reply bad_arp
-event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
- TPA: addr, THA: string%);
-
-## Generated for ARP replies.
-##
-## See `Wikipedia `__
-## for more information about the ARP protocol.
-##
-## mac_src: The reply's source MAC address.
-##
-## mac_dst: The reply's destination MAC address.
-##
-## SPA: The sender protocol address.
-##
-## SHA: The sender hardware address.
-##
-## TPA: The target protocol address.
-##
-## THA: The target hardware address.
-##
-## .. bro:see:: arp_request bad_arp
-event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
- TPA: addr, THA: string%);
-
-## Generated for ARP packets that Bro cannot interpret. Examples are packets
-## with non-standard hardware address formats or hardware addresses that do not
-## match the originator of the packet.
-##
-## SPA: The sender protocol address.
-##
-## SHA: The sender hardware address.
-##
-## TPA: The target protocol address.
-##
-## THA: The target hardware address.
-##
-## explanation: A short description of why the ARP packet is considered "bad".
-##
-## .. bro:see:: arp_reply arp_request
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x.
To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
-## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
-## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_handshake%(c: connection, is_orig: bool,
- reserved: string, info_hash: string, peer_id: string%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
-## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
-## bittorrent_peer_unknown bittorrent_peer_weird
-event bittorrent_peer_choke%(c: connection, is_orig: bool%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## ..
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request
-## bittorrent_peer_unknown bittorrent_peer_weird
-event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
-## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
-## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_interested%(c: connection, is_orig: bool%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
-## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
-## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
-## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
-## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
-## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
-## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
- begin: count, length: count%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
-## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
- begin: count, piece_length: count%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## ..
bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
-## bittorrent_peer_unknown bittorrent_peer_weird
-event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
- begin: count, length: count%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
-## bittorrent_peer_weird
-event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
-## bittorrent_peer_weird
-event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
- data: string%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## ..
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
-## bittorrent_peer_unknown
-event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
-## bittorrent_peer_unknown bittorrent_peer_weird
-event bt_tracker_request%(c: connection, uri: string,
- headers: bt_tracker_headers%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
-## bittorrent_peer_unknown bittorrent_peer_weird
-event bt_tracker_response%(c: connection, status: count,
- headers: bt_tracker_headers,
- peers: bittorrent_peer_set,
- benc: bittorrent_benc_dir%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## ..
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
-## bittorrent_peer_unknown bittorrent_peer_weird
-event bt_tracker_response_not_ok%(c: connection, status: count,
- headers: bt_tracker_headers%);
-
-## TODO.
-##
-## See `Wikipedia `__ for
-## more information about the BitTorrent protocol.
-##
-## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
-## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
-## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
-## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
-## bittorrent_peer_unknown bittorrent_peer_weird
-event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%);
-
-## Generated for Finger requests.
-##
-## See `Wikipedia `__ for more
-## information about the Finger protocol.
-##
-## c: The connection.
-##
-## full: True if verbose information is requested (``/W`` switch).
-##
-## username: The request's user name.
-##
-## hostname: The request's host name.
-##
-## .. bro:see:: finger_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event finger_request%(c: connection, full: bool, username: string, hostname: string%);
-
-## Generated for Finger replies.
-##
-## See `Wikipedia `__ for more
-## information about the Finger protocol.
-##
-## c: The connection.
-##
-## reply_line: The reply as returned by the server
-##
-## .. bro:see:: finger_request
-##
-## ..
todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event finger_reply%(c: connection, reply_line: string%);
-
-
-## TODO.
-##
-## See `Wikipedia `__ for more
-## information about the Gnutella protocol.
-##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
-## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
-##
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
-
-## TODO.
-##
-## See `Wikipedia `__ for more
-## information about the Gnutella protocol.
-##
-## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
-## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
- ttl: count, hops: count, msg_len: count,
- payload: string, payload_len: count,
- trunc: bool, complete: bool%);
-
-## TODO.
-##
-## See `Wikipedia `__ for more
-## information about the Gnutella protocol.
-##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
-## gnutella_not_establish gnutella_signature_found gnutella_text_msg
-##
-## ..
todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event gnutella_partial_binary_msg%(c: connection, orig: bool,
- msg: string, len: count%);
-
-## TODO.
-##
-## See `Wikipedia `__ for more
-## information about the Gnutella protocol.
-##
-## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
-## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event gnutella_establish%(c: connection%);
-
-## TODO.
-##
-## See `Wikipedia `__ for more
-## information about the Gnutella protocol.
-##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
-## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event gnutella_not_establish%(c: connection%);
-
-## TODO.
-##
-## See `Wikipedia `__ for more
-## information about the Gnutella protocol.
-##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
-## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x.
To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event gnutella_http_notify%(c: connection%);
-
-## Generated for Ident requests.
-##
-## See `Wikipedia `__ for more
-## information about the Ident protocol.
-##
-## c: The connection.
-##
-## lport: The request's local port.
-##
-## rport: The request's remote port.
-##
-## .. bro:see:: ident_error ident_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ident_request%(c: connection, lport: port, rport: port%);
-
-## Generated for Ident replies.
-##
-## See `Wikipedia `__ for more
-## information about the Ident protocol.
-##
-## c: The connection.
-##
-## lport: The corresponding request's local port.
-##
-## rport: The corresponding request's remote port.
-##
-## user_id: The user id returned by the reply.
-##
-## system: The operating system returned by the reply.
-##
-## .. bro:see:: ident_error ident_request
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
-
-## Generated for Ident error replies.
-##
-## See `Wikipedia `__ for more
-## information about the Ident protocol.
-##
-## c: The connection.
-##
-## lport: The corresponding request's local port.
-##
-## rport: The corresponding request's remote port.
-##
-## line: The error description returned by the reply.
-##
-## .. bro:see:: ident_reply ident_request
-##
-## ..
todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ident_error%(c: connection, lport: port, rport: port, line: string%);
-
-## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
-## Telnet/Rlogin sessions to heuristically extract username and password
-## information as well as the text returned by the login server. This event is
-## raised if a login attempt appears to have been unsuccessful.
-##
-## c: The connection.
-##
-## user: The user name tried.
-##
-## client_user: For Telnet connections, this is an empty string, but for Rlogin
-## connections, it is the client name passed in the initial authentication
-## information (to check against .rhosts).
-##
-## password: The password tried.
-##
-## line: The line of text that led the analyzer to conclude that the
-## authentication had failed.
-##
-## .. bro:see:: login_confused login_confused_text login_display login_input_line
-## login_output_line login_prompt login_success login_terminal direct_login_prompts
-## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
-## login_timeouts set_login_state
-##
-## .. note:: The login analyzer depends on a set of script-level variables that
-## need to be configured with patterns identifying login attempts. This
-## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
-## the analyzer is therefore not directly usable at the moment.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
-
-## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
-## Telnet/Rlogin sessions to heuristically extract username and password
-## information as well as the text returned by the login server. This event is
-## raised if a login attempt appears to have been successful.
-##
-## c: The connection.
-##
-## user: The user name used.
-##
-## client_user: For Telnet connections, this is an empty string, but for Rlogin
-## connections, it is the client name passed in the initial authentication
-## information (to check against .rhosts).
-##
-## password: The password used.
-##
-## line: The line of text that led the analyzer to conclude that the
-## authentication had succeeded.
-##
-## .. bro:see:: login_confused login_confused_text login_display login_failure
-## login_input_line login_output_line login_prompt login_terminal
-## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
-## login_prompts login_success_msgs login_timeouts set_login_state
-##
-## .. note:: The login analyzer depends on a set of script-level variables that
-## need to be configured with patterns identifying login attempts. This
-## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
-## the analyzer is therefore not directly usable at the moment.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
-
-## Generated for lines of input on Telnet/Rlogin sessions. The line will have
-## control characters (such as in-band Telnet options) removed.
-##
-## c: The connection.
-##
-## line: The input line.
-##
-## .. bro:see:: login_confused login_confused_text login_display login_failure
-## login_output_line login_prompt login_success login_terminal rsh_request
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_input_line%(c: connection, line: string%);
-
-## Generated for lines of output on Telnet/Rlogin sessions. The line will have
-## control characters (such as in-band Telnet options) removed.
-##
-## c: The connection.
-##
-## line: The ouput line.
-##
-## .. bro:see:: login_confused login_confused_text login_display login_failure
-## login_input_line login_prompt login_success login_terminal rsh_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_output_line%(c: connection, line: string%);
-
-## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
-## *login* analyzer uses a number of heuristics to extract authentication
-## information, it may become confused. If it can no longer correctly track
-## the authentication dialog, it raises this event.
-##
-## c: The connection.
-##
-## msg: Gives the particular problem the heuristics detected (for example,
-## ``multiple_login_prompts`` means that the engine saw several login
-## prompts in a row, without the type-ahead from the client side presumed
-## necessary to cause them)
-##
-## line: The line of text that caused the heuristics to conclude they were
-## confused.
-##
-## ..
bro:see:: login_confused_text login_display login_failure login_input_line login_output_line
-## login_prompt login_success login_terminal direct_login_prompts get_login_state
-## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
-## login_timeouts set_login_state
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_confused%(c: connection, msg: string, line: string%);
-
-## Generated after getting confused while tracking a Telnet/Rlogin
-## authentication dialog. The *login* analyzer generates this even for every
-## line of user input after it has reported :bro:id:`login_confused` for a
-## connection.
-##
-## c: The connection.
-##
-## line: The line the user typed.
-##
-## .. bro:see:: login_confused login_display login_failure login_input_line
-## login_output_line login_prompt login_success login_terminal direct_login_prompts
-## get_login_state login_failure_msgs login_non_failure_msgs login_prompts
-## login_success_msgs login_timeouts set_login_state
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_confused_text%(c: connection, line: string%);
-
-## Generated for clients transmitting a terminal type in a Telnet session. This
-## information is extracted out of environment variables sent as Telnet options.
-##
-## c: The connection.
-##
-## terminal: The TERM value transmitted.
-##
-## .. bro:see:: login_confused login_confused_text login_display login_failure
-## login_input_line login_output_line login_prompt login_success
-##
-## ..
todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_terminal%(c: connection, terminal: string%);
-
-## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
-## information is extracted out of environment variables sent as Telnet options.
-##
-## c: The connection.
-##
-## display: The DISPLAY transmitted.
-##
-## .. bro:see:: login_confused login_confused_text login_failure login_input_line
-## login_output_line login_prompt login_success login_terminal
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_display%(c: connection, display: string%);
-
-## Generated when a Telnet authentication has been successful. The Telnet
-## protocol includes options for negotiating authentication. When such an
-## option is sent from client to server and the server replies that it accepts
-## the authentication, then the event engine generates this event.
-##
-## See `Wikipedia `__ for more information
-## about the Telnet protocol.
-##
-## name: The authenticated name.
-##
-## c: The connection.
-##
-## .. bro:see:: authentication_rejected authentication_skipped login_success
-##
-## .. note:: This event inspects the corresponding Telnet option
-## while :bro:id:`login_success` heuristically determines success by watching
-## session data.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x.
To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event authentication_accepted%(name: string, c: connection%);
-
-## Generated when a Telnet authentication has been unsuccessful. The Telnet
-## protocol includes options for negotiating authentication. When such an option
-## is sent from client to server and the server replies that it did not accept
-## the authentication, then the event engine generates this event.
-##
-## See `Wikipedia `__ for more information
-## about the Telnet protocol.
-##
-## name: The attempted authentication name.
-##
-## c: The connection.
-##
-## .. bro:see:: authentication_accepted authentication_skipped login_failure
-##
-## .. note:: This event inspects the corresponding Telnet option
-## while :bro:id:`login_success` heuristically determines failure by watching
-## session data.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event authentication_rejected%(name: string, c: connection%);
-
-## Generated for Telnet/Rlogin sessions when a pattern match indicates
-## that no authentication is performed.
-##
-## See `Wikipedia `__ for more information
-## about the Telnet protocol.
-##
-## c: The connection.
-##
-## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts
-## get_login_state login_failure_msgs login_non_failure_msgs login_prompts
-## login_success_msgs login_timeouts set_login_state
-##
-## .. note:: The login analyzer depends on a set of script-level variables that
-## need to be configured with patterns identifying activity. This
-## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
-## the analyzer is therefore not directly usable at the moment.
-##
-## ..
todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event authentication_skipped%(c: connection%);
-
-## Generated for clients transmitting a terminal prompt in a Telnet session.
-## This information is extracted out of environment variables sent as Telnet
-## options.
-##
-## See `Wikipedia `__ for more information
-## about the Telnet protocol.
-##
-## c: The connection.
-##
-## prompt: The TTYPROMPT transmitted.
-##
-## .. bro:see:: login_confused login_confused_text login_display login_failure
-## login_input_line login_output_line login_success login_terminal
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event login_prompt%(c: connection, prompt: string%);
-
-## Generated for Telnet sessions when encryption is activated. The Telnet
-## protocol includes options for negotiating encryption. When such a series of
-## options is successfully negotiated, the event engine generates this event.
-##
-## See `Wikipedia `__ for more information
-## about the Telnet protocol.
-##
-## c: The connection.
-##
-## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped
-## login_confused login_confused_text login_display login_failure login_input_line
-## login_output_line login_prompt login_success login_terminal
-event activating_encryption%(c: connection%);
-
-## Generated for an inconsistent Telnet option. Telnet options are specified
-## by the client and server stating which options they are willing to
-## support vs.
which they are not, and then instructing one another which in
-## fact they should or should not use for the current connection. If the event
-## engine sees a peer violate either what the other peer has instructed it to
-## do, or what it itself offered in terms of options in the past, then the
-## engine generates this event.
-##
-## See `Wikipedia `__ for more information
-## about the Telnet protocol.
-##
-## c: The connection.
-##
-## .. bro:see:: bad_option bad_option_termination authentication_accepted
-## authentication_rejected authentication_skipped login_confused
-## login_confused_text login_display login_failure login_input_line
-## login_output_line login_prompt login_success login_terminal
-event inconsistent_option%(c: connection%);
-
-## Generated for an ill-formed or unrecognized Telnet option.
-##
-## See `Wikipedia `__ for more information
-## about the Telnet protocol.
-##
-## c: The connection.
-##
-## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted
-## authentication_rejected authentication_skipped login_confused
-## login_confused_text login_display login_failure login_input_line
-## login_output_line login_prompt login_success login_terminal
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event bad_option%(c: connection%);
-
-## Generated for a Telnet option that's incorrectly terminated.
-##
-## See `Wikipedia `__ for more information
-## about the Telnet protocol.
-##
-## c: The connection.
-##
-## ..
bro:see:: inconsistent_option bad_option authentication_accepted
-## authentication_rejected authentication_skipped login_confused
-## login_confused_text login_display login_failure login_input_line
-## login_output_line login_prompt login_success login_terminal
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event bad_option_termination%(c: connection%);
-
-## Generated for client side commands on an RSH connection.
-##
-## See `RFC 1258 `__ for more information
-## about the Rlogin/Rsh protocol.
-##
-## c: The connection.
-##
-## client_user: The client-side user name as sent in the initial protocol
-## handshake.
-##
-## server_user: The server-side user name as sent in the initial protocol
-## handshake.
-##
-## line: The command line sent in the request.
-##
-## new_session: True if this is the first command of the Rsh session.
-##
-## .. bro:see:: rsh_reply login_confused login_confused_text login_display
-## login_failure login_input_line login_output_line login_prompt login_success
-## login_terminal
-##
-## .. note:: For historical reasons, these events are separate from the
-## ``login_`` events. Ideally, they would all be handled uniquely.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
-
-## Generated for client side commands on an RSH connection.
-##
-## See `RFC 1258 `__ for more information
-## about the Rlogin/Rsh protocol.
-##
-## c: The connection.
-##
-## client_user: The client-side user name as sent in the initial protocol
-## handshake.
-##
-## server_user: The server-side user name as sent in the initial protocol
-## handshake.
-##
-## line: The command line sent in the request.
-##
-## .. bro:see:: rsh_request login_confused login_confused_text login_display
-## login_failure login_input_line login_output_line login_prompt login_success
-## login_terminal
-##
-## .. note:: For historical reasons, these events are separate from the
-## ``login_`` events. Ideally, they would all be handled uniquely.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
-
-## Generated for client-side FTP commands.
-##
-## See `Wikipedia `__ for
-## more information about the FTP protocol.
-##
-## c: The connection.
-##
-## command: The FTP command issued by the client (without any arguments).
-##
-## arg: The arguments going with the command.
-##
-## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
-## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
-event ftp_request%(c: connection, command: string, arg: string%);
-
-## Generated for server-side FTP replies.
-##
-## See `Wikipedia `__ for
-## more information about the FTP protocol.
-##
-## c: The connection.
-##
-## code: The numerical response code the server responded with.
-##
-## msg: The textual message of the response.
-##
-## cont_resp: True if the reply line is tagged as being continued to the next
-## line. If so, further events will be raised and a handler may want
-## to reassemble the pieces before processing the response any
-## further.
-##
-## ..
bro:see:: ftp_request fmt_ftp_port parse_eftp_port
-## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
-event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);
-
-## Generated for client-side SMTP commands.
-##
-## See `Wikipedia `__
-## for more information about the SMTP protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the sender of the command is the originator of the TCP
-## connection. Note that this is not redundant: the SMTP ``TURN`` command
-## allows client and server to flip roles on established SMTP sessions,
-## and hence a "request" might still come from the TCP-level responder.
-## In practice, however, that will rarely happen as TURN is considered
-## insecure and rarely used.
-##
-## command: The request's command, without any arguments.
-##
-## arg: The request command's arguments.
-##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
-## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
-## smtp_data smtp_reply
-##
-## .. note:: Bro does not support the newer ETRN extension yet.
-event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
-
-## Generated for server-side SMTP commands.
-##
-## See `Wikipedia `__
-## for more information about the SMTP protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the sender of the command is the originator of the TCP
-## connection. Note that this is not redundant: the SMTP ``TURN`` command
-## allows client and server to flip roles on established SMTP sessions,
-## and hence a "reply" might still come from the TCP-level originator. In
-## practice, however, that will rarely happen as TURN is considered
-## insecure and rarely used.
-##
-## code: The reply's numerical code.
-##
-## cmd: TODO.
-##
-## msg: The reply's textual description.
-##
-## cont_resp: True if the reply line is tagged as being continued to the next
-## line.
If so, further events will be raised and a handler may want to
-## reassemble the pieces before processing the response any further.
-##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
-## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
-## smtp_data smtp_request
-##
-## .. note:: Bro doesn't support the newer ETRN extension yet.
-event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
-
-## Generated for DATA transmitted on SMTP sessions. This event is raised for
-## subsequent chunks of raw data following the ``DATA`` SMTP command until the
-## corresponding end marker ``.`` is seen. A handler may want to reassemble
-## the pieces as they come in if stream-analysis is required.
-##
-## See `Wikipedia `__
-## for more information about the SMTP protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the sender of the data is the originator of the TCP
-## connection.
-##
-## data: The raw data. Note that the size of each chunk is undefined and
-## depends on specifics of the underlying TCP connection.
-##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
-## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
-## smtp_reply smtp_request skip_smtp_data
-##
-## .. note:: This event receives the unprocessed raw data. There is a separate
-## set of ``mime_*`` events that strip out the outer MIME-layer of emails and
-## provide structured access to their content.
-event smtp_data%(c: connection, is_orig: bool, data: string%);
-
-## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks
-## the state of SMTP sessions and reports commands and other activity with this
-## event that it sees even though it would not expect so at the current point
-## of the communication.
-##
-## See `Wikipedia `__
-## for more information about the SMTP protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the sender of the unexpected activity is the originator of
-## the TCP connection.
-##
-## msg: A descriptive message of what was unexpected.
-##
-## detail: The actual SMTP line triggering the event.
-##
-## .. bro:see:: smtp_data smtp_request smtp_reply
-event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%);
-
-## Generated when starting to parse an email MIME entity. MIME is a
-## protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. Bro raises this event when it
-## begins parsing a MIME entity extracted from an email protocol.
-##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
-## `Wikipedia `__ for more information
-## about MIME.
-##
-## c: The connection.
-##
-## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
-## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
-## http_begin_entity
-##
-## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
-## however, it raises :bro:id:`http_begin_entity` instead.
-event mime_begin_entity%(c: connection%);
-
-## Generated when finishing parsing an email MIME entity. MIME is a
-## protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. Bro raises this event when it
-## finished parsing a MIME entity extracted from an email protocol.
-##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
-## `Wikipedia `__ for more information
-## about MIME.
-##
-## c: The connection.
-##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
-## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
-## http_end_entity
-##
-## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
-## however, it raises :bro:id:`http_end_entity` instead.
-event mime_end_entity%(c: connection%);
-
-## Generated for individual MIME headers extracted from email MIME
-## entities. MIME is a protocol-independent data format for encoding text and
-## files, along with corresponding metadata, for transmission.
-##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
-## `Wikipedia `__ for more information
-## about MIME.
-##
-## c: The connection.
-##
-## h: The parsed MIME header.
-##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
-## mime_end_entity mime_entity_data mime_event mime_segment_data
-## http_header http_all_headers
-##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
-## however, it raises :bro:id:`http_header` instead.
-event mime_one_header%(c: connection, h: mime_header_rec%);
-
-## Generated for MIME headers extracted from email MIME entities, passing all
-## headers at once. MIME is a protocol-independent data format for encoding
-## text and files, along with corresponding metadata, for transmission.
-##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
-## `Wikipedia `__ for more information
-## about MIME.
-##
-## c: The connection.
-##
-## hlist: A *table* containing all headers extracted from the current entity.
-## The table is indexed by the position of the header (1 for the first,
-## 2 for the second, etc.).
-##
-## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
-## mime_entity_data mime_event mime_one_header mime_segment_data
-## http_header http_all_headers
-##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
-## however, it raises :bro:id:`http_header` instead.
-event mime_all_headers%(c: connection, hlist: mime_header_list%);
-
-## Generated for chunks of decoded MIME data from email MIME entities.
MIME
-## is a protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. As Bro parses the data of an
-## entity, it raises a sequence of these events, each coming as soon as a new
-## chunk of data is available. In contrast, there is also
-## :bro:id:`mime_entity_data`, which passes all of an entities data at once
-## in a single block. While the latter is more convenient to handle,
-## ``mime_segment_data`` is more efficient as Bro does not need to buffer
-## the data. Thus, if possible, this event should be preferred.
-##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
-## `Wikipedia `__ for more information
-## about MIME.
-##
-## c: The connection.
-##
-## length: The length of *data*.
-##
-## data: The raw data of one segment of the current entity.
-##
-## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
-## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
-## mime_segment_length mime_segment_overlap_length
-##
-## .. note:: Bro also extracts MIME data from HTTP sessions. For those,
-## however, it raises :bro:id:`http_entity_data` (sic!) instead.
-event mime_segment_data%(c: connection, length: count, data: string%);
-
-## Generated for data decoded from an email MIME entity. This event delivers
-## the complete content of a single MIME entity. In contrast, there is also
-## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as
-## they come in. While ``mime_entity_data`` is more convenient to handle,
-## ``mime_segment_data`` is more efficient as Bro does not need to buffer the
-## data. Thus, if possible, the latter should be preferred.
-##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
-## `Wikipedia `__ for more information
-## about MIME.
-##
-## c: The connection.
-##
-## length: The length of *data*.
-##
-## data: The raw data of the complete entity.
-##
-## ..
bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_entity_data%(c: connection, length: count, data: string%); - -## Generated for passing on all data decoded from a single email MIME -## message. If an email message has more than one MIME entity, this event -## combines all their data into a single value for analysis. Note that because -## of the potentially significant buffering necessary, using this event can be -## expensive. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## length: The length of *data*. -## -## data: The raw data of all MIME entities concatenated. -## -## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_all_data%(c: connection, length: count, data: string%); - -## Generated for errors found when decoding email MIME entities. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## event_type: A string describing the general category of the problem found -## (e.g., ``illegal format``). -## -## detail: Further more detailed description of the error. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event -## -## .. note:: Bro also extracts MIME headers from HTTP sessions. 
For those, -## however, it raises :bro:id:`http_event` instead. -event mime_event%(c: connection, event_type: string, detail: string%); - -## Generated for decoded MIME entities extracted from email messages, passing on -## their MD5 checksums. Bro computes the MD5 over the complete decoded data of -## each MIME entity. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## content_len: The length of the entity being hashed. -## -## hash_value: The MD5 hash. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_content_hash%(c: connection, content_len: count, hash_value: string%); - -## Generated for RPC request/reply *pairs*. The RPC analyzer associates request -## and reply by their transaction identifiers and raises this event once both -## have been seen. If there's not a reply, this event will still be generated -## eventually on timeout. In that case, *status* will be set to -## :bro:enum:`RPC_TIMEOUT`. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## prog: The remote program to call. -## -## ver: The version of the remote program to call. -## -## proc: The procedure of the remote program to call. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## start_time: The time when the *call* was seen. -## -## call_len: The size of the *call_body* PDU. -## -## reply_len: The size of the *reply_body* PDU. -## -## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); - -## Generated for RPC *call* messages. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## xid: The transaction identifier allowing to match requests with replies. -## -## prog: The remote program to call. -## -## ver: The version of the remote program to call. -## -## proc: The procedure of the remote program to call. -## -## call_len: The size of the *call_body* PDU. -## -## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); - -## Generated for RPC *reply* messages. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## xid: The transaction identifier allowing to match requests with replies. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## reply_len: The size of the *reply_body* PDU. -## -## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); - -## Generated for Portmapper requests of type *null*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_null%(r: connection%); - -## Generated for Portmapper request/reply dialogues of type *set*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The argument to the request. -## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request -## times out. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_set%(r: connection, m: pm_mapping, success: bool%); - -## Generated for Portmapper request/reply dialogues of type *unset*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The argument to the request. -## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request -## times out. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); - -## Generated for Portmapper request/reply dialogues of type *getport*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## pr: The argument to the request. -## -## p: The port returned by the server. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); - -## Generated for Portmapper request/reply dialogues of type *dump*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The mappings returned by the server. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_dump%(r: connection, m: pm_mappings%); - -## Generated for Portmapper request/reply dialogues of type *callit*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## call: The argument to the request. -## -## p: The port value returned by the call. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); - -## Generated for failed Portmapper requests of type *null*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_null%(r: connection, status: rpc_status%); - -## Generated for failed Portmapper requests of type *set*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## m: The argument to the original request. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); - -## Generated for failed Portmapper requests of type *unset*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## m: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); - -## Generated for failed Portmapper requests of type *getport*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. 
-## -## pr: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); - -## Generated for failed Portmapper requests of type *dump*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_dump%(r: connection, status: rpc_status%); - -## Generated for failed Portmapper requests of type *callit*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. 
-## -## call: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); - -## Generated for Portmapper requests or replies that include an invalid port -## number. Since ports are represented by unsigned 4-byte integers, they can -## stray outside the allowed range of 0--65535 by being >= 65536. If so, this -## event is generated. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## bad_p: The invalid port value. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_set -## pm_request_unset rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_bad_port%(r: connection, bad_p: count%); - -## Generated for NFSv3 request/reply dialogues of type *null*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. 
-## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_null%(c: connection, info: NFS3::info_t%); - -## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## fh: TODO. -## -## attrs: The attributes returned in the reply. The values may not be valid if -## the request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply file_mode -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); - -## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: The arguments passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *read*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: The arguments passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir -## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply -## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## fh: The file handle passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *write*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call -## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only -## NFS3::return_data_max -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *create*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. 
bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *remove*. 
The event is
-## generated once we have either seen both the request and its corresponding
-## reply, or an unanswered request has timed out.
-##
-## NFS is a service running on top of RPC. See `Wikipedia
-## `__ for more
-## information about the service.
-##
-## c: The RPC connection.
-##
-## info: Reports the status of the dialogue, along with some meta information.
-##
-## req: TODO.
-##
-## rep: The response returned in the reply. The values may not be valid if the
-## request was unsuccessful.
-##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
-## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
-## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
-## rpc_dialogue rpc_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
-
-## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is
-## generated once we have either seen both the request and its corresponding
-## reply, or an unanswered request has timed out.
-##
-## NFS is a service running on top of RPC. See `Wikipedia
-## `__ for more
-## information about the service.
-##
-## c: The RPC connection.
-##
-## info: Reports the status of the dialogue, along with some meta information.
-##
-## req: TODO.
-##
-## rep: The response returned in the reply. The values may not be valid if the
-## request was unsuccessful.
-##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
-## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
-## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call
-## rpc_dialogue rpc_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
-
-## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
-## generated once we have either seen both the request and its corresponding
-## reply, or an unanswered request has timed out.
-##
-## NFS is a service running on top of RPC. See `Wikipedia
-## `__ for more
-## information about the service.
-##
-## c: The RPC connection.
-##
-## info: Reports the status of the dialogue, along with some meta information.
-##
-## req: TODO.
-##
-## rep: The response returned in the reply. The values may not be valid if the
-## request was unsuccessful.
-##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
-## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink
-## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
-## rpc_dialogue rpc_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
-
-## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
-## analyzer does not implement.
-##
-## NFS is a service running on top of RPC. See `Wikipedia
-## `__ for more
-## information about the service.
-##
-## c: The RPC connection.
-##
-## info: Reports the status of the dialogue, along with some meta information.
-##
-## proc: The procedure called that Bro does not implement.
-##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
-## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
-## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
-
-## Generated for each NFSv3 reply message received, reporting just the
-## status included.
-##
-## n: The connection.
-##
-## info: Reports the status included in the reply.
-##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
-## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
-## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
-## rpc_dialogue rpc_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event nfs_reply_status%(n: connection, info: NFS3::info_t%);
-
-## Generated for all NTP messages. Different from many other of Bro's events,
-## this one is generated for both client-side and server-side messages.
-##
-## See `Wikipedia `__ for
-## more information about the NTP protocol.
-##
-## u: The connection record describing the corresponding UDP flow.
-##
-## msg: The parsed NTP message.
-##
-## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
-## further parse any optional fields.
-##
-## .. bro:see:: ntp_session_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
-
-## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
-## processes the NetBIOS session service running on TCP port 139, and (despite
-## its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## msg_type: The general type of message, as defined in Section 4.3.1 of
-## `RFC 1002 `__.
-##
-## data_len: The length of the message's payload.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_raw_message netbios_session_rejected netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
-
-## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
-## analyzer processes the NetBIOS session service running on TCP port 139, and
-## (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_message netbios_session_raw_message netbios_session_rejected
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_request%(c: connection, msg: string%);
-
-## Generated for NetBIOS messages of type *positive session response*. Bro's
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port
-## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_keepalive netbios_session_message
-## netbios_session_raw_message netbios_session_rejected netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_accepted%(c: connection, msg: string%);
-
-## Generated for NetBIOS messages of type *negative session response*. Bro's
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port
-## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_message netbios_session_raw_message netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_rejected%(c: connection, msg: string%);
-
-## Generated for NetBIOS messages of type *session message* that are not
-## carrying an SMB payload.
-##
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port
-## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header (i.e., the ``user_data``).
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_message netbios_session_rejected netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: This is an oddly named event. In fact, it's probably an odd event
-## to have to begin with.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
-
-## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
-## analyzer processes the NetBIOS session service running on TCP port 139, and
-## (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_message netbios_session_raw_message netbios_session_rejected
-## netbios_session_request decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: This is an oddly named event.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_ret_arg_resp%(c: connection, msg: string%);
-
-## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
-## processes the NetBIOS session service running on TCP port 139, and (despite
-## its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_message
-## netbios_session_raw_message netbios_session_rejected netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_keepalive%(c: connection, msg: string%);
-
-## Generated for all SMB/CIFS messages.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## is_orig: True if the message was sent by the originator of the underlying
-## transport-level connection.
-##
-## cmd: A string mnemonic of the SMB command code.
-##
-## body_length: The length of the SMB message body, i.e. the data starting after
-## the SMB header.
-##
-## body: The raw SMB message body, i.e., the data starting after the SMB header.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
-## smb_get_dfs_referral
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
-
-## Generated for SMB/CIFS messages of type *tree connect andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## path: The ``path`` attribute specified in the message.
-##
-## service: The ``service`` attribute specified in the message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
-
-## Generated for SMB/CIFS messages of type *tree disconnect*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *nt create andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## name: The ``name`` attribute specified in the message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
-
-## Generated for SMB/CIFS messages of type *nt transaction*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
-## smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *nt transaction 2*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
-## smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *transaction mailslot*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *transaction rap*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
-## smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *transaction pipe*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *read andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## data: Always empty.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
-
-## Generated for SMB/CIFS messages of type *read andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## data: Always empty.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_error
-## smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
-
-## Generated for SMB/CIFS messages of type *get dfs referral*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## max_referral_level: The ``max_referral_level`` attribute specified in the
-## message.
-##
-## file_name: The ``filene_name`` attribute specified in the message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
-
-## Generated for SMB/CIFS messages of type *negotiate*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
-## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
-## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
-## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *negotiate response*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## dialect_index: The ``dialect`` indicated in the message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
-## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
-## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
-## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
-
-## Generated for SMB/CIFS messages of type *setup andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *generic andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate
-## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *close*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate
-## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_close%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *logoff andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate
-## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages that indicate an error. This event is
-## triggered by an SMB header including a status that signals an error.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## cmd: The SMB command code.
-##
-## cmd_str: A string mnemonic of the SMB command code.
-##
-## data: The raw SMB message body, i.e., the data starting after the SMB header.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx
-## smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%);
-
-## Generated for all DNS messages.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## msg: The parsed DNS message header.
-##
-## len: The length of the message's raw representation (i.e., the DNS payload).
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
-## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
-
-## Generated for DNS requests. For requests with multiple queries, this event
-## is raised once for each.
-## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## query: The queried name. -## -## qtype: The queried resource record type. -## -## qclass: The queried resource record class. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); - -## Generated for DNS replies that reject a query. This event is raised if a DNS -## reply either indicates failure via its status code or does not pass on any -## answers to a query. Note that all of the event's parameters are parsed out of -## the reply; there's no stateful correlation with the query. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## query: The queried name. -## -## qtype: The queried resource record type. -## -## qclass: The queried resource record class. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); - -## Generated for DNS replies with an *ok* status code but no question section. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## query: The queried name. -## -## qtype: The queried resource record type. -## -## qclass: The queried resource record class. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected -## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_query_reply%(c: connection, msg: dns_msg, query: string, - qtype: count, qclass: count%); - -## Generated when the DNS analyzer processes what seems to be a non-DNS packet. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The raw DNS payload. -## -## .. 
note:: This event is deprecated and superseded by Bro's dynamic protocol -## detection framework. -event non_dns_request%(c: connection, msg: string%); - -## Generated for DNS replies of type *A*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## a: The address returned by the reply. -## -## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply -## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); - -## Generated for DNS replies of type *AAAA*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## a: The address returned by the reply. -## -## .. 
bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); - -## Generated for DNS replies of type *A6*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## a: The address returned by the reply. -## -## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); - -## Generated for DNS replies of type *NS*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## name: The name returned by the reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); - -## Generated for DNS replies of type *CNAME*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## name: The name returned by the reply. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); - -## Generated for DNS replies of type *PTR*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## name: The name returned by the reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); - -## Generated for DNS replies of type *CNAME*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## soa: The parsed SOA value. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%); - -## Generated for DNS replies of type *WKS*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%); - -## Generated for DNS replies of type *HINFO*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%); - -## Generated for DNS replies of type *MX*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. 
-## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## name: The name returned by the reply. -## -## preference: The preference for *name* specified by the reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%); - -## Generated for DNS replies of type *TXT*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## str: The textual information returned by the reply. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%); - -## Generated for DNS replies of type *SRV*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%); - -## Generated for DNS replies of type *EDNS*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. 
-## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The parsed EDNS reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); - -## Generated for DNS replies of type *TSIG*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The parsed TSIG reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%); - -## Generated at the end of processing a DNS packet. 
This event is the last -## ``dns_*`` event that will be raised for a DNS query/reply and signals that -## all resource records have been passed on. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_end%(c: connection, msg: dns_msg%); - -## Generated for DHCP messages of type *discover*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## req_addr: The specific address requested by the client. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). 
It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); - -## Generated for DHCP messages of type *offer*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: TODO. -## -## mask: The subnet mask specified by the message. -## -## router: The list of routers specified by the message. -## -## lease: The least interval specified by the message. -## -## serv_addr: The server address specified by the message. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); - -## Generated for DHCP messages of type *request*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## req_addr: The client address specified by the message. -## -## serv_addr: The server address specified by the message. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%); - -## Generated for DHCP messages of type *decline*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_decline%(c: connection, msg: dhcp_msg%);
-
-## Generated for DHCP messages of type *acknowledgment*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## mask: The subnet mask specified by the message.
-##
-## router: The list of routers specified by the message.
-##
-## lease: The least interval specified by the message.
-##
-## serv_addr: The server address specified by the message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
-
-## Generated for DHCP messages of type *negative acknowledgment*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_nak%(c: connection, msg: dhcp_msg%);
-
-## Generated for DHCP messages of type *release*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_release%(c: connection, msg: dhcp_msg%);
-
-## Generated for DHCP messages of type *inform*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_inform%(c: connection, msg: dhcp_msg%);
-
-## Generated when seeing an SSH client's version identification. The SSH
-## protocol starts with a clear-text handshake message that reports client and
-## server protocol/software versions. This event provides access to what the
-## client sent.
-##
-##
-## See `Wikipedia `__ for more
-## information about the SSH protocol.
-##
-## c: The connection.
-##
-## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`).
-##
-## .. bro:see:: ssh_server_version
-##
-## .. note:: As everything after the initial version handshake proceeds
-## encrypted, Bro cannot further analyze SSH sessions.
-event ssh_client_version%(c: connection, version: string%);
-
-## Generated when seeing an SSH server's version identification. The SSH
-## protocol starts with a clear-text handshake message that reports client and
-## server protocol/software versions. This event provides access to what the
-## server sent.
-##
-## See `Wikipedia `__ for more
-## information about the SSH protocol.
-##
-## c: The connection.
-##
-## version: The version string the server sent (e.g.,
-## ``SSH-1.99-OpenSSH_3.9p1``).
-##
-## .. bro:see:: ssh_client_version
-##
-## .. note:: As everything coming after the initial version handshake proceeds
-## encrypted, Bro cannot further analyze SSH sessions.
-event ssh_server_version%(c: connection, version: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
-## dce_rpc_response rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request
-## dce_rpc_response rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dce_rpc_bind%(c: connection, uuid: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_response rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dce_rpc_request%(c: connection, opnum: count, stub: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_request rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dce_rpc_response%(c: connection, opnum: count, stub: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_request dce_rpc_response rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);
-
-## Generated for NCP requests (Netware Core Protocol).
-##
-## See `Wikipedia `__ for
-## more information about the NCP protocol.
-##
-## c: The connection.
-##
-## frame_type: The frame type, as specified by the protocol.
-##
-## length: The length of the request body, excluding the frame header.
-##
-## func: The requested function, as specified by the protocol.
-##
-## .. bro:see:: ncp_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
-
-## Generated for NCP replies (Netware Core Protocol).
-##
-## See `Wikipedia `__ for
-## more information about the NCP protocol.
-##
-## c: The connection.
-##
-## frame_type: The frame type, as specified by the protocol.
-##
-## length: The length of the request body, excluding the frame header.
-##
-## req_frame: The frame type from the corresponding request.
-##
-## req_func: The function code from the corresponding request.
-##
-## completion_code: The reply's completion code, as specified by the protocol.
-##
-## .. bro:see:: ncp_request
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);
-
-## Generated for client-side commands on POP3 connections.
-##
-## See `Wikipedia `__ for more information
-## about the POP3 protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## command: The command sent.
-##
-## arg: The argument to the command.
-##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
-## pop3_terminate pop3_unexpected
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event pop3_request%(c: connection, is_orig: bool,
- command: string, arg: string%);
-
-## Generated for server-side replies to commands on POP3 connections.
-##
-## See `Wikipedia `__ for more information
-## about the POP3 protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## cmd: The success indicator sent by the server. This corresponds to the
-## first token on the line sent, and should be either ``OK`` or ``ERR``.
-##
-## msg: The textual description the server sent along with *cmd*.
-##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
-## pop3_terminate pop3_unexpected
-##
-## .. todo:: This event is receiving odd parameters, should unify.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
-
-## Generated for server-side multi-line responses on POP3 connections. POP3
-## connections use multi-line responses to send bulk data, such as the actual
-## mails. This event is generated once for each line that's part of such a
-## response.
-##
-## See `Wikipedia `__ for more information
-## about the POP3 protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the data was sent by the originator of the TCP connection.
-##
-## data: The data sent.
-##
-## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
-## pop3_terminate pop3_unexpected
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event pop3_data%(c: connection, is_orig: bool, data: string%);
-
-## Generated for errors encountered on POP3 sessions. If the POP3 analyzer
-## finds state transitions that do not conform to the protocol specification,
-## or other situations it can't handle, it raises this event.
-##
-## See `Wikipedia `__ for more information
-## about the POP3 protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the data was sent by the originator of the TCP connection.
-##
-## msg: A textual description of the situation.
-##
-## detail: The input that triggered the event.
-##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
-## pop3_terminate
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event pop3_unexpected%(c: connection, is_orig: bool,
- msg: string, detail: string%);
-
-## Generated when a POP3 connection goes encrypted. While POP3 is by default a
-## clear-text protocol, extensions exist to switch to encryption. This event is
-## generated if that happens and the analyzer then stops processing the
-## connection.
-##
-## See `Wikipedia `__ for more information
-## about the POP3 protocol.
-##
-## c: The connection.
-##
-## is_orig: Always false.
-##
-## msg: A descriptive message why processing was stopped.
-##
-## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
-## pop3_unexpected
-##
-## .. note:: Currently, only the ``STARTLS`` command is recognized and
-## triggers this.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
-
-## Generated for successful authentications on POP3 connections.
-##
-## See `Wikipedia `__ for more information
-## about the POP3 protocol.
-##
-## c: The connection.
-##
-## is_orig: Always false.
-##
-## user: The user name used for authentication. The event is only generated if
-## a non-empty user name was used.
-##
-## password: The password used for authentication.
-##
-## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request pop3_terminate
-## pop3_unexpected
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event pop3_login_success%(c: connection, is_orig: bool,
- user: string, password: string%);
-
-## Generated for unsuccessful authentications on POP3 connections.
-##
-## See `Wikipedia `__ for more information
-## about the POP3 protocol.
-##
-## c: The connection.
-##
-## is_orig: Always false.
-##
-## user: The user name attempted for authentication. The event is only
-## generated if a non-empty user name was used.
-##
-## password: The password attempted for authentication.
-##
-## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request pop3_terminate
-## pop3_unexpected
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event pop3_login_failure%(c: connection, is_orig: bool,
- user: string, password: string%);
-
-
-## Generated for all client-side IRC commands.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: Always true.
-##
-## prefix: The optional prefix coming with the command. IRC uses the prefix to
-## indicate the true origin of a message.
-##
-## command: The command.
-##
-## arguments: The arguments for the command.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-##
-## .. note:: This event is generated only for messages that originate
-## at the client-side. Commands coming in from remote trigger
-## the :bro:id:`irc_message` event instead.
-event irc_request%(c: connection, is_orig: bool, prefix: string,
- command: string, arguments: string%);
-
-## Generated for all IRC replies. IRC replies are sent in response to a
-## request and come with a reply code.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## prefix: The optional prefix coming with the reply. IRC uses the prefix to
-## indicate the true origin of a message.
-##
-## code: The reply code, as specified by the protocol.
-##
-## params: The reply's parameters.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_reply%(c: connection, is_orig: bool, prefix: string,
- code: count, params: string%);
-
-## Generated for IRC commands forwarded from the server to the client.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: Always false.
-##
-## prefix: The optional prefix coming with the command. IRC uses the prefix to
-## indicate the true origin of a message.
-##
-## command: The command.
-##
-## message: TODO.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-##
-## .. note::
-##
-## This event is generated only for messages that are forwarded by the server
-## to the client. Commands coming from client trigger the
-## :bro:id:`irc_request` event instead.
-event irc_message%(c: connection, is_orig: bool, prefix: string,
- command: string, message: string%);
-
-## Generated for IRC messages of type *quit*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## nick: The nickname coming with the message.
-##
-## message: The text included with the message.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);
-
-## Generated for IRC messages of type *privmsg*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## source: The source of the private communication.
-##
-## target: The target of the private communication.
-##
-## message: The text of communication.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
- target: string, message: string%);
-
-## Generated for IRC messages of type *notice*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## source: The source of the private communication.
-##
-## target: The target of the private communication.
-##
-## message: The text of communication.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_notice_message%(c: connection, is_orig: bool, source: string,
- target: string, message: string%);
-
-## Generated for IRC messages of type *squery*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## source: The source of the private communication.
-##
-## target: The target of the private communication.
-##
-## message: The text of communication.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_squery_message%(c: connection, is_orig: bool, source: string,
- target: string, message: string%);
-
-## Generated for IRC messages of type *join*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## info_list: The user information coming with the command.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
-## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
-## irc_notice_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);
-
-## Generated for IRC messages of type *part*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## nick: The nickname coming with the message.
-##
-## chans: The set of channels affected.
-##
-## message: The text coming with the message.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_password_message
-event irc_part_message%(c: connection, is_orig: bool, nick: string,
- chans: string_set, message: string%);
-
-## Generated for IRC messages of type *nick*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## who: The user changing its nickname.
-##
-## newnick: The new nickname.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_notice_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);
-
-## Generated when a server rejects an IRC nickname.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invite_message irc_join_message irc_kick_message
-## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
-## irc_notice_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_invalid_nick%(c: connection, is_orig: bool%);
-
-## Generated for an IRC reply of type *luserclient*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## users: The number of users as returned in the reply.
-##
-## services: The number of services as returned in the reply.
-##
-## servers: The number of servers as returned in the reply.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
-## irc_notice_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_network_info%(c: connection, is_orig: bool, users: count,
- services: count, servers: count%);
-
-## Generated for an IRC reply of type *luserme*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## users: The number of users as returned in the reply.
-##
-## services: The number of services as returned in the reply.
-##
-## servers: The number of servers as returned in the reply.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_server_info%(c: connection, is_orig: bool, users: count,
- services: count, servers: count%);
-
-## Generated for an IRC reply of type *luserchannels*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## chans: The number of channels as returned in the reply.
-##
-## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users
-## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
-## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
-## irc_notice_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
-
-## Generated for an IRC reply of type *whoreply*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## target_nick: The target nickname.
-##
-## channel: The channel.
-##
-## user: The user.
-##
-## host: The host.
-##
-## server: The server.
-##
-## nick: The nickname.
-##
-## params: The parameters.
-##
-## hops: The hop count.
-##
-## real_name: The real name.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
- channel: string, user: string, host: string,
- server: string, nick: string, params: string,
- hops: count, real_name: string%);
-
-
-## Generated for an IRC reply of type *namereply*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## c_type: The channel type.
-##
-## channel: The channel.
-##
-## users: The set of users.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message
-## irc_notice_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_names_info%(c: connection, is_orig: bool, c_type: string,
- channel: string, users: string_set%);
-
-## Generated for an IRC reply of type *whoisoperator*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## nick: The nickname specified in the reply.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
-
-## Generated for an IRC reply of type *whoischannels*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## nick: The nickname specified in the reply.
-##
-## chans: The set of channels returned.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
- chans: string_set%);
-
-## Generated for an IRC reply of type *whoisuser*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## nick: The nickname specified in the reply.
-##
-## user: The user name specified in the reply.
-##
-## host: The host name specified in the reply.
-##
-## real_name: The real name specified in the reply.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
- user: string, host: string, real_name: string%);
-
-## Generated for IRC replies of type *youreoper* and *nooperhost*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## got_oper: True if the *oper* command was executed successfully
-## (*youreport*) and false otherwise (*nooperhost*).
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_part_message
-## irc_password_message
-event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
-
-## Generated for an IRC reply of type *globalusers*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## prefix: The optional prefix coming with the command. IRC uses the prefix to
-## indicate the true origin of a message.
-##
-## msg: The message coming with the reply.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
-## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
-## irc_notice_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);
-
-## Generated for an IRC reply of type *topic*.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## channel: The channel name specified in the reply.
-##
-## topic: The topic specified in the reply.
-##
-## .. bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
-## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
-## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
-## irc_notice_message irc_oper_message irc_oper_response irc_part_message
-## irc_password_message
-event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
-
-## Generated for IRC messages of type *who*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## mask: The mask specified in the message.
-##
-## oper: True if the operator flag was set.
-##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
-## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
-## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
-## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-## irc_part_message irc_password_message
-event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
-
-## Generated for IRC messages of type *whois*. This event is generated for
-## messages coming from both the client and the server.
-##
-## See `Wikipedia `__ for more
-## information about the IRC protocol.
-##
-## c: The connection.
-##
-## is_orig: True if the command was sent by the originator of the TCP
-## connection.
-##
-## server: TODO.
-##
-## users: TODO.
-##
-## ..
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%); - -## Generated for IRC messages of type *oper*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## user: The user specified in the message. -## -## password: The password specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_response irc_part_message -## irc_password_message -event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%); - -## Generated for IRC messages of type *kick*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## chans: The channels specified in the message. -## -## users: The users specified in the message. -## -## comment: The comment specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_kick_message%(c: connection, is_orig: bool, prefix: string, - chans: string, users: string, comment: string%); - -## Generated for IRC messages of type *error*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## message: The textual description specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%); - -## Generated for IRC messages of type *invite*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## nickname: The nickname specified in the message. -## -## channel: The channel specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_invite_message%(c: connection, is_orig: bool, prefix: string, - nickname: string, channel: string%); - -## Generated for IRC messages of type *mode*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## params: The parameters coming with the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%); - -## Generated for IRC messages of type *squit*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## server: The server specified in the message. -## -## message: The textual description specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_squit_message%(c: connection, is_orig: bool, prefix: string, - server: string, message: string%); - -## Generated for IRC messages of type *dcc*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## target: The target specified in the message. -## -## dcc_type: The DCC type specified in the message. -## -## argument: The argument specified in the message. -## -## address: The address specified in the message. -## -## dest_port: The destination port specified in the message. -## -## size: The size specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_dcc_message%(c: connection, is_orig: bool, - prefix: string, target: string, - dcc_type: string, argument: string, - address: addr, dest_port: count, size: count%); - -## Generated for IRC messages of type *user*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. 
-## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## user: The user specified in the message. -## -## host: The host name specified in the message. -## -## server: The server name specified in the message. -## -## real_name: The real name specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%); - -## Generated for IRC messages of type *password*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## password: The password specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message -event irc_password_message%(c: connection, is_orig: bool, password: string%); - -## TODO. -## -event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); - ## Generated when a signature matches. Bro's signature engine provides ## high-performance pattern matching separately from the normal script ## processing. If a signature with an ``event`` action matches, this event is 
@@ -5847,35 +530,6 @@ event file_transferred%(c: connection, prefix: string, descr: string, mime_type: ## triggering the match will be passed on to the event. event signature_match%(state: signature_state, msg: string, data: string%);
-## Generated when a SOCKS request is analyzed.
-##
-## c: The parent connection of the proxy.
-##
-## version: The version of SOCKS this message used.
-##
-## request_type: The type of the request.
-##
-## sa: Address that the tunneled traffic should be sent to.
-##
-## p: The destination port for the proxied traffic.
-##
-## user: Username given for the SOCKS connection. This is not yet implemented
-## for SOCKSv5.
-event socks_request%(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string%);
-
-## Generated when a SOCKS reply is analyzed.
-##
-## c: The parent connection of the proxy.
-##
-## version: The version of SOCKS this message used.
-##
-## reply: The status reply from the server.
-##
-## sa: The address that the server sent the traffic to.
-##
-## p: The destination port for the proxied traffic.
-event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%);
-
## Generated when a protocol analyzer finds an identification of a software ## used on a system. This is a protocol-independent event that is fed by ## different analyzers. For example, the HTTP analyzer reports user-agent and
@@ -5893,7 +547,7 @@ event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Addre ## ## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found event software_version_found%(c: connection, host: addr,
- s: software, descr: string%);
+ s: software, descr: string%);
## Generated when a protocol analyzer finds an identification of a software ## used on a system but cannot parse it. This is a protocol-independent event
@@ -6004,8 +658,6 @@ event remote_event_registered%(p: event_peer, name: string%); ## remote_state_inconsistency print_hook event remote_connection_error%(p: event_peer, reason: string%);
-
-
## Generated when a remote peer sent us a capture filter. While this event is ## intended primarily for use by Bro's communication framework, it can also ## trigger additional code if helpful.
@@ -6124,7 +776,7 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## remote_event_registered remote_log remote_state_access_performed ## remote_state_inconsistency print_hook event remote_pong%(p: event_peer, seq: count,
- d1: interval, d2: interval, d3: interval%);
+ d1: interval, d2: interval, d3: interval%);
## Generated each time a remote state access has been replayed locally. This ## event is primarily intended for debugging.
@@ -6151,326 +803,6 @@ event remote_state_access_performed%(id: string, v: any%); ## .. bro:see:: profiling_interval expensive_profiling_multiple event profiling_update%(f: file, expensive: bool%);
-## Generated each time Bro's script interpreter opens a file. This event is
-## triggered only for files opened via :bro:id:`open`, and in particular not for
-## normal log files as created by log writers.
-##
-## f: The opened file.
-event file_opened%(f: file%);
-
-## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises
-## this event whenever it either receives a NetFlow header on the port it's
-## listening on, or reads one from a trace file.
-##
-## h: The parsed NetFlow header.
-##
-## .. bro:see:: netflow_v5_record
-event netflow_v5_header%(h: nf_v5_header%);
-
-## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises
-## this event whenever it either receives a NetFlow record on the port it's
-## listening on, or reads one from a trace file.
-##
-## r: The parsed NetFlow record.
-##
-## .. bro:see:: netflow_v5_record
-event netflow_v5_record%(r: nf_v5_record%);
-
-## Generated for any modbus message regardless if the particular function
-## is further supported or not.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## is_orig: True if the event is raised for the originator side.
-event modbus_message%(c: connection, headers: ModbusHeaders, is_orig: bool%);
-
-## Generated for any modbus exception message.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## code: The exception code.
-event modbus_exception%(c: connection, headers: ModbusHeaders, code: count%);
-
-## Generated for a Modbus read coils request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The memory address where of the first coil to be read.
-##
-## quantity: The number of coils to be read.
-event modbus_read_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%);
-
-## Generated for a Modbus read coils response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## coils: The coil values returned from the device.
-event modbus_read_coils_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%);
-
-## Generated for a Modbus read discrete inputs request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The memory address of the first coil to be read.
-##
-## quantity: The number of coils to be read.
-event modbus_read_discrete_inputs_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%);
-
-## Generated for a Modbus read discrete inputs response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## coils: The coil values returned from the device.
-event modbus_read_discrete_inputs_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%);
-
-## Generated for a Modbus read holding registers request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The memory address of the first register to be read.
-##
-## quantity: The number of registers to be read.
-event modbus_read_holding_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%);
-
-## Generated for a Modbus read holding registers response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## registers: The register values returned from the device.
-event modbus_read_holding_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%);
-
-## Generated for a Modbus read input registers request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The memory address of the first register to be read.
-##
-## quantity: The number of registers to be read.
-event modbus_read_input_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%);
-
-## Generated for a Modbus read input registers response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## registers: The register values returned from the device.
-event modbus_read_input_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%);
-
-## Generated for a Modbus write single coil request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## address: The memory address of the coil to be written.
-##
-## value: The value to be written to the coil.
-event modbus_write_single_coil_request%(c: connection, headers: ModbusHeaders, address: count, value: bool%);
-
-## Generated for a Modbus write single coil response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## address: The memory address of the coil that was written.
-##
-## value: The value that was written to the coil.
-event modbus_write_single_coil_response%(c: connection, headers: ModbusHeaders, address: count, value: bool%);
-
-## Generated for a Modbus write single register request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## address: The memory address of the register to be written.
-##
-## value: The value to be written to the register.
-event modbus_write_single_register_request%(c: connection, headers: ModbusHeaders, address: count, value: count%);
-
-## Generated for a Modbus write single register response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## address: The memory address of the register that was written.
-##
-## value: The value that was written to the register.
-event modbus_write_single_register_response%(c: connection, headers: ModbusHeaders, address: count, value: count%);
-
-## Generated for a Modbus write multiple coils request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The memory address of the first coil to be written.
-##
-## value: The values to be written to the coils.
-event modbus_write_multiple_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils%);
-
-## Generated for a Modbus write multiple coils response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The memory address of the first coil that was written.
-##
-## quantity: The quantity of coils that were written.
-event modbus_write_multiple_coils_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%);
-
-## Generated for a Modbus write multiple registers request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The memory address of the first register to be written.
-##
-## registers: The values to be written to the registers.
-event modbus_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters%);
-
-## Generated for a Modbus write multiple registers response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The memory address of the first register that was written.
-##
-## quantity: The quantity of registers that were written.
-event modbus_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%);
-
-## Generated for a Modbus read file record request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## .. note: This event is incomplete. The information from the data structure is not
-## yet passed through to the event.
-event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%);
-
-## Generated for a Modbus read file record response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## .. note: This event is incomplete. The information from the data structure is not
-## yet passed through to the event.
-event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%);
-
-## Generated for a Modbus write file record request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## .. note: This event is incomplete. The information from the data structure is not
-## yet passed through to the event.
-event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%);
-
-## Generated for a Modbus write file record response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## .. note: This event is incomplete. The information from the data structure is not
-## yet passed through to the event.
-event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders%);
-
-## Generated for a Modbus mask write register request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## address: The memory address of the register where the masks should be applied.
-##
-## and_mask: The value of the logical AND mask to apply to the register.
-##
-## or_mask: The value of the logical OR mask to apply to the register.
-event modbus_mask_write_register_request%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%);
-
-## Generated for a Modbus mask write register request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## address: The memory address of the register where the masks were applied.
-##
-## and_mask: The value of the logical AND mask applied register.
-##
-## or_mask: The value of the logical OR mask applied to the register.
-event modbus_mask_write_register_response%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%);
-
-## Generated for a Modbus read/write multiple registers request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## read_start_address: The memory address of the first register to be read.
-##
-## read_quantity: The number of registers to read.
-##
-## write_start_address: The memory address of the first register to be written.
-##
-## write_registers: The values to be written to the registers.
-event modbus_read_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters%);
-
-## Generated for a Modbus read/write multiple registers response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## written_registers: The register values read from the registers specified in the request.
-event modbus_read_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters%);
-
-## Generated for a Modbus read FIFO queue request.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## start_address: The address of the FIFO queue to read.
-event modbus_read_fifo_queue_request%(c: connection, headers: ModbusHeaders, start_address: count%);
-
-## Generated for a Modbus read FIFO queue response.
-##
-## c: The connection.
-##
-## headers: The headers for the modbus function.
-##
-## fifos: The register values read from the FIFO queue on the device.
-event modbus_read_fifo_queue_response%(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters%);
-
## Raised for informational messages reported via Bro's reporter framework. Such ## messages may be generated internally by the event engine and also by other ## scripts calling :bro:id:`Reporter::info`.
@@ -6536,82 +868,88 @@ event reporter_error%(t: time, msg: string, location: string%) &error_handler;
 ## recursively for each ``@load``.
 event bro_script_loaded%(path: string, level: count%);
 
-## Deprecated. Will be removed.
-event stp_create_endp%(c: connection, e: int, is_orig: bool%);
+## Generated each time Bro's script interpreter opens a file. This event is
+## triggered only for files opened via :bro:id:`open`, and in particular not for
+## normal log files as created by log writers.
+##
+## f: The opened file.
+event file_opened%(f: file%);
 
-# ##### Internal events. Not further documented.
+## Generated when an internal DNS lookup produces the same result as last time.
+## Bro keeps an internal DNS cache for host names and IP addresses it has
+## already resolved. This event is generated when a subsequent lookup returns
+## the same result as stored in the cache.
+##
+## dm: A record describing the new resolver result (which matches the old one).
+##
+## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified
+event dns_mapping_valid%(dm: dns_mapping%);
 
-## Event internal to the stepping stone detector.
-event stp_resume_endp%(e: int%);
+## Generated when an internal DNS lookup got no answer even though it had
+## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
+## addresses it has already resolved. This event is generated when a
+## subsequent lookup does not produce an answer even though we have
+## already stored a result in the cache.
+##
+## dm: A record describing the old resolver result.
+##
+## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_valid
+event dns_mapping_unverified%(dm: dns_mapping%);
 
-## Event internal to the stepping stone detector.
-event stp_correlate_pair%(e1: int, e2: int%);
+## Generated when an internal DNS lookup succeeded but an earlier attempt
+## did not. Bro keeps an internal DNS cache for host names and IP
+## addresses it has already resolved. This event is generated when a subsequent
+## lookup produces an answer for a query that was marked as failed in the cache.
+##
+## dm: A record describing the new resolver result.
+##
+## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified
+## dns_mapping_valid
+event dns_mapping_new_name%(dm: dns_mapping%);
 
-## Event internal to the stepping stone detector.
-event stp_remove_pair%(e1: int, e2: int%);
+## Generated when an internal DNS lookup returned zero answers even though it
+## had succeeded in the past. Bro keeps an internal DNS cache for host names
+## and IP addresses it has already resolved. This event is generated when
+## on a subsequent lookup we receive an answer that is empty even
+## though we have already stored a result in the cache.
+##
+## dm: A record describing the old resolver result.
+##
+## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified
+## dns_mapping_valid
+event dns_mapping_lost_name%(dm: dns_mapping%);
 
-## Event internal to the stepping stone detector.
-event stp_remove_endp%(e: int%);
-
-# ##### Deprecated events. Proposed for removal.
-
-## Deprecated. Will be removed.
-event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
-
-## Deprecated. Will be removed.
-event interconn_remove_conn%(c: connection%);
-
-## Deprecated. Will be removed.
-event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
-
-## Deprecated. Will be removed.
-event backdoor_remove_conn%(c: connection%);
-
-## Deprecated. Will be removed.
-event ssh_signature_found%(c: connection, is_orig: bool%);
-
-## Deprecated. Will be removed.
-event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
-
-## Deprecated. Will be removed.
-event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
+## Generated when an internal DNS lookup produced a different result than in
+## the past. Bro keeps an internal DNS cache for host names and IP addresses
+## it has already resolved. This event is generated when a subsequent lookup
+## returns a different answer than we have stored in the cache.
+##
+## dm: A record describing the new resolver result.
+##
+## old_addrs: Addresses that used to be part of the returned set for the query
+## described by *dm*, but are not anymore.
+##
+## new_addrs: Addresses that were not part of the returned set for the query
+## described by *dm*, but now are.
+##
+## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+## dns_mapping_valid
+event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
 
 ## Deprecated. Will be removed.
 event root_backdoor_signature_found%(c: connection%);
 
-## Deprecated. Will be removed.
-event ftp_signature_found%(c: connection%);
-
 ## Deprecated. Will be removed.
 event napster_signature_found%(c: connection%);
 
-## Deprecated. Will be removed.
-event gnutella_signature_found%(c: connection%);
-
 ## Deprecated. Will be removed.
 event kazaa_signature_found%(c: connection%);
 
-## Deprecated. Will be removed.
-event http_signature_found%(c: connection%);
-
-## Deprecated. Will be removed.
-event http_proxy_signature_found%(c: connection%);
-
-## Deprecated. Will be removed.
-event smtp_signature_found%(c: connection%);
-
-## Deprecated. Will be removed.
-event irc_signature_found%(c: connection%);
-
 ## Deprecated. Will be removed.
 event gaobot_signature_found%(c: connection%);
 
-## Deprecated. Will be removed.
-##
-## .. todo:: Unclear what this event is for; it's never raised. We should just
-## remove it.
-event dns_full_request%(%);
-
 ## Deprecated. Will be removed.
 event anonymization_mapping%(orig: addr, mapped: addr%);
 
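Review bot: The new descriptions of `dns_mapping_unverified` ("got no answer even though it had succeeded in the past") and `dns_mapping_lost_name` ("returned zero answers even though it had succeeded in the past") read as two wordings of the same condition, so a script author cannot tell which event to handle for a given resolver outcome; the intended distinction looks like "lookup failed outright" versus "lookup succeeded with an empty answer set", but that is inferred from the wording, not stated. Suggest making the trigger explicit in each opening sentence, e.g. for `dns_mapping_unverified` `## Generated when an internal DNS lookup returns no result at all (the lookup fails) for a name or address that resolved in the past.` and for `dns_mapping_lost_name` `## Generated when an internal DNS lookup succeeds but returns an empty answer set for a query that had results in the past.`, adjusted to whatever the resolver code actually does. The `.. bro:see::` cross-references are consistent across the five `dns_mapping_*` events. Since these events are the hook a script uses to notice that a cached resolution changed, an unambiguous statement of when each fires matters for anyone building alerting on them.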
diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h
index 39bb190f8c..6912023cc4 100644
--- a/src/plugin/Macros.h
+++ b/src/plugin/Macros.h
@@ -33,13 +33,13 @@
 std::list > __bif_##file##_init(); \
 AddBifInitFunction(&__bif_##file##_init);
 
-#define BRO_PLUGIN_ANALYZER(tag, factory) \
- AddComponent(new ::analyzer::Component(tag, factory));
+#define BRO_PLUGIN_ANALYZER(tag, cls) \
+ AddComponent(new ::analyzer::Component(tag, ::analyzer::cls::InstantiateAnalyzer));
+
+#define BRO_PLUGIN_ANALYZER_BARE(tag) \
+ AddComponent(new ::analyzer::Component(tag, 0));
 
 #define BRO_PLUGIN_SUPPORT_ANALYZER(tag) \
 AddComponent(new ::analyzer::Component(tag, 0));
 
-#define BRO_PLUGIN_ANALYZER_EXT(tag, factory, enabled, partial) \
- AddComponent(new ::analyzer::Component(tag, factory, 0, enabled, partial));
-
 #endif
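Review bot: `BRO_PLUGIN_ANALYZER_BARE` and `BRO_PLUGIN_SUPPORT_ANALYZER` now expand to the identical statement `AddComponent(new ::analyzer::Component(tag, 0));`, so nothing at the registration site distinguishes a bare analyzer from a support analyzer; if that distinction lives in the `Component` constructor it is not visible here, and either one macro should delegate to the other or a comment should say why both exist. The new `BRO_PLUGIN_ANALYZER` token-pastes its second argument into `::analyzer::cls::InstantiateAnalyzer`, which silently restricts callers to a class in a namespace nested under `::analyzer` that exposes a static `InstantiateAnalyzer`, and a wrong argument surfaces only as an opaque macro-expansion error; a comment above the macro along the lines of `// cls: analyzer class named relative to ::analyzer (token-pasted, so neither quoted nor fully qualified); it must provide a static InstantiateAnalyzer factory` would spare plugin authors that. The null factory literal `0` in both new macros would be clearer as `nullptr`. Removing `BRO_PLUGIN_ANALYZER_EXT` drops the only macro in this header that passed `enabled`/`partial`; any callers are outside this hunk.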