Merge remote-tracking branch 'origin/topic/vladg/bit-1671'

Nice, thanks!

BIT-1671 #merged

* origin/topic/vladg/bit-1671:
  Add descriptions for what the SMB1 events do, and references to the specification.
  Add descriptions for what the SMB2 events do, and references to the specification.
  Improve the SMB2 documentation.
  Improve the SMB1 documentation a bit. Clean it up, make it more consistent, and add references to similar events.
  Add DCE-RPC and NTLM abbreviation documentation for their events.
  Remove reference to epm_map_response in RPC documentation. Addresses BIT-1671.
  Rename events referenced in SMB1::Header documentation with new SMB analyzer. Addresses BIT-1671.

scripts/base/init-bare.bro

@@ -2519,10 +2519,18 @@ module SMB;
 
 export {
 	## MAC times for a file.
+	##
+	## For more information, see MS-SMB2:2.2.16
+	##
+	## .. bro:see:: smb1_nt_create_andx_response smb2_create_response
 	type SMB::MACTimes: record {
+		## The time when data was last written to the file.
 		modified : time &log;
+		## The time when the file was last accessed.
 		accessed : time &log;
+		## The time the file was created.
 		created  : time &log;
+		## The time when the file was last modified.
 		changed  : time &log;
 	} &log;
 }
@@ -2532,21 +2540,32 @@ module SMB1;
 export {
 	## An SMB1 header.
 	##
-	## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+	## .. bro:see:: smb1_message smb1_empty_response smb1_error
-	##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+	##    smb1_check_directory_request smb1_check_directory_response
-	##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+	##    smb1_close_request smb1_create_directory_request
-	##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+	##    smb1_create_directory_response smb1_echo_request
-	##    smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+	##    smb1_echo_response smb1_negotiate_request
-	##    smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+	##    smb1_negotiate_response smb1_nt_cancel_request
+	##    smb1_nt_create_andx_request smb1_nt_create_andx_response
+	##    smb1_open_andx_request smb1_open_andx_response
+	##    smb1_query_information_request smb1_read_andx_request
+	##    smb1_read_andx_response smb1_session_setup_andx_request
+	##    smb1_session_setup_andx_response smb1_transaction_request
+	##    smb1_transaction2_request smb1_trans2_find_first2_request
+	##    smb1_trans2_query_path_info_request
+	##    smb1_trans2_get_dfs_referral_request
+	##    smb1_tree_connect_andx_request smb1_tree_connect_andx_response
+	##    smb1_tree_disconnect smb1_write_andx_request
+	##    smb1_write_andx_response
 	type SMB1::Header : record {
-		command: count; ##< The command number
+		command : count; ##< The command number
-		status: count;  ##< The status code.
+		status  : count; ##< The status code
-		flags: count;   ##< Flag set 1.
+		flags   : count; ##< Flag set 1
-		flags2: count;  ##< Flag set 2.
+		flags2  : count; ##< Flag set 2
-		tid: count;     ##< Tree ID.
+		tid     : count; ##< Tree ID
-		pid: count;     ##< Process ID.
+		pid     : count; ##< Process ID
-		uid: count;     ##< User ID.
+		uid     : count; ##< User ID
-		mid: count;     ##< Multiplex ID.
+		mid     : count; ##< Multiplex ID
 	};
 
 	type SMB1::NegotiateRawMode: record {
@@ -2808,76 +2827,190 @@ export {
 module SMB2;
 
 export {
+	## An SMB2 header.
+	##
+	## For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2
+	##
+	## .. bro:see:: smb2_message smb2_close_request smb2_close_response
+	##    smb2_create_request smb2_create_response smb2_negotiate_request
+	##    smb2_negotiate_response smb2_read_request
+	##    smb2_session_setup_request smb2_session_setup_response
+	##    smb2_set_info_request smb2_file_rename smb2_file_delete
+	##    smb2_tree_connect_request smb2_tree_connect_response
+	##    smb2_write_request
 	type SMB2::Header: record {
-		credit_charge: count;
+		## The number of credits that this request consumes
-		status: count;
+		credit_charge : count;
-		command: count;
+		## In a request, this is an indication to the server about the client's channel
-		credits: count;
+		## change. In a response, this is the status field
-		flags: count;
+		status        : count;
-		message_id: count;
+		## The command code of the packet
-		process_id: count;
+		command       : count;
-		tree_id: count;
+		## The number of credits the client is requesting, or the number of credits
-		session_id: count;
+		## granted to the client in a response.
-		signature: string;
+		credits       : count;
+		## A flags field, which indicates how to process the operation (e.g. asynchronously)
+		flags         : count;
+		## A value that uniquely identifies the message request/response pair across all
+		## messages that are sent on the same transport protocol connection
+		message_id    : count;
+		## A value that uniquely identifies the process that generated the event.
+		process_id    : count;
+		## A value that uniquely identifies the tree connect for the command.
+		tree_id       : count;
+		## A value that uniquely identifies the established session for the command.
+		session_id    : count;
+		## The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the ``flags``
+		## field.
+		signature     : string;
 	};
 
+	## An SMB2 globally unique identifier which identifies a file.
+	##
+	## For more information, see MS-SMB2:2.2.14.1
+	##
+	## .. bro:see:: smb2_close_request smb2_create_response smb2_read_request
+	##    smb2_file_rename smb2_file_delete smb2_write_request
 	type SMB2::GUID: record {
+		## A file handle that remains persistent when reconnected after a disconnect
 		persistent: count;
+		## A file handle that can be changed when reconnected after a disconnect
 		volatile: count;
 	};
 
+	## A series of boolean flags describing basic and extended file attributes for SMB2.
+	##
+	## For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6
+	##
+	## .. bro:see:: smb2_create_response
 	type SMB2::FileAttrs: record {
+		## The file is read only. Applications can read the file but cannot
+		## write to it or delete it.
 		read_only: bool;
+		## The file is hidden. It is not to be included in an ordinary directory listing.
 		hidden: bool;
+		## The file is part of or is used exclusively by the operating system.
 		system: bool;
+		## The file is a directory.
 		directory: bool;
+		## The file has not been archived since it was last modified. Applications use
+		## this attribute to mark files for backup or removal.
 		archive: bool;
+		## The file has no other attributes set. This attribute is valid only if used alone.
 		normal: bool;
+		## The file is temporary. This is a hint to the cache manager that it does not need
+		## to flush the file to backing storage.
 		temporary: bool;
+		## A file that is a sparse file.
 		sparse_file: bool;
+		## A file or directory that has an associated reparse point.
 		reparse_point: bool;
+		## The file or directory is compressed. For a file, this means that all of the data
+		## in the file is compressed. For a directory, this means that compression is the
+		## default for newly created files and subdirectories.
 		compressed: bool;
+		## The data in this file is not available immediately. This attribute indicates that
+		## the file data is physically moved to offline storage. This attribute is used by
+		## Remote Storage, which is hierarchical storage management software.
 		offline: bool;
+		## A file or directory that is not indexed by the content indexing service.
 		not_content_indexed: bool;
+		## A file or directory that is encrypted. For a file, all data streams in the file
+		## are encrypted. For a directory, encryption is the default for newly created files
+		## and subdirectories.
 		encrypted: bool;
+		## A file or directory that is configured with integrity support. For a file, all
+		## data streams in the file have integrity support. For a directory, integrity support
+		## is the default for newly created files and subdirectories, unless the caller
+		## specifies otherwise.
 		integrity_stream: bool;
+		## A file or directory that is configured to be excluded from the data integrity scan.
 		no_scrub_data: bool;
 	};
 
+	## The response to an SMB2 *close* request, which is used by the client to close an instance
+	## of a file that was opened previously.
+	##
+	## For more information, see MS-SMB2:2.2.16
+	##
+	## .. bro:see:: smb2_close_response
 	type SMB2::CloseResponse: record {
+		## The size, in bytes of the data that is allocated to the file.
 		alloc_size : count;
+		## The size, in bytes, of the file.
 		eof        : count;
+		## The creation, last access, last write, and change times.
 		times      : SMB::MACTimes;
+		## The attributes of the file.
 		attrs      : SMB2::FileAttrs;
 	};
 
+	## The response to an SMB2 *negotiate* request, which is used by tghe client to notify the server
+	## what dialects of the SMB2 protocol the client understands.
+	##
+	## For more information, see MS-SMB2:2.2.4
+	##
+	## .. bro:see:: smb2_negotiate_response
 	type SMB2::NegotiateResponse: record {
+		## The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2
+		## NEGOTIATE Request.
 		dialect_revision  : count;
+		## The security mode field specifies whether SMB signing is enabled, required at the server, or both.
 		security_mode     : count;
+		## A globally unique identifier that is generate by the server to uniquely identify the server.
 		server_guid       : string;
+		## The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.
 		system_time       : time;
+		## The SMB2 server start time.
 		server_start_time : time;
 	};
 
+	## The request sent by the client to request a new authenticated session
+	## within a new or existing SMB 2 Protocol transport connection to the server.
+	##
+	## For more information, see MS-SMB2:2.2.5
+	##
+	## .. bro:see:: smb2_session_setup_request
 	type SMB2::SessionSetupRequest: record {
+		## The security mode field specifies whether SMB signing is enabled or required at the client.
 		security_mode: count;
 	};
 
+	## A flags field that indicates additional information about the session that's sent in the
+	## *session_setup* response.
+	##
+	## For more information, see MS-SMB2:2.2.6
+	##
+	## .. bro:see:: smb2_session_setup_response
 	type SMB2::SessionSetupFlags: record {
+		## If set, the client has been authenticated as a guest user.
 		guest: bool;
+		## If set, the client has been authenticated as an anonymous user.
 		anonymous: bool;
+		## If set, the server requires encryption of messages on this session.
 		encrypt: bool;
 	};
 
+	## The response to an SMB2 *session_setup* request, which is sent by the client to request a
+	## new authenticated session within a new or existing SMB 2 Protocol transport connection
+	## to the server.
+	##
+	## For more information, see MS-SMB2:2.2.6
+	##
+	## .. bro:see:: smb2_session_setup_response
 	type SMB2::SessionSetupResponse: record {
+		## Additional information about the session
 		flags: SMB2::SessionSetupFlags;
 	};
 
-	type SMB2::SetInfoRequest: record {
+	## The response to an SMB2 *tree_connect* request, which is sent by the client to request
-		eof: count;
+	## access to a particular share on the server.
-	};
+	##
-
+	## For more information, see MS-SMB2:2.2.9
+	##
+	## .. bro:see:: smb2_tree_connect_response
 	type SMB2::TreeConnectResponse: record {
+		## The type of share being accessed. Physical disk, named pipe, or printer.
 		share_type: count;
 	};
 }

src/analyzer/protocol/dce-rpc/events.bif

@@ -1,11 +1,12 @@
-## Generated for every DCE-RPC message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
 ##
 ## c: The connection.
 ##
 ## is_orig: True if the message was sent by the originator of the TCP connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
-##      DCE-RPC was not transported over a pipe.
+##      message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+##      not transported over a pipe.
 ##
 ## ptype_id: Numeric representation of the procedure type of the message.
 ##
@@ -14,14 +15,15 @@
 ## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
 event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType%);
 
-## Generated for every DCE-RPC bind request message. Since RPC offers the ability 
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
-## for a client to request connections to multiple endpoints, this event can occur 
+## Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur 
 ## multiple times for a single RPC message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
-##      DCE-RPC was not transported over a pipe.
+##      message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+##      not transported over a pipe.
 ##
 ## uuid: The string interpretted uuid of the endpoint being requested.
 ##
@@ -32,24 +34,26 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count
 ## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
 event dce_rpc_bind%(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count%);
 
-## Generated for every DCE-RPC bind request ack message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
-##      DCE-RPC was not transported over a pipe.
+##      message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+##      not transported over a pipe.
 ##
 ## sec_addr: Secondary address for the ack.
 ##
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
 event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
 
-## Generated for every DCE-RPC request message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
-##      DCE-RPC was not transported over a pipe.
+##      message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+##      not transported over a pipe.
 ##
 ## opnum: Number of the RPC operation.
 ##
@@ -58,12 +62,13 @@ event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
 event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%);
 
-## Generated for every DCE-RPC response message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
-##      DCE-RPC was not transported over a pipe.
+##      message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+##      not transported over a pipe.
 ##
 ## opnum: Number of the RPC operation.
 ##
@@ -71,4 +76,3 @@ event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%
 ##
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
 event dce_rpc_response%(c: connection, fid: count, opnum: count, stub_len: count%);
-

src/analyzer/protocol/ntlm/events.bif

@@ -1,23 +1,26 @@
-## Generated for NTLM messages of type *negotiate*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
 ##
 ## c: The connection.
 ##
-## negotiate: The parsed data of the NTLM message. See init-bare for more details.
+## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_challenge ntlm_authenticate
 event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%);
 
-## Generated for NTLM messages of type *challenge*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
 ##
 ## c: The connection.
 ##
-## negotiate: The parsed data of the NTLM message. See init-bare for more details.
+## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_negotiate ntlm_authenticate
 event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);
 
-## Generated for NTLM messages of type *authenticate*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
 ##
 ## c: The connection.
 ##
-## request: The parsed data of the NTLM message. See init-bare for more details.
+## request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_negotiate ntlm_challenge
 event ntlm_authenticate%(c: connection, request: NTLM::Authenticate%);

src/analyzer/protocol/rpc/events.bif

@@ -351,10 +351,10 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 ##
 ## r: The RPC connection.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_set pm_request_unset pm_request_getport
-##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
-##    pm_request_dump pm_request_getport  pm_request_set pm_request_unset rpc_call
+##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
-##    rpc_dialogue rpc_reply
+##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -376,10 +376,10 @@ event pm_request_null%(r: connection%);
 ##          reply. If no reply was seen, this will be false once the request
 ##          times out.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_unset pm_request_getport
-##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
-##    pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call
+##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
-##    rpc_dialogue rpc_reply
+##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -401,10 +401,10 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 ##          reply. If no reply was seen, this will be false once the request
 ##          times out.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_set pm_request_getport
-##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
-##    pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call
+##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
-##    rpc_dialogue rpc_reply
+##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -424,10 +424,10 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 ##
 ## p: The port returned by the server.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
-##    pm_request_dump  pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
-##    rpc_dialogue rpc_reply
+##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -445,9 +445,10 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
 ##
 ## m: The mappings returned by the server.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
+##    pm_request_getport pm_request_callit pm_attempt_null
-##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_set pm_attempt_unset pm_attempt_getport
+##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -468,9 +469,10 @@ event pm_request_dump%(r: connection, m: pm_mappings%);
 ##
 ## p: The port value returned by the call.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump
+##    pm_request_getport pm_request_dump pm_attempt_null
-##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_set pm_attempt_unset pm_attempt_getport
+##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -490,9 +492,10 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
 ## status: The status of the reply, which should be one of the index values of
 ##         :bro:id:`RPC_status`.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_dump pm_request_callit
-##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_set pm_attempt_unset pm_attempt_getport
+##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -514,9 +517,10 @@ event pm_attempt_null%(r: connection, status: rpc_status%);
 ##
 ## m: The argument to the original request.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_null  pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_dump pm_request_callit
-##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_null pm_attempt_unset pm_attempt_getport
+##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -538,9 +542,10 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
 ##
 ## m: The argument to the original request.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_null pm_attempt_set  pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_dump pm_request_callit
-##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_null pm_attempt_set pm_attempt_getport
+##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -562,10 +567,10 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
 ##
 ## pr: The argument to the original request.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_dump pm_request_callit
-##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
-##    rpc_dialogue rpc_reply
+##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@@ -584,9 +589,10 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request
 ## status: The status of the reply, which should be one of the index values of
 ##         :bro:id:`RPC_status`.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit  pm_attempt_getport pm_attempt_null
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_dump pm_request_callit
-##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_null pm_attempt_set pm_attempt_unset
+##    pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -608,9 +614,10 @@ event pm_attempt_dump%(r: connection, status: rpc_status%);
 ##
 ## call: The argument to the original request.
 ##
-## .. bro:see:: epm_map_response  pm_attempt_dump pm_attempt_getport pm_attempt_null
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+##    pm_request_getport pm_request_dump pm_request_callit
-##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+##    pm_attempt_null pm_attempt_set pm_attempt_unset
+##    pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -632,10 +639,11 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ
 ##
 ## bad_p: The invalid port value.
 ##
-## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## .. bro:see:: pm_request_null pm_request_set pm_request_unset
-##    pm_attempt_null pm_attempt_set pm_attempt_unset  pm_request_callit
+##    pm_request_getport pm_request_dump pm_request_callit
-##    pm_request_dump pm_request_getport pm_request_null pm_request_set
+##    pm_attempt_null pm_attempt_set pm_attempt_unset
-##    pm_request_unset rpc_call rpc_dialogue rpc_reply
+##    pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
+##    rpc_dialogue rpc_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet

src/analyzer/protocol/smb/smb1_com_check_directory.bif

@@ -1,15 +1,27 @@
-## Generated for SMB/CIFS requests of type *check directory*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *check directory*. This is used by the client to verify that
+## a specified path resolves to a valid directory on the server.
+##
+## For more information, see MS-CIFS:2.2.4.17
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## directory_name: The directory name to check for existence.
+##
+## .. bro:see:: smb1_message smb1_check_directory_response
 event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
 
-## Generated for SMB/CIFS responses of type *check directory*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *check directory*. This is the server response to the
+## *check directory* request.
+##
+## For more information, see MS-CIFS:2.2.4.17
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## .. bro:see:: smb1_message smb1_check_directory_request
 event smb1_check_directory_response%(c: connection, hdr: SMB1::Header%);

src/analyzer/protocol/smb/smb1_com_close.bif

@@ -1,13 +1,15 @@
-## Generated for SMB/CIFS request messages of type *close*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *close*. This is used by the client to close an instance of an object
+## associated with a valid file ID.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.5
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_id: The file identifier being closed.
+##
+## .. bro:see:: smb1_message
 event smb1_close_request%(c: connection, hdr: SMB1::Header, file_id: count%);
 

src/analyzer/protocol/smb/smb1_com_create_directory.bif

@@ -1,19 +1,29 @@
-## Generated for SMB/CIFS requests of type *create directory*.  This is also
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## a deprecated command which has been replaced by the trans2_create_directory 
+## version 1 requests of type *create directory*. This is a deprecated command which
-## subcommand.
+## has been replaced by the *trans2_create_directory* subcommand. This is used by the client to
+## create a new directory on the server, relative to a connected share.
+##
+## For more information, see MS-CIFS:2.2.4.1
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## directory_name: The name of the directory to create.
+##
+## .. bro:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
 event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
 
-## Generated for SMB/CIFS responses of type *create directory*.  This is also
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-## a deprecated command which has been replaced by the trans2_create_directory 
+## version 1 responses of type *create directory*. This is a deprecated command which
-## subcommand.
+## has been replaced by the *trans2_create_directory* subcommand. This is the server response
+## to the *create directory* request.
+##
+## For more information, see MS-CIFS:2.2.4.1
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## .. bro:see:: smb1_message smb1_create_directory_request smb1_transaction2_request
 event smb1_create_directory_response%(c: connection, hdr: SMB1::Header%);

src/analyzer/protocol/smb/smb1_com_echo.bif

@@ -1,21 +1,32 @@
-## Generated for SMB/CIFS requests of type *echo*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *echo*. This is sent by the client to test the transport layer
+## connection with the server.
+##
+## For more information, see MS-CIFS:2.2.4.39
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## echo_count: The number of times the server should echo the data back.
 ## 
 ## data: The data for the server to echo.
+##
+## .. bro:see:: smb1_message smb1_echo_response
 event smb1_echo_request%(c: connection, echo_count: count, data: string%);
 
-## Generated for SMB/CIFS responses of type *negotiate*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *echo*. This is the server response to the *echo* request.
+##
+## For more information, see MS-CIFS:2.2.4.39
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## seq_num: The sequence number of this echo reply.
 ## 
 ## data: The data echoed back from the client.
+##
+## .. bro:see:: smb1_message smb1_echo_request
 event smb1_echo_response%(c: connection, seq_num: count, data: string%);

src/analyzer/protocol/smb/smb1_com_logoff_andx.bif

@@ -1,11 +1,15 @@
-## Generated for SMB/CIFS messages of type *logoff andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *logoff andx*. This is used by the client to logoff the user
+## connection represented by UID in the SMB Header. The server releases all locks and closes
+## all files currently open by this user, disconnects all tree connects, cancels any outstanding
+## requests for this UID, and invalidates the UID.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.54
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## is_orig: Indicates which host sent the logoff message..
+## is_orig: Indicates which host sent the logoff message.
+##
+## .. bro:see:: smb1_message
 event smb1_logoff_andx%(c: connection, is_orig: bool%);
 

src/analyzer/protocol/smb/smb1_com_negotiate.bif

@@ -1,19 +1,32 @@
-## Generated for SMB/CIFS messages of type *negotiate*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *negotiate*. This is sent by the client to initiate an SMB
+## connection between the client and the server. A *negotiate* exchange MUST be completed
+## before any other SMB messages are sent to the server.
+##
+## For more information, see MS-CIFS:2.2.4.52
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## dialects: The SMB dialects supported by the client.
+##
+## .. bro:see:: smb1_message smb1_negotiate_response
 event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string_vec%);
 
-## Generated for SMB/CIFS responses of type *negotiate*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *negotiate*. This is the server response to the *negotiate*
+## request.
+##
+## For more information, see MS-CIFS:2.2.4.52
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## response: A record structure containing more information from the response.
+##
+## .. bro:see:: smb1_message smb1_negotiate_request
 event smb1_negotiate_response%(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse%);
 
 #### Types

src/analyzer/protocol/smb/smb1_com_nt_cancel.bif

@@ -1,6 +1,12 @@
-## Generated for SMB/CIFS requests of type *nt cancel*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *nt cancel*. This is sent by the client to request that a currently
+## pending request be cancelled.
+##
+## For more information, see MS-CIFS:2.2.4.65
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## .. bro:see:: smb1_message
 event smb1_nt_cancel_request%(c: connection, hdr: SMB1::Header%);

src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif

@@ -1,23 +1,36 @@
-## Generated for SMB/CIFS requests of type *nt create andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *nt create andx*. This is sent by the client to create and open
+## a new file, or to open an existing file, or to open and truncate an existing file to zero
+## length, or to create a directory, or to create a connection to a named pipe.
+##
+## For more information, see MS-CIFS:2.2.4.64
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## name: The ``name`` attribute  specified in the message.
+##
+## .. bro:see:: smb1_message smb1_nt_create_andx_response
 event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name: string%);
 
-## Generated for SMB/CIFS responses of type *nt create andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *nt create andx*. This is the server response to the
+## *nt create andx* request.
+##
+## For more information, see MS-CIFS:2.2.4.64
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_id: The SMB2 GUID for the file.
 ##
 ## file_size: Size of the file.
 ##
 ## times: Timestamps associated with the file in question.
+##
+## .. bro:see:: smb1_message smb1_nt_create_andx_request
 event smb1_nt_create_andx_response%(c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes%);
 
 

src/analyzer/protocol/smb/smb1_com_open_andx.bif

@@ -1,12 +1,12 @@
-## Generated for SMB/CIFS request messages of type *open andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *open andx*. This is sent by the client to create and open a new
+## file or open an existing regular file and chain additional messages along with the request.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.41
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## flags: Flags requesting attribute data and locking.
 ##
@@ -21,18 +21,21 @@
 ## open_mode: The way a file s 
 ##
 ## length: The number of bytes being requested.
+##
+## .. bro:see:: smb1_message smb1_open_andx_response
 event smb1_open_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%);
 
-## Generated for SMB/CIFS response messages of type *open andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *open andx*. This is the server response to the *open andx* request.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.41
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## data_len: The length of data from the requested file.
+##
+## .. bro:see:: smb1_message smb1_open_andx_request
 event smb1_open_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%);
 

src/analyzer/protocol/smb/smb1_com_query_information.bif

@@ -1,9 +1,16 @@
-## Generated for SMB/CIFS request messages of type *query information*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *query information*. This is a deprecated command which
+## has been replaced by the *trans2_query_path_information* subcommand. This is used by the
+## client to obtain attribute information about a file.
+##
+## For more information, see MS-CIFS:2.2.4.9
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## filename: The filename that the client is querying.
+##
+## .. bro:see:: smb1_message smb1_transaction2_request
 event smb1_query_information_request%(c: connection, hdr: SMB1::Header, filename: string%);
 

src/analyzer/protocol/smb/smb1_com_read_andx.bif

@@ -1,30 +1,34 @@
-## Generated for SMB/CIFS request messages of type *read andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *read andx*. This is sent by the client to read bytes from a regular
+## file, a named pipe, or a directly accessible device such as a serial port (COM) or printer
+## port (LPT).
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.42
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_id: The file identifier being written to.
 ##
 ## offset: The byte offset the requested read begins at.
 ##
 ## length: The number of bytes being requested.
+##
+## .. bro:see:: smb1_message smb1_read_andx_response
 event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%);
 
-## Generated for SMB/CIFS response messages of type *read andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *read andx*. This is the server response to the *read andx* request.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.42
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## data_len: The length of data from the requested file.
+##
+## .. bro:see:: smb1_message smb1_read_andx_request
 event smb1_read_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%);
 

src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif

@@ -1,29 +1,29 @@
-## Generated for SMB/CIFS requests of type *setup andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *setup andx*. This is sent by the client to configure an SMB session.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.53
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## request: The parsed request data of the SMB message. See init-bare for more details.
 ##
+## .. bro:see:: smb1_message smb1_session_setup_andx_response
 event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest%);
 
-## Generated for SMB/CIFS responses of type *setup andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *setup andx*. This is the server response to the *setup andx* request.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.53
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## response: The parsed response data of the SMB message. See init-bare for more details.
 ##
+## .. bro:see:: smb1_message smb1_session_setup_andx_request
 event smb1_session_setup_andx_response%(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse%);
 
 #### Types

src/analyzer/protocol/smb/smb1_com_transaction.bif

@@ -1,11 +1,18 @@
-## Generated for SMB/CIFS requests of type *transaction*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction*. This command serves as the transport for the
+## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system.
+##
+## For more information, see MS-CIFS:2.2.4.33
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## name: A name string that MAY identify the resource (a specific Mailslot or Named Pipe) 
 ##       against which the operation is performed.
 ##
 ## sub_cmd: The sub command, some may be parsed and have their own events.
+##
+## .. bro:see:: smb1_message smb1_transaction2_request
 event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%);

src/analyzer/protocol/smb/smb1_com_transaction2.bif

@@ -1,73 +1,93 @@
 ### Requests
-
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-
+## version 1 requests of type *transaction2*. This command serves as the transport for the
-## Generated for SMB/CIFS requests of type *transaction2*.
+## Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes,
+## which are interprocess communication endpoints within the CIFS file system. Compared to the
+## Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended
+## Attribute key/value pairs, make use of long file names (longer than the original 8.3 format
+## names), and perform directory searches, among other tasks.
+##
+## For more information, see MS-CIFS:2.2.4.46
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## sub_cmd: The sub command, some are parsed and have their own events.
+##
+## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
+##    smb1_trans2_get_dfs_referral_request smb1_transaction_request
 event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
 
-## Generated for SMB/CIFS transaction2 requests of type *find first2*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
+## a search for file(s) within a directory or for a directory
+##
+## For more information, see MS-CIFS:2.2.6.2
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## args: A record data structure with arguments given to the command.
+##
+## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
+##    smb1_trans2_get_dfs_referral_request
 event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args%);
 
-# TODO - Implementation
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-# event smb1_trans2_fs_info_request%(c: connection, hdr: SMB1::Header, ??? %);
+## version 1 *transaction2* requests of subtype *query path info*. This transaction is used to
-
+## get information about a specific file or directory.
-## Generated for SMB/CIFS transaction2 requests of type *query path info*.
+##
+## For more information, see MS-CIFS:2.2.6.6
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_name: File name the request is in reference to. 
+##
+## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+##    smb1_trans2_get_dfs_referral_request
 event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, file_name: string%);
 
-# TODO - Implementation
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
-# event smb1_trans2_query_file_info_request%(c: connection, hdr: SMB1::Header, file_id: count, information_level: count%);
+## version 1 *transaction2* requests of subtype *get DFS referral*. This transaction is used
-
+## to request a referral for a disk object in DFS.
-# TODO - Implementation
+##
-# event smb1_trans2_set_file_info_request(c: connection, hdr: SMB1::Header, ??? %);
+## For more information, see MS-CIFS:2.2.6.16
-
-## Generated for SMB/CIFS transaction2 requests of type *get DFS referral*.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## file_name: File name the request is in reference to.
+##
+## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+##    smb1_trans2_query_path_info_request
 event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, file_name: string%);
 
-
+# TODO - This is implemented, but not being generated right now
-### Responses
+# event smb1_transaction2_response%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
 
 # TODO - Implementation
-event smb1_transaction2_response%(c: connection, hdr: SMB1::Header, sub_cmd: count%);
 
-# TODO - Implementation
+# event smb1_trans2_fs_info_request%(c: connection, hdr: SMB1::Header, ??? %);
+
+# event smb1_trans2_query_file_info_request%(c: connection, hdr: SMB1::Header, file_id: count, information_level: count%);
+
+# event smb1_trans2_set_file_info_request(c: connection, hdr: SMB1::Header, ??? %);
+
 # event smb1_trans2_find_first2_response%(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Response_Args%);
 
-# TODO - Implementation
 # event smb1_trans2_fs_info_response%(c: connection, hdr: SMB1::Header, ??? %);
 
-# TODO - Implementation
 # event smb1_trans2_query_path_info_response%(c: connection, hdr: SMB1::Header, ??? %);
 
-# TODO - Implementation
 # event smb1_trans2_query_file_info_response%(c: connection, hdr: SMB1::Header, ??? %);
 
-# TODO - Implementation
 # event smb1_trans2_set_file_info_response%(c: connection, hdr: SMB1::Header, ??? %);
 
-# TODO - Implementation
 # event smb1_trans2_get_dfs_referral_response%(c: connection, hdr: SMB1::Header, ??? %);
 
 

src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif

@@ -1,30 +1,34 @@
-## Generated for SMB/CIFS requests of type *tree connect andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *tree connect andx*. This is sent by the client to establish a
+## connection to a server share.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.55
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## path: The ``path`` attribute specified in the message.
 ##
 ## service: The ``service`` attribute specified in the message.
+##
+## .. bro:see:: smb1_message smb1_tree_connect_andx_response
 event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: string, service: string%);
 
-## Generated for SMB/CIFS responses of type *tree connect andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *tree connect andx*. This is the server reply to the *tree connect andx*
+## request.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.55
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## service: The ``service`` attribute specified in the message.
 ##
 ## native_file_system: The file system of the remote server as indicate by the server.
+##
+## .. bro:see:: smb1_message smb1_tree_connect_andx_request
 event smb1_tree_connect_andx_response%(c: connection, hdr: SMB1::Header, service: string, native_file_system: string%);
 

src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif

@@ -1,13 +1,15 @@
-## Generated for SMB/CIFS messages of type *tree disconnect*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *tree disconnect*. This is sent by the client to logically disconnect
+## client access to a server resource.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.51
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: A record representing the SMB1 header.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## is_orig: True if the message was from the originator.
+##
+## .. bro:see:: smb1_message
 event smb1_tree_disconnect%(c: connection, hdr: SMB1::Header, is_orig: bool%);
 

src/analyzer/protocol/smb/smb1_com_write_andx.bif

@@ -1,27 +1,32 @@
-## Generated for SMB/CIFS request messages of type *write andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *write andx*. This is sent by the client to write bytes to a
+## regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM)
+## or printer port (LPT).
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.43
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## offset: The byte offset into the referenced file data is being written.
 ##
 ## data: The data being written.
+##
+## .. bro:see:: smb1_message smb1_write_andx_response
 event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count%);
 
-## Generated for SMB/CIFS response messages of type *write andx*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 responses of type *write andx*. This is the server response to the *write andx*
+## request.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## For more information, see MS-CIFS:2.2.4.43
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## written_bytes: The number of bytes the server reported having actually written.
+##
+## .. bro:see:: smb1_message smb1_write_andx_request
 event smb1_write_andx_response%(c: connection, hdr: SMB1::Header, written_bytes: count%);

src/analyzer/protocol/smb/smb1_events.bif

@@ -1,32 +1,42 @@
-## Generated for all SMB/CIFS messages.
+## Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1
+## messages.
 ##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
+## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
+## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
 ## is_orig: True if the message was sent by the originator of the underlying
 ##          transport-level connection.
+##
+## .. bro:see:: smb2_message
 event smb1_message%(c: connection, hdr: SMB1::Header, is_orig: bool%);
 
-## Generated when there is an SMB response with no message body.
+## Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
+##
+## .. bro:see:: smb1_message
 event smb1_empty_response%(c: connection, hdr: SMB1::Header%);
 
-## Generated for SMB/CIFS messages that indicate an error. This event is
+## Generated for :abbr:`SMB (Server Message Block)` version 1 messages
-## triggered by an SMB header including a status that signals an error.
+## that indicate an error. This event is triggered by an :abbr:`SMB (Server Message Block)` header
+## including a status that signals an error.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
 ##
 ## is_orig: True if the message was sent by the originator of the underlying
 ##          transport-level connection.
+##
+## .. bro:see:: smb1_message
 event smb1_error%(c: connection, hdr: SMB1::Header, is_orig: bool%);
 

src/analyzer/protocol/smb/smb2_com_close.bif

@@ -1,19 +1,31 @@
-## Generated for SMB2 request messages of type *close*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *close*. This is used by the client to close an instance of a
+## file that was opened previously with a successful SMB2 CREATE Request.
+##
+## For more information, see MS-SMB2:2.2.15
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## file_name: The SMB2 GUID of the file being closed.
+##
+## .. bro:see:: smb2_message smb2_close_response
 event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID%);
 
-## Generated for SMB2 response messages of type *close*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 responses of type *close*. This is sent by the server to indicate that an SMB2 CLOSE
+## request was processed successfully.
+##
+## For more information, see MS-SMB2:2.2.16
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## response: A record of attributes returned from the server from the close.
+##
+## .. bro:see:: smb2_message smb2_close_request
 event smb2_close_response%(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse%);
 
 

src/analyzer/protocol/smb/smb2_com_create.bif

@@ -1,17 +1,27 @@
-## Generated for SMB2 request messages of type *create*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *create*. This is sent by the client to request either creation
+## of or access to a file.
+##
+## For more information, see MS-SMB2:2.2.13
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## file_name: The name of the file being requested.
+##
+## .. bro:see:: smb2_message smb2_create_response
 event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%);
 
-## Generated for SMB2 response messages of type *create*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 responses of type *create*. This is sent by the server to notify the client of
+## the status of its SMB2 CREATE request.
+##
+## For more information, see MS-SMB2:2.2.14
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## file_id: The SMB2 GUID for the file.
 ##
@@ -20,4 +30,6 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%)
 ## times: Timestamps associated with the file in question.
 ##
 ## attrs: File attributes.
+##
+## .. bro:see:: smb2_message smb2_create_request
 event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%);

src/analyzer/protocol/smb/smb2_com_ioctl.bif

@@ -1 +1 @@
-# Emoty.
+# Empty.

src/analyzer/protocol/smb/smb2_com_negotiate.bif

@@ -1,19 +1,31 @@
-## Generated for SMB2 messages of type *negotiate*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *negotiate*. This is used by the client to notify the server what
+## dialects of the SMB2 Protocol the client understands.
+##
+## For more information, see MS-SMB2:2.2.3
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## dialects: A vector of the client's supported dialects.
+##
+## .. bro:see:: smb2_message smb2_negotiate_response
 event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_vec%);
 
-## Generated for SMB2 messages of type *negotiate response*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 responses of type *negotiate*. This is sent by the server to notify the client of
+## the preferred common dialect.
+##
+## For more information, see MS-SMB2:2.2.4
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## response: The negotiate response data structure.
+##
+## .. bro:see:: smb2_message smb2_negotiate_request
 event smb2_negotiate_response%(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse%);
 
 #### Types

src/analyzer/protocol/smb/smb2_com_read.bif

@@ -1,12 +1,18 @@
-## Generated for SMB2 request messages of type *read*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *read*. This is sent by the client to request a read operation on
+## the specified file.
+##
+## For more information, see MS-SMB2:2.2.19
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## file_id: The GUID being used for the file.
 ##
 ## offset: How far into the file this read should be taking place.
 ##
 ## length: The number of bytes of the file being read.
+##
+## .. bro:see:: smb2_message
 event smb2_read_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%);

src/analyzer/protocol/smb/smb2_com_session_setup.bif

@@ -1,19 +1,32 @@
-## Generated for SMB2 request messages of type *session_setup*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *session_setup*. This is sent by the client to request a new
+## authenticated session within a new or existing SMB 2 Protocol transport connection to the
+## server.
+##
+## For more information, see MS-SMB2:2.2.5
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## request: A record containing more information related to the request.
+##
+## .. bro:see:: smb2_message smb2_session_setup_response
 event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest%);
 
-## Generated for SMB2 response messages of type *session_setup*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 responses of type *session_setup*. This is sent by the server in response to a
+## *session_setup* request.
+##
+## For more information, see MS-SMB2:2.2.6
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## response: A record containing more information related to the response.
+##
+## .. bro:see:: smb2_message smb2_session_setup_request
 event smb2_session_setup_response%(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse%);
 
 #### Types

src/analyzer/protocol/smb/smb2_com_set_info.bif

@@ -1,31 +1,46 @@
-## Generated for SMB2 request messages of type *set_info*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *rename* subtype.
+##
+## For more information, see MS-SMB2:2.2.39
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
-##
-## request: A record containing more information related to the request.
-event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%);
-
-type SMB2::SetInfoRequest: record;
-
-## Generated for SMB2 SetInfo File request messages of the rename subtype.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB2 message.
 ##
 ## file_id: A GUID to identify the file.
 ##
 ## dst_filename: The filename to rename the file into.
+##
+## .. bro:see:: smb2_message smb2_set_info_request smb2_file_delete
 event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%);
 
-## Generated for SMB2 SetInfo File request messages of the disposition (delete) subtype.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *delete* subtype.
+##
+## For more information, see MS-SMB2:2.2.39
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## delete_pending: A boolean value to indicate that a file should be deleted 
 ##                 when it's closed if set to T.
+##
+## .. bro:see:: smb2_message smb2_set_info_request smb2_file_rename
 event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
+
+# TODO - Not implemented
+
+# Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+# version 2 requests of type *set_info*.
+#
+# c: The connection.
+#
+# hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+#
+# request: A record containing more information related to the request.
+#
+# .. bro:see:: smb2_message smb2_file_rename smb2_file_delete
+# event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%);
+#
+# type SMB2::SetInfoRequest: record;

src/analyzer/protocol/smb/smb2_com_tree_connect.bif

@@ -1,19 +1,31 @@
-## Generated for SMB2 request messages of type *tree_connect*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *tree_connect*. This is sent by a client to request access to a
+## particular share on the server.
+##
+## For more information, see MS-SMB2:2.2.9
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## path: Path of the requested tree.
+##
+## .. bro:see:: smb2_message smb2_tree_connect_response
 event smb2_tree_connect_request%(c: connection, hdr: SMB2::Header, path: string%);
 
-## Generated for SMB2 response messages of type *tree_connect*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 responses of type *tree_connect*. This is sent by the server when a *tree_connect*
+## request is successfully processed by the server.
+##
+## For more information, see MS-SMB2:2.2.10
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## response: A record with more information related to the response.
+##
+## .. bro:see:: smb2_message smb2_tree_connect_request
 event smb2_tree_connect_response%(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse%);
 
 type SMB2::TreeConnectResponse: record;

src/analyzer/protocol/smb/smb2_com_write.bif

@@ -1,12 +1,18 @@
-## Generated for SMB2 request messages of type *write*.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *write*. This is sent by the client to write data to the file or
+## named pipe on the server.
+##
+## For more information, see MS-SMB2:2.2.21
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## file_id: The GUID being used for the file.
 ##
 ## offset: How far into the file this write should be taking place.
 ##
 ## length: The number of bytes of the file being written.
+##
+## .. bro:see:: smb2_message
 event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%);

src/analyzer/protocol/smb/smb2_events.bif

@@ -1,12 +1,17 @@
-## Generated for all SMB2 messages.
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
+## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
+## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
-## hdr: The parsed header of the SMB2 message.
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
 ## is_orig: True if the message came from the originator side.
+##
+## .. bro:see:: smb1_message
 event smb2_message%(c: connection, hdr: SMB2::Header, is_orig: bool%);
-
-
-
-

src/plugin/Manager.cc

@@ -238,6 +238,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_
 
 			current_plugin->SetDynamic(true);
 			current_plugin->DoConfigure();
+			DBG_LOG(DBG_PLUGINS, "  InitialzingComponents");
 			current_plugin->InitializeComponents();
 
 			if ( current_plugin->APIVersion() != BRO_PLUGIN_API_VERSION )