Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Remove broxygen Sphinx integration

Browse source 
The broxygen-generated files now live in the git repo, have tests
that check that they are up-to-date, and a script to re-generate
them on-demand.
This commit is contained in:
Jon Siwek 2018-12-17 16:25:41 -06:00
parent 9e5e9d04b7
commit 7e9d48f532
549 changed files with 89909 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

14
doc/scripts/base/bif/__load__.bro.rst Normal file
View file

@ -0,0 +1,14 @@
:tocdepth: 3
base/bif/__load__.bro
=====================
:Imports: :doc:`base/bif/analyzer.bif.bro </scripts/base/bif/analyzer.bif.bro>`, :doc:`base/bif/bloom-filter.bif.bro </scripts/base/bif/bloom-filter.bif.bro>`, :doc:`base/bif/bro.bif.bro </scripts/base/bif/bro.bif.bro>`, :doc:`base/bif/broxygen.bif.bro </scripts/base/bif/broxygen.bif.bro>`, :doc:`base/bif/cardinality-counter.bif.bro </scripts/base/bif/cardinality-counter.bif.bro>`, :doc:`base/bif/comm.bif.bro </scripts/base/bif/comm.bif.bro>`, :doc:`base/bif/const.bif.bro </scripts/base/bif/const.bif.bro>`, :doc:`base/bif/data.bif.bro </scripts/base/bif/data.bif.bro>`, :doc:`base/bif/event.bif.bro </scripts/base/bif/event.bif.bro>`, :doc:`base/bif/file_analysis.bif.bro </scripts/base/bif/file_analysis.bif.bro>`, :doc:`base/bif/input.bif.bro </scripts/base/bif/input.bif.bro>`, :doc:`base/bif/logging.bif.bro </scripts/base/bif/logging.bif.bro>`, :doc:`base/bif/messaging.bif.bro </scripts/base/bif/messaging.bif.bro>`, :doc:`base/bif/option.bif.bro </scripts/base/bif/option.bif.bro>`, :doc:`base/bif/pcap.bif.bro </scripts/base/bif/pcap.bif.bro>`, :doc:`base/bif/reporter.bif.bro </scripts/base/bif/reporter.bif.bro>`, :doc:`base/bif/stats.bif.bro </scripts/base/bif/stats.bif.bro>`, :doc:`base/bif/store.bif.bro </scripts/base/bif/store.bif.bro>`, :doc:`base/bif/strings.bif.bro </scripts/base/bif/strings.bif.bro>`, :doc:`base/bif/top-k.bif.bro </scripts/base/bif/top-k.bif.bro>`, :doc:`base/bif/types.bif.bro </scripts/base/bif/types.bif.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

66
doc/scripts/base/bif/analyzer.bif.bro.rst Normal file
View file

@ -0,0 +1,66 @@
:tocdepth: 3
base/bif/analyzer.bif.bro
=========================
.. bro:namespace:: Analyzer
.. bro:namespace:: GLOBAL
Internal functions and types used by the analyzer framework.
:Namespaces: Analyzer, GLOBAL
Summary
~~~~~~~
Functions
#########
================================================================= =
:bro:id:`Analyzer::__disable_all_analyzers`: :bro:type:`function`
:bro:id:`Analyzer::__disable_analyzer`: :bro:type:`function`
:bro:id:`Analyzer::__enable_analyzer`: :bro:type:`function`
:bro:id:`Analyzer::__name`: :bro:type:`function`
:bro:id:`Analyzer::__register_for_port`: :bro:type:`function`
:bro:id:`Analyzer::__schedule_analyzer`: :bro:type:`function`
:bro:id:`Analyzer::__tag`: :bro:type:`function`
================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Analyzer::__disable_all_analyzers
:Type: :bro:type:`function` () : :bro:type:`any`
.. bro:id:: Analyzer::__disable_analyzer
:Type: :bro:type:`function` (id: :bro:type:`Analyzer::Tag`) : :bro:type:`bool`
.. bro:id:: Analyzer::__enable_analyzer
:Type: :bro:type:`function` (id: :bro:type:`Analyzer::Tag`) : :bro:type:`bool`
.. bro:id:: Analyzer::__name
:Type: :bro:type:`function` (atype: :bro:type:`Analyzer::Tag`) : :bro:type:`string`
.. bro:id:: Analyzer::__register_for_port
:Type: :bro:type:`function` (id: :bro:type:`Analyzer::Tag`, p: :bro:type:`port`) : :bro:type:`bool`
.. bro:id:: Analyzer::__schedule_analyzer
:Type: :bro:type:`function` (orig: :bro:type:`addr`, resp: :bro:type:`addr`, resp_p: :bro:type:`port`, analyzer: :bro:type:`Analyzer::Tag`, tout: :bro:type:`interval`) : :bro:type:`bool`
.. bro:id:: Analyzer::__tag
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`Analyzer::Tag`

205
doc/scripts/base/bif/bloom-filter.bif.bro.rst Normal file
View file

@ -0,0 +1,205 @@
:tocdepth: 3
base/bif/bloom-filter.bif.bro
=============================
.. bro:namespace:: GLOBAL
Functions to create and manipulate Bloom filters.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== ===================================================================
:bro:id:`bloomfilter_add`: :bro:type:`function` Adds an element to a Bloom filter.
:bro:id:`bloomfilter_basic_init`: :bro:type:`function` Creates a basic Bloom filter.
:bro:id:`bloomfilter_basic_init2`: :bro:type:`function` Creates a basic Bloom filter.
:bro:id:`bloomfilter_clear`: :bro:type:`function` Removes all elements from a Bloom filter.
:bro:id:`bloomfilter_counting_init`: :bro:type:`function` Creates a counting Bloom filter.
:bro:id:`bloomfilter_internal_state`: :bro:type:`function` Returns a string with a representation of a Bloom filter's internal
state.
:bro:id:`bloomfilter_lookup`: :bro:type:`function` Retrieves the counter for a given element in a Bloom filter.
:bro:id:`bloomfilter_merge`: :bro:type:`function` Merges two Bloom filters.
========================================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: bloomfilter_add
:Type: :bro:type:`function` (bf: :bro:type:`opaque` of bloomfilter, x: :bro:type:`any`) : :bro:type:`any`
Adds an element to a Bloom filter.
:bf: The Bloom filter handle.
:x: The element to add.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_lookup bloomfilter_clear
bloomfilter_merge
.. bro:id:: bloomfilter_basic_init
:Type: :bro:type:`function` (fp: :bro:type:`double`, capacity: :bro:type:`count`, name: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`opaque` of bloomfilter
Creates a basic Bloom filter.
:fp: The desired false-positive rate.
:capacity: the maximum number of elements that guarantees a false-positive
rate of *fp*.
:name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :bro:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Bro process. Only
filters with the same seed can be merged with
:bro:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. bro:see:: bloomfilter_basic_init2 bloomfilter_counting_init bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. bro:id:: bloomfilter_basic_init2
:Type: :bro:type:`function` (k: :bro:type:`count`, cells: :bro:type:`count`, name: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`opaque` of bloomfilter
Creates a basic Bloom filter. This function serves as a low-level
alternative to :bro:id:`bloomfilter_basic_init` where the user has full
control over the number of hash functions and cells in the underlying bit
vector.
:k: The number of hash functions to use.
:cells: The number of cells of the underlying bit vector.
:name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :bro:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Bro process. Only
filters with the same seed can be merged with
:bro:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. bro:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. bro:id:: bloomfilter_clear
:Type: :bro:type:`function` (bf: :bro:type:`opaque` of bloomfilter) : :bro:type:`any`
Removes all elements from a Bloom filter. This function resets all bits in
the underlying bitvector back to 0 but does not change the parameterization
of the Bloom filter, such as the element type and the hasher seed.
:bf: The Bloom filter handle.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
bloomfilter_merge
.. bro:id:: bloomfilter_counting_init
:Type: :bro:type:`function` (k: :bro:type:`count`, cells: :bro:type:`count`, max: :bro:type:`count`, name: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`opaque` of bloomfilter
Creates a counting Bloom filter.
:k: The number of hash functions to use.
:cells: The number of cells of the underlying counter vector. As there's
no single answer to what's the best parameterization for a
counting Bloom filter, we refer to the Bloom filter literature
here for choosing an appropiate value.
:max: The maximum counter value associated with each element
described by *w = ceil(log_2(max))* bits. Each bit in the underlying
counter vector becomes a cell of size *w* bits.
:name: A name that uniquely identifies and seeds the Bloom filter. If empty,
the filter will use :bro:id:`global_hash_seed` if that's set, and
otherwise use a local seed tied to the current Bro process. Only
filters with the same seed can be merged with
:bro:id:`bloomfilter_merge`.
:returns: A Bloom filter handle.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 bloomfilter_add
bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
.. bro:id:: bloomfilter_internal_state
:Type: :bro:type:`function` (bf: :bro:type:`opaque` of bloomfilter) : :bro:type:`string`
Returns a string with a representation of a Bloom filter's internal
state. This is for debugging/testing purposes only.
:bf: The Bloom filter handle.
:returns: a string with a representation of a Bloom filter's internal state.
.. bro:id:: bloomfilter_lookup
:Type: :bro:type:`function` (bf: :bro:type:`opaque` of bloomfilter, x: :bro:type:`any`) : :bro:type:`count`
Retrieves the counter for a given element in a Bloom filter.
:bf: The Bloom filter handle.
:x: The element to count.
:returns: the counter associated with *x* in *bf*.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_clear
bloomfilter_merge
.. bro:id:: bloomfilter_merge
:Type: :bro:type:`function` (bf1: :bro:type:`opaque` of bloomfilter, bf2: :bro:type:`opaque` of bloomfilter) : :bro:type:`opaque` of bloomfilter
Merges two Bloom filters.
.. note:: Currently Bloom filters created by different Bro instances cannot
be merged. In the future, this will be supported as long as both filters
are created with the same name.
:bf1: The first Bloom filter handle.
:bf2: The second Bloom filter handle.
:returns: The union of *bf1* and *bf2*.
.. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2
bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
bloomfilter_clear

3567
doc/scripts/base/bif/bro.bif.bro.rst Normal file
View file

File diff suppressed because it is too large Load diff

88
doc/scripts/base/bif/broxygen.bif.bro.rst Normal file
View file

@ -0,0 +1,88 @@
:tocdepth: 3
base/bif/broxygen.bif.bro
=========================
.. bro:namespace:: GLOBAL
Functions for querying script, package, or variable documentation.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================= =============================================================================
:bro:id:`get_identifier_comments`: :bro:type:`function` Retrieve the Broxygen-style comments (``##``) associated with an identifier
(e.g.
:bro:id:`get_package_readme`: :bro:type:`function` Retrieve the contents of a Bro script package's README file.
:bro:id:`get_record_field_comments`: :bro:type:`function` Retrieve the Broxygen-style comments (``##``) associated with a record field.
:bro:id:`get_script_comments`: :bro:type:`function` Retrieve the Broxygen-style summary comments (``##!``) associated with
a Bro script.
========================================================= =============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: get_identifier_comments
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Retrieve the Broxygen-style comments (``##``) associated with an identifier
(e.g. a variable or type).
:name: a script-level identifier for which to retrieve comments.
:returns: comments associated with *name*. If *name* is not a known
identifier, an empty string is returned.
.. bro:id:: get_package_readme
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Retrieve the contents of a Bro script package's README file.
:name: the name of a Bro script package. It must be a relative path
to where it is located within a particular component of BROPATH.
:returns: contents of the package's README file. If *name* is not a known
package, an empty string is returned.
.. bro:id:: get_record_field_comments
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Retrieve the Broxygen-style comments (``##``) associated with a record field.
:name: the name of a record type and a field within it formatted like
a typical record field access: "<record_type>$<field>".
:returns: comments associated with the record field. If *name* does
not point to a known record type or a known field within a record
type, an empty string is returned.
.. bro:id:: get_script_comments
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Retrieve the Broxygen-style summary comments (``##!``) associated with
a Bro script.
:name: the name of a Bro script. It must be a relative path to where
it is located within a particular component of BROPATH and use
the same file name extension/suffix as the actual file (e.g. ".bro").
:returns: summary comments associated with script with *name*. If
*name* is not a known script, an empty string is returned.

117
doc/scripts/base/bif/cardinality-counter.bif.bro.rst Normal file
View file

@ -0,0 +1,117 @@
:tocdepth: 3
base/bif/cardinality-counter.bif.bro
====================================
.. bro:namespace:: GLOBAL
Functions to create and manipulate probabilistic cardinality counters.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== =========================================================================
:bro:id:`hll_cardinality_add`: :bro:type:`function` Adds an element to a HyperLogLog cardinality counter.
:bro:id:`hll_cardinality_copy`: :bro:type:`function` Copy a HLL cardinality counter.
:bro:id:`hll_cardinality_estimate`: :bro:type:`function` Estimate the current cardinality of an HLL cardinality counter.
:bro:id:`hll_cardinality_init`: :bro:type:`function` Initializes a probabilistic cardinality counter that uses the HyperLogLog
algorithm.
:bro:id:`hll_cardinality_merge_into`: :bro:type:`function` Merges a HLL cardinality counter into another.
========================================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: hll_cardinality_add
:Type: :bro:type:`function` (handle: :bro:type:`opaque` of cardinality, elem: :bro:type:`any`) : :bro:type:`bool`
Adds an element to a HyperLogLog cardinality counter.
:handle: the HLL handle.
:elem: the element to add.
:returns: true on success.
.. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into
hll_cardinality_init hll_cardinality_copy
.. bro:id:: hll_cardinality_copy
:Type: :bro:type:`function` (handle: :bro:type:`opaque` of cardinality) : :bro:type:`opaque` of cardinality
Copy a HLL cardinality counter.
:handle: cardinality counter to copy.
:returns: copy of handle.
.. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_init
.. bro:id:: hll_cardinality_estimate
:Type: :bro:type:`function` (handle: :bro:type:`opaque` of cardinality) : :bro:type:`double`
Estimate the current cardinality of an HLL cardinality counter.
:handle: the HLL handle.
:returns: the cardinality estimate. Returns -1.0 if the counter is empty.
.. bro:see:: hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_init hll_cardinality_copy
.. bro:id:: hll_cardinality_init
:Type: :bro:type:`function` (err: :bro:type:`double`, confidence: :bro:type:`double`) : :bro:type:`opaque` of cardinality
Initializes a probabilistic cardinality counter that uses the HyperLogLog
algorithm.
:err: the desired error rate (e.g. 0.01).
:confidence: the desired confidence for the error rate (e.g., 0.95).
:returns: a HLL cardinality handle.
.. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add
hll_cardinality_copy
.. bro:id:: hll_cardinality_merge_into
:Type: :bro:type:`function` (handle1: :bro:type:`opaque` of cardinality, handle2: :bro:type:`opaque` of cardinality) : :bro:type:`bool`
Merges a HLL cardinality counter into another.
.. note:: The same restrictions as for Bloom filter merging apply,
see :bro:id:`bloomfilter_merge`.
:handle1: the first HLL handle, which will contain the merged result.
:handle2: the second HLL handle, which will be merged into the first.
:returns: true on success.
.. bro:see:: hll_cardinality_estimate hll_cardinality_add
hll_cardinality_init hll_cardinality_copy

96
doc/scripts/base/bif/comm.bif.bro.rst Normal file
View file

@ -0,0 +1,96 @@
:tocdepth: 3
base/bif/comm.bif.bro
=====================
.. bro:namespace:: Broker
.. bro:namespace:: GLOBAL
Functions and events regarding Bro's broker communication mechanisms.
:Namespaces: Broker, GLOBAL
Summary
~~~~~~~
Events
######
================================================= ==========================================================
:bro:id:`Broker::error`: :bro:type:`event` Generated when an error occurs in the Broker sub-system.
:bro:id:`Broker::peer_added`: :bro:type:`event` Generated when a new peering has been established.
:bro:id:`Broker::peer_lost`: :bro:type:`event` Generated when an existing peering has been lost.
:bro:id:`Broker::peer_removed`: :bro:type:`event` Generated when an existing peer has been removed.
:bro:id:`Broker::status`: :bro:type:`event` Generated when something changes in the Broker sub-system.
================================================= ==========================================================
Functions
#########
================================================= =
:bro:id:`Broker::__listen`: :bro:type:`function`
:bro:id:`Broker::__node_id`: :bro:type:`function`
:bro:id:`Broker::__peer`: :bro:type:`function`
:bro:id:`Broker::__peers`: :bro:type:`function`
:bro:id:`Broker::__unpeer`: :bro:type:`function`
================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: Broker::error
:Type: :bro:type:`event` (code: :bro:type:`Broker::ErrorCode`, msg: :bro:type:`string`)
Generated when an error occurs in the Broker sub-system.
.. bro:id:: Broker::peer_added
:Type: :bro:type:`event` (endpoint: :bro:type:`Broker::EndpointInfo`, msg: :bro:type:`string`)
Generated when a new peering has been established.
.. bro:id:: Broker::peer_lost
:Type: :bro:type:`event` (endpoint: :bro:type:`Broker::EndpointInfo`, msg: :bro:type:`string`)
Generated when an existing peering has been lost.
.. bro:id:: Broker::peer_removed
:Type: :bro:type:`event` (endpoint: :bro:type:`Broker::EndpointInfo`, msg: :bro:type:`string`)
Generated when an existing peer has been removed.
.. bro:id:: Broker::status
:Type: :bro:type:`event` (endpoint: :bro:type:`Broker::EndpointInfo`, msg: :bro:type:`string`)
Generated when something changes in the Broker sub-system.
Functions
#########
.. bro:id:: Broker::__listen
:Type: :bro:type:`function` (a: :bro:type:`string`, p: :bro:type:`port`) : :bro:type:`port`
.. bro:id:: Broker::__node_id
:Type: :bro:type:`function` () : :bro:type:`string`
.. bro:id:: Broker::__peer
:Type: :bro:type:`function` (a: :bro:type:`string`, p: :bro:type:`port`, retry: :bro:type:`interval`) : :bro:type:`bool`
.. bro:id:: Broker::__peers
:Type: :bro:type:`function` () : :bro:type:`Broker::PeerInfos`
.. bro:id:: Broker::__unpeer
:Type: :bro:type:`function` (a: :bro:type:`string`, p: :bro:type:`port`) : :bro:type:`bool`

18
doc/scripts/base/bif/const.bif.bro.rst Normal file
View file

@ -0,0 +1,18 @@
:tocdepth: 3
base/bif/const.bif.bro
======================
.. bro:namespace:: GLOBAL
Declaration of various scripting-layer constants that the Bro core uses
internally. Documentation and default values for the scripting-layer
variables themselves are found in :doc:`/scripts/base/init-bare.bro`.
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

322
doc/scripts/base/bif/data.bif.bro.rst Normal file
View file

@ -0,0 +1,322 @@
:tocdepth: 3
base/bif/data.bif.bro
=====================
.. bro:namespace:: Broker
.. bro:namespace:: GLOBAL
Functions for inspecting and manipulating broker data.
:Namespaces: Broker, GLOBAL
Summary
~~~~~~~
Types
#####
============================================== ====================================================================
:bro:type:`Broker::DataType`: :bro:type:`enum` Enumerates the possible types that :bro:see:`Broker::Data` may be in
terms of Bro data types.
============================================== ====================================================================
Functions
#########
=============================================================== =
:bro:id:`Broker::__data`: :bro:type:`function`
:bro:id:`Broker::__data_type`: :bro:type:`function`
:bro:id:`Broker::__record_assign`: :bro:type:`function`
:bro:id:`Broker::__record_create`: :bro:type:`function`
:bro:id:`Broker::__record_iterator`: :bro:type:`function`
:bro:id:`Broker::__record_iterator_last`: :bro:type:`function`
:bro:id:`Broker::__record_iterator_next`: :bro:type:`function`
:bro:id:`Broker::__record_iterator_value`: :bro:type:`function`
:bro:id:`Broker::__record_lookup`: :bro:type:`function`
:bro:id:`Broker::__record_size`: :bro:type:`function`
:bro:id:`Broker::__set_clear`: :bro:type:`function`
:bro:id:`Broker::__set_contains`: :bro:type:`function`
:bro:id:`Broker::__set_create`: :bro:type:`function`
:bro:id:`Broker::__set_insert`: :bro:type:`function`
:bro:id:`Broker::__set_iterator`: :bro:type:`function`
:bro:id:`Broker::__set_iterator_last`: :bro:type:`function`
:bro:id:`Broker::__set_iterator_next`: :bro:type:`function`
:bro:id:`Broker::__set_iterator_value`: :bro:type:`function`
:bro:id:`Broker::__set_remove`: :bro:type:`function`
:bro:id:`Broker::__set_size`: :bro:type:`function`
:bro:id:`Broker::__table_clear`: :bro:type:`function`
:bro:id:`Broker::__table_contains`: :bro:type:`function`
:bro:id:`Broker::__table_create`: :bro:type:`function`
:bro:id:`Broker::__table_insert`: :bro:type:`function`
:bro:id:`Broker::__table_iterator`: :bro:type:`function`
:bro:id:`Broker::__table_iterator_last`: :bro:type:`function`
:bro:id:`Broker::__table_iterator_next`: :bro:type:`function`
:bro:id:`Broker::__table_iterator_value`: :bro:type:`function`
:bro:id:`Broker::__table_lookup`: :bro:type:`function`
:bro:id:`Broker::__table_remove`: :bro:type:`function`
:bro:id:`Broker::__table_size`: :bro:type:`function`
:bro:id:`Broker::__vector_clear`: :bro:type:`function`
:bro:id:`Broker::__vector_create`: :bro:type:`function`
:bro:id:`Broker::__vector_insert`: :bro:type:`function`
:bro:id:`Broker::__vector_iterator`: :bro:type:`function`
:bro:id:`Broker::__vector_iterator_last`: :bro:type:`function`
:bro:id:`Broker::__vector_iterator_next`: :bro:type:`function`
:bro:id:`Broker::__vector_iterator_value`: :bro:type:`function`
:bro:id:`Broker::__vector_lookup`: :bro:type:`function`
:bro:id:`Broker::__vector_remove`: :bro:type:`function`
:bro:id:`Broker::__vector_replace`: :bro:type:`function`
:bro:id:`Broker::__vector_size`: :bro:type:`function`
=============================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: Broker::DataType
:Type: :bro:type:`enum`
.. bro:enum:: Broker::NONE Broker::DataType
.. bro:enum:: Broker::BOOL Broker::DataType
.. bro:enum:: Broker::INT Broker::DataType
.. bro:enum:: Broker::COUNT Broker::DataType
.. bro:enum:: Broker::DOUBLE Broker::DataType
.. bro:enum:: Broker::STRING Broker::DataType
.. bro:enum:: Broker::ADDR Broker::DataType
.. bro:enum:: Broker::SUBNET Broker::DataType
.. bro:enum:: Broker::PORT Broker::DataType
.. bro:enum:: Broker::TIME Broker::DataType
.. bro:enum:: Broker::INTERVAL Broker::DataType
.. bro:enum:: Broker::ENUM Broker::DataType
.. bro:enum:: Broker::SET Broker::DataType
.. bro:enum:: Broker::TABLE Broker::DataType
.. bro:enum:: Broker::VECTOR Broker::DataType
Enumerates the possible types that :bro:see:`Broker::Data` may be in
terms of Bro data types.
Functions
#########
.. bro:id:: Broker::__data
:Type: :bro:type:`function` (d: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__data_type
:Type: :bro:type:`function` (d: :bro:type:`Broker::Data`) : :bro:type:`Broker::DataType`
.. bro:id:: Broker::__record_assign
:Type: :bro:type:`function` (r: :bro:type:`Broker::Data`, idx: :bro:type:`count`, d: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__record_create
:Type: :bro:type:`function` (sz: :bro:type:`count`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__record_iterator
:Type: :bro:type:`function` (r: :bro:type:`Broker::Data`) : :bro:type:`opaque` of Broker::RecordIterator
.. bro:id:: Broker::__record_iterator_last
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::RecordIterator) : :bro:type:`bool`
.. bro:id:: Broker::__record_iterator_next
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::RecordIterator) : :bro:type:`bool`
.. bro:id:: Broker::__record_iterator_value
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::RecordIterator) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__record_lookup
:Type: :bro:type:`function` (r: :bro:type:`Broker::Data`, idx: :bro:type:`count`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__record_size
:Type: :bro:type:`function` (r: :bro:type:`Broker::Data`) : :bro:type:`count`
.. bro:id:: Broker::__set_clear
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`) : :bro:type:`bool`
.. bro:id:: Broker::__set_contains
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__set_create
:Type: :bro:type:`function` () : :bro:type:`Broker::Data`
.. bro:id:: Broker::__set_insert
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__set_iterator
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`) : :bro:type:`opaque` of Broker::SetIterator
.. bro:id:: Broker::__set_iterator_last
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::SetIterator) : :bro:type:`bool`
.. bro:id:: Broker::__set_iterator_next
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::SetIterator) : :bro:type:`bool`
.. bro:id:: Broker::__set_iterator_value
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::SetIterator) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__set_remove
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__set_size
:Type: :bro:type:`function` (s: :bro:type:`Broker::Data`) : :bro:type:`count`
.. bro:id:: Broker::__table_clear
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`) : :bro:type:`bool`
.. bro:id:: Broker::__table_contains
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__table_create
:Type: :bro:type:`function` () : :bro:type:`Broker::Data`
.. bro:id:: Broker::__table_insert
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`, key: :bro:type:`any`, val: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__table_iterator
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`) : :bro:type:`opaque` of Broker::TableIterator
.. bro:id:: Broker::__table_iterator_last
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::TableIterator) : :bro:type:`bool`
.. bro:id:: Broker::__table_iterator_next
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::TableIterator) : :bro:type:`bool`
.. bro:id:: Broker::__table_iterator_value
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::TableIterator) : :bro:type:`Broker::TableItem`
.. bro:id:: Broker::__table_lookup
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__table_remove
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`, key: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__table_size
:Type: :bro:type:`function` (t: :bro:type:`Broker::Data`) : :bro:type:`count`
.. bro:id:: Broker::__vector_clear
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`) : :bro:type:`bool`
.. bro:id:: Broker::__vector_create
:Type: :bro:type:`function` () : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_insert
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`, idx: :bro:type:`count`, d: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__vector_iterator
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`) : :bro:type:`opaque` of Broker::VectorIterator
.. bro:id:: Broker::__vector_iterator_last
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::VectorIterator) : :bro:type:`bool`
.. bro:id:: Broker::__vector_iterator_next
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::VectorIterator) : :bro:type:`bool`
.. bro:id:: Broker::__vector_iterator_value
:Type: :bro:type:`function` (it: :bro:type:`opaque` of Broker::VectorIterator) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_lookup
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`, idx: :bro:type:`count`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_remove
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`, idx: :bro:type:`count`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_replace
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`, idx: :bro:type:`count`, d: :bro:type:`any`) : :bro:type:`Broker::Data`
.. bro:id:: Broker::__vector_size
:Type: :bro:type:`function` (v: :bro:type:`Broker::Data`) : :bro:type:`count`

1507
doc/scripts/base/bif/event.bif.bro.rst Normal file
View file

File diff suppressed because it is too large Load diff

111
doc/scripts/base/bif/file_analysis.bif.bro.rst Normal file
View file

@ -0,0 +1,111 @@
:tocdepth: 3
base/bif/file_analysis.bif.bro
==============================
.. bro:namespace:: Files
.. bro:namespace:: GLOBAL
Internal functions and types used by the file analysis framework.
:Namespaces: Files, GLOBAL
Summary
~~~~~~~
Functions
#########
============================================================== ===================================================================
:bro:id:`Files::__add_analyzer`: :bro:type:`function` :bro:see:`Files::add_analyzer`.
:bro:id:`Files::__analyzer_name`: :bro:type:`function` :bro:see:`Files::analyzer_name`.
:bro:id:`Files::__disable_reassembly`: :bro:type:`function` :bro:see:`Files::disable_reassembly`.
:bro:id:`Files::__enable_reassembly`: :bro:type:`function` :bro:see:`Files::enable_reassembly`.
:bro:id:`Files::__file_exists`: :bro:type:`function` :bro:see:`Files::file_exists`.
:bro:id:`Files::__lookup_file`: :bro:type:`function` :bro:see:`Files::lookup_file`.
:bro:id:`Files::__remove_analyzer`: :bro:type:`function` :bro:see:`Files::remove_analyzer`.
:bro:id:`Files::__set_reassembly_buffer`: :bro:type:`function` :bro:see:`Files::set_reassembly_buffer_size`.
:bro:id:`Files::__set_timeout_interval`: :bro:type:`function` :bro:see:`Files::set_timeout_interval`.
:bro:id:`Files::__stop`: :bro:type:`function` :bro:see:`Files::stop`.
:bro:id:`set_file_handle`: :bro:type:`function` For use within a :bro:see:`get_file_handle` handler to set a unique
identifier to associate with the current input to the file analysis
framework.
============================================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Files::__add_analyzer
:Type: :bro:type:`function` (file_id: :bro:type:`string`, tag: :bro:type:`Files::Tag`, args: :bro:type:`any`) : :bro:type:`bool`
:bro:see:`Files::add_analyzer`.
.. bro:id:: Files::__analyzer_name
:Type: :bro:type:`function` (tag: :bro:type:`Files::Tag`) : :bro:type:`string`
:bro:see:`Files::analyzer_name`.
.. bro:id:: Files::__disable_reassembly
:Type: :bro:type:`function` (file_id: :bro:type:`string`) : :bro:type:`bool`
:bro:see:`Files::disable_reassembly`.
.. bro:id:: Files::__enable_reassembly
:Type: :bro:type:`function` (file_id: :bro:type:`string`) : :bro:type:`bool`
:bro:see:`Files::enable_reassembly`.
.. bro:id:: Files::__file_exists
:Type: :bro:type:`function` (fuid: :bro:type:`string`) : :bro:type:`bool`
:bro:see:`Files::file_exists`.
.. bro:id:: Files::__lookup_file
:Type: :bro:type:`function` (fuid: :bro:type:`string`) : :bro:type:`fa_file`
:bro:see:`Files::lookup_file`.
.. bro:id:: Files::__remove_analyzer
:Type: :bro:type:`function` (file_id: :bro:type:`string`, tag: :bro:type:`Files::Tag`, args: :bro:type:`any`) : :bro:type:`bool`
:bro:see:`Files::remove_analyzer`.
.. bro:id:: Files::__set_reassembly_buffer
:Type: :bro:type:`function` (file_id: :bro:type:`string`, max: :bro:type:`count`) : :bro:type:`bool`
:bro:see:`Files::set_reassembly_buffer_size`.
.. bro:id:: Files::__set_timeout_interval
:Type: :bro:type:`function` (file_id: :bro:type:`string`, t: :bro:type:`interval`) : :bro:type:`bool`
:bro:see:`Files::set_timeout_interval`.
.. bro:id:: Files::__stop
:Type: :bro:type:`function` (file_id: :bro:type:`string`) : :bro:type:`bool`
:bro:see:`Files::stop`.
.. bro:id:: set_file_handle
:Type: :bro:type:`function` (handle: :bro:type:`string`) : :bro:type:`any`
For use within a :bro:see:`get_file_handle` handler to set a unique
identifier to associate with the current input to the file analysis
framework. Using an empty string for the handle signifies that the
input will be ignored/discarded.
:handle: A string that uniquely identifies a file.
.. bro:see:: get_file_handle

466
doc/scripts/base/bif/index.rst Normal file
View file

@ -0,0 +1,466 @@
:orphan:
Package: base/bif
=================
:doc:`/scripts/base/bif/const.bif.bro`
Declaration of various scripting-layer constants that the Bro core uses
internally. Documentation and default values for the scripting-layer
variables themselves are found in :doc:`/scripts/base/init-bare.bro`.
:doc:`/scripts/base/bif/types.bif.bro`
Declaration of various types that the Bro core uses internally.
:doc:`/scripts/base/bif/bro.bif.bro`
A collection of built-in functions that implement a variety of things
such as general programming algorithms, string processing, math functions,
introspection, type conversion, file/directory manipulation, packet
filtering, interprocess communication and controlling protocol analyzer
behavior.
You'll find most of Bro's built-in functions that aren't protocol-specific
in this file.
:doc:`/scripts/base/bif/stats.bif.bro`
:doc:`/scripts/base/bif/reporter.bif.bro`
The reporter built-in functions allow for the scripting layer to
generate messages of varying severity. If no event handlers
exist for reporter messages, the messages are output to stderr.
If event handlers do exist, it's assumed they take care of determining
how/where to output the messages.
See :doc:`/scripts/base/frameworks/reporter/main.bro` for a convenient
reporter message logging framework.
:doc:`/scripts/base/bif/strings.bif.bro`
Definitions of built-in functions related to string processing and
manipulation.
:doc:`/scripts/base/bif/option.bif.bro`
Definitions of built-in functions that allow the scripting layer to
change the value of options and to be notified when option values change.
:doc:`/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_KRB.types.bif.bro`
:doc:`/scripts/base/bif/event.bif.bro`
The protocol-independent events that the C/C++ core of Bro can generate.
This is mostly events not related to a specific transport- or
application-layer protocol, but also includes a few that may be generated
by more than one protocols analyzer (like events generated by both UDP and
TCP analysis.)
:doc:`/scripts/base/bif/logging.bif.bro`
Internal functions and types used by the logging framework.
:doc:`/scripts/base/bif/comm.bif.bro`
Functions and events regarding Bro's broker communication mechanisms.
:doc:`/scripts/base/bif/messaging.bif.bro`
Functions for peering and various messaging patterns.
:doc:`/scripts/base/bif/data.bif.bro`
Functions for inspecting and manipulating broker data.
:doc:`/scripts/base/bif/store.bif.bro`
Functions to interface with broker's distributed data store.
:doc:`/scripts/base/bif/input.bif.bro`
Internal functions and types used by the input framework.
:doc:`/scripts/base/bif/analyzer.bif.bro`
Internal functions and types used by the analyzer framework.
:doc:`/scripts/base/bif/file_analysis.bif.bro`
Internal functions and types used by the file analysis framework.
:doc:`/scripts/base/bif/__load__.bro`
:doc:`/scripts/base/bif/broxygen.bif.bro`
Functions for querying script, package, or variable documentation.
:doc:`/scripts/base/bif/pcap.bif.bro`
:doc:`/scripts/base/bif/bloom-filter.bif.bro`
Functions to create and manipulate Bloom filters.
:doc:`/scripts/base/bif/cardinality-counter.bif.bro`
Functions to create and manipulate probabilistic cardinality counters.
:doc:`/scripts/base/bif/top-k.bif.bro`
Functions to probabilistically determine top-k elements.
:doc:`/scripts/base/bif/plugins/__load__.bro`
:doc:`/scripts/base/bif/plugins/Bro_ARP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_DNS.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_File.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Finger.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FTP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Ident.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_IRC.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_KRB.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Login.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Login.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_MIME.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NCP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NTP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_POP3.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RDP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RDP.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RFB.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RPC.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SIP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMB.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSH.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSH.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSL.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSL.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_TCP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_UDP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro`
Internal functions used by the extraction file analyzer.
:doc:`/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_PE.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_X509.events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_X509.types.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_X509.functions.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro`
:doc:`/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro`

54
doc/scripts/base/bif/input.bif.bro.rst Normal file
View file

@ -0,0 +1,54 @@
:tocdepth: 3
base/bif/input.bif.bro
======================
.. bro:namespace:: GLOBAL
.. bro:namespace:: Input
Internal functions and types used by the input framework.
:Namespaces: GLOBAL, Input
Summary
~~~~~~~
Functions
#########
=============================================================== =
:bro:id:`Input::__create_analysis_stream`: :bro:type:`function`
:bro:id:`Input::__create_event_stream`: :bro:type:`function`
:bro:id:`Input::__create_table_stream`: :bro:type:`function`
:bro:id:`Input::__force_update`: :bro:type:`function`
:bro:id:`Input::__remove_stream`: :bro:type:`function`
=============================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Input::__create_analysis_stream
:Type: :bro:type:`function` (description: :bro:type:`Input::AnalysisDescription`) : :bro:type:`bool`
.. bro:id:: Input::__create_event_stream
:Type: :bro:type:`function` (description: :bro:type:`Input::EventDescription`) : :bro:type:`bool`
.. bro:id:: Input::__create_table_stream
:Type: :bro:type:`function` (description: :bro:type:`Input::TableDescription`) : :bro:type:`bool`
.. bro:id:: Input::__force_update
:Type: :bro:type:`function` (id: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Input::__remove_stream
:Type: :bro:type:`function` (id: :bro:type:`string`) : :bro:type:`bool`

78
doc/scripts/base/bif/logging.bif.bro.rst Normal file
View file

@ -0,0 +1,78 @@
:tocdepth: 3
base/bif/logging.bif.bro
========================
.. bro:namespace:: GLOBAL
.. bro:namespace:: Log
Internal functions and types used by the logging framework.
:Namespaces: GLOBAL, Log
Summary
~~~~~~~
Functions
#########
===================================================== =
:bro:id:`Log::__add_filter`: :bro:type:`function`
:bro:id:`Log::__create_stream`: :bro:type:`function`
:bro:id:`Log::__disable_stream`: :bro:type:`function`
:bro:id:`Log::__enable_stream`: :bro:type:`function`
:bro:id:`Log::__flush`: :bro:type:`function`
:bro:id:`Log::__remove_filter`: :bro:type:`function`
:bro:id:`Log::__remove_stream`: :bro:type:`function`
:bro:id:`Log::__set_buf`: :bro:type:`function`
:bro:id:`Log::__write`: :bro:type:`function`
===================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Log::__add_filter
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, filter: :bro:type:`Log::Filter`) : :bro:type:`bool`
.. bro:id:: Log::__create_stream
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, stream: :bro:type:`Log::Stream`) : :bro:type:`bool`
.. bro:id:: Log::__disable_stream
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`) : :bro:type:`bool`
.. bro:id:: Log::__enable_stream
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`) : :bro:type:`bool`
.. bro:id:: Log::__flush
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`) : :bro:type:`bool`
.. bro:id:: Log::__remove_filter
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, name: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Log::__remove_stream
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`) : :bro:type:`bool`
.. bro:id:: Log::__set_buf
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, buffered: :bro:type:`bool`) : :bro:type:`bool`
.. bro:id:: Log::__write
:Type: :bro:type:`function` (id: :bro:type:`Log::ID`, columns: :bro:type:`any`) : :bro:type:`bool`

151
doc/scripts/base/bif/messaging.bif.bro.rst Normal file
View file

@ -0,0 +1,151 @@
:tocdepth: 3
base/bif/messaging.bif.bro
==========================
.. bro:namespace:: Broker
.. bro:namespace:: Cluster
.. bro:namespace:: GLOBAL
Functions for peering and various messaging patterns.
:Namespaces: Broker, Cluster, GLOBAL
Summary
~~~~~~~
Functions
#########
======================================================== ===================================================================
:bro:id:`Broker::__auto_publish`: :bro:type:`function`
:bro:id:`Broker::__auto_unpublish`: :bro:type:`function`
:bro:id:`Broker::__flush_logs`: :bro:type:`function`
:bro:id:`Broker::__forward`: :bro:type:`function`
:bro:id:`Broker::__publish_id`: :bro:type:`function`
:bro:id:`Broker::__subscribe`: :bro:type:`function`
:bro:id:`Broker::__unsubscribe`: :bro:type:`function`
:bro:id:`Broker::make_event`: :bro:type:`function` Create a data structure that may be used to send a remote event via
:bro:see:`Broker::publish`.
:bro:id:`Broker::publish`: :bro:type:`function` Publishes an event at a given topic.
:bro:id:`Cluster::publish_hrw`: :bro:type:`function` Publishes an event to a node within a pool according to Rendezvous
(Highest Random Weight) hashing strategy.
:bro:id:`Cluster::publish_rr`: :bro:type:`function` Publishes an event to a node within a pool according to Round-Robin
distribution strategy.
======================================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Broker::__auto_publish
:Type: :bro:type:`function` (topic: :bro:type:`string`, ev: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__auto_unpublish
:Type: :bro:type:`function` (topic: :bro:type:`string`, ev: :bro:type:`any`) : :bro:type:`bool`
.. bro:id:: Broker::__flush_logs
:Type: :bro:type:`function` () : :bro:type:`count`
.. bro:id:: Broker::__forward
:Type: :bro:type:`function` (topic_prefix: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Broker::__publish_id
:Type: :bro:type:`function` (topic: :bro:type:`string`, id: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Broker::__subscribe
:Type: :bro:type:`function` (topic_prefix: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Broker::__unsubscribe
:Type: :bro:type:`function` (topic_prefix: :bro:type:`string`) : :bro:type:`bool`
.. bro:id:: Broker::make_event
:Type: :bro:type:`function` (...) : :bro:type:`Broker::Event`
Create a data structure that may be used to send a remote event via
:bro:see:`Broker::publish`.
:args: an event, followed by a list of argument values that may be used
to call it.
:returns: opaque communication data that may be used to send a remote
event.
.. bro:id:: Broker::publish
:Type: :bro:type:`function` (...) : :bro:type:`bool`
Publishes an event at a given topic.
:topic: a topic associated with the event message.
:args: Either the event arguments as already made by
:bro:see:`Broker::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.
.. bro:id:: Cluster::publish_hrw
:Type: :bro:type:`function` (...) : :bro:type:`bool`
Publishes an event to a node within a pool according to Rendezvous
(Highest Random Weight) hashing strategy.
:pool: the pool of nodes that are eligible to receive the event.
:key: data used for input to the hashing function that will uniformly
distribute keys among available nodes.
:args: Either the event arguments as already made by
:bro:see:`Broker::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.
.. bro:id:: Cluster::publish_rr
:Type: :bro:type:`function` (...) : :bro:type:`bool`
Publishes an event to a node within a pool according to Round-Robin
distribution strategy.
:pool: the pool of nodes that are eligible to receive the event.
:key: an arbitrary string to identify the purpose for which you're
distributing the event. e.g. consider using namespacing of your
script like "Intel::cluster_rr_key".
:args: Either the event arguments as already made by
:bro:see:`Broker::make_event` or the argument list to pass along
to it.
:returns: true if the message is sent.

86
doc/scripts/base/bif/option.bif.bro.rst Normal file
View file

@ -0,0 +1,86 @@
:tocdepth: 3
base/bif/option.bif.bro
=======================
.. bro:namespace:: GLOBAL
.. bro:namespace:: Option
Definitions of built-in functions that allow the scripting layer to
change the value of options and to be notified when option values change.
:Namespaces: GLOBAL, Option
Summary
~~~~~~~
Functions
#########
========================================================== ===================================
:bro:id:`Option::set`: :bro:type:`function` Set an option to a new value.
:bro:id:`Option::set_change_handler`: :bro:type:`function` Set a change handler for an option.
========================================================== ===================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Option::set
:Type: :bro:type:`function` (ID: :bro:type:`string`, val: :bro:type:`any`, location: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`) : :bro:type:`bool`
Set an option to a new value. This change will also cause the option change
handlers to be called.
:ID: The ID of the option to update.
:val: The new value of the option.
:location: Optional parameter detailing where this change originated from.
:returns: true on success, false when an error occurred.
.. bro:see:: Option::set_change_handler Config::set_value
.. note:: :bro:id:`Option::set` only works on one node and does not distribute
new values across a cluster. The higher-level :bro:id:`Config::set_value`
supports clusterization and should typically be used instead of this
lower-level function.
.. bro:id:: Option::set_change_handler
:Type: :bro:type:`function` (ID: :bro:type:`string`, on_change: :bro:type:`any`, priority: :bro:type:`int` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`) : :bro:type:`bool`
Set a change handler for an option. The change handler will be
called anytime :bro:id:`Option::set` is called for the option.
:ID: The ID of the option for which change notifications are desired.
:on_change: The function that will be called when a change occurs. The
function can choose to receive two or three parameters: the first
parameter is a string containing *ID*, the second parameter is
the new option value. The third, optional, parameter is the
location string as passed to Option::set. Note that the global
value is not yet changed when the function is called. The passed
function has to return the new value that it wants the option to
be set to. This enables it to reject changes, or change values
that are being set. When several change handlers are set for an
option they are chained; the second change handler will see the
return value of the first change handler as the "new value".
:priority: The priority of the function that was added; functions with higher
priority are called first, functions with the same priority are
called in the order in which they were added.
:returns: true when the change handler was set, false when an error occurred.
.. bro:see:: Option::set

98
doc/scripts/base/bif/pcap.bif.bro.rst Normal file
View file

@ -0,0 +1,98 @@
:tocdepth: 3
base/bif/pcap.bif.bro
=====================
.. bro:namespace:: GLOBAL
.. bro:namespace:: Pcap
:Namespaces: GLOBAL, Pcap
Summary
~~~~~~~
Functions
#########
============================================================ =============================================================
:bro:id:`Pcap::error`: :bro:type:`function` Returns a string representation of the last PCAP error.
:bro:id:`Pcap::install_pcap_filter`: :bro:type:`function` Installs a PCAP filter that has been precompiled with
:bro:id:`Pcap::precompile_pcap_filter`.
:bro:id:`Pcap::precompile_pcap_filter`: :bro:type:`function` Precompiles a PCAP filter and binds it to a given identifier.
============================================================ =============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: Pcap::error
:Type: :bro:type:`function` () : :bro:type:`string`
Returns a string representation of the last PCAP error.
:returns: A descriptive error message of the PCAP function that failed.
.. bro:see:: Pcap::precompile_pcap_filter
Pcap::install_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
.. bro:id:: Pcap::install_pcap_filter
:Type: :bro:type:`function` (id: :bro:type:`PcapFilterID`) : :bro:type:`bool`
Installs a PCAP filter that has been precompiled with
:bro:id:`Pcap::precompile_pcap_filter`.
:id: The PCAP filter id of a precompiled filter.
:returns: True if the filter associated with *id* has been installed
successfully.
.. bro:see:: Pcap::precompile_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
Pcap::error
.. bro:id:: Pcap::precompile_pcap_filter
:Type: :bro:type:`function` (id: :bro:type:`PcapFilterID`, s: :bro:type:`string`) : :bro:type:`bool`
Precompiles a PCAP filter and binds it to a given identifier.
:id: The PCAP identifier to reference the filter *s* later on.
:s: The PCAP filter. See ``man tcpdump`` for valid expressions.
:returns: True if *s* is valid and precompiles successfully.
.. bro:see:: Pcap::install_pcap_filter
install_src_addr_filter
install_src_net_filter
uninstall_src_addr_filter
uninstall_src_net_filter
install_dst_addr_filter
install_dst_net_filter
uninstall_dst_addr_filter
uninstall_dst_net_filter
Pcap::error

113
doc/scripts/base/bif/plugins/Bro_ARP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,113 @@
:tocdepth: 3
base/bif/plugins/Bro_ARP.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================== ====================================================
:bro:id:`arp_reply`: :bro:type:`event` Generated for ARP replies.
:bro:id:`arp_request`: :bro:type:`event` Generated for ARP requests.
:bro:id:`bad_arp`: :bro:type:`event` Generated for ARP packets that Bro cannot interpret.
======================================== ====================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: arp_reply
:Type: :bro:type:`event` (mac_src: :bro:type:`string`, mac_dst: :bro:type:`string`, SPA: :bro:type:`addr`, SHA: :bro:type:`string`, TPA: :bro:type:`addr`, THA: :bro:type:`string`)
Generated for ARP replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
for more information about the ARP protocol.
:mac_src: The reply's source MAC address.
:mac_dst: The reply's destination MAC address.
:SPA: The sender protocol address.
:SHA: The sender hardware address.
:TPA: The target protocol address.
:THA: The target hardware address.
.. bro:see:: arp_request bad_arp
.. bro:id:: arp_request
:Type: :bro:type:`event` (mac_src: :bro:type:`string`, mac_dst: :bro:type:`string`, SPA: :bro:type:`addr`, SHA: :bro:type:`string`, TPA: :bro:type:`addr`, THA: :bro:type:`string`)
Generated for ARP requests.
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
for more information about the ARP protocol.
:mac_src: The request's source MAC address.
:mac_dst: The request's destination MAC address.
:SPA: The sender protocol address.
:SHA: The sender hardware address.
:TPA: The target protocol address.
:THA: The target hardware address.
.. bro:see:: arp_reply bad_arp
.. bro:id:: bad_arp
:Type: :bro:type:`event` (SPA: :bro:type:`addr`, SHA: :bro:type:`string`, TPA: :bro:type:`addr`, THA: :bro:type:`string`, explanation: :bro:type:`string`)
Generated for ARP packets that Bro cannot interpret. Examples are packets
with non-standard hardware address formats or hardware addresses that do not
match the originator of the packet.
:SPA: The sender protocol address.
:SHA: The sender hardware address.
:TPA: The target protocol address.
:THA: The target hardware address.
:explanation: A short description of why the ARP packet is considered "bad".
.. bro:see:: arp_reply arp_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

16
doc/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_AsciiReader.ascii.bif.bro
==============================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputAscii
:Namespaces: GLOBAL, InputAscii
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

16
doc/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro
==============================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: LogAscii
:Namespaces: GLOBAL, LogAscii
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

99
doc/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro.rst Normal file
View file

@ -0,0 +1,99 @@
:tocdepth: 3
base/bif/plugins/Bro_BackDoor.events.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================= ===========
:bro:id:`backdoor_remove_conn`: :bro:type:`event` Deprecated.
:bro:id:`backdoor_stats`: :bro:type:`event` Deprecated.
:bro:id:`ftp_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`gnutella_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`http_proxy_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`http_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`irc_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`rlogin_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`smtp_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`ssh_signature_found`: :bro:type:`event` Deprecated.
:bro:id:`telnet_signature_found`: :bro:type:`event` Deprecated.
======================================================= ===========
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: backdoor_remove_conn
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: backdoor_stats
:Type: :bro:type:`event` (c: :bro:type:`connection`, os: :bro:type:`backdoor_endp_stats`, rs: :bro:type:`backdoor_endp_stats`)
Deprecated. Will be removed.
.. bro:id:: ftp_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: gnutella_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: http_proxy_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: http_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: irc_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: rlogin_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, num_null: :bro:type:`count`, len: :bro:type:`count`)
Deprecated. Will be removed.
.. bro:id:: smtp_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: ssh_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
Deprecated. Will be removed.
.. bro:id:: telnet_signature_found
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, len: :bro:type:`count`)
Deprecated. Will be removed.

16
doc/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro
======================================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputBenchmark
:Namespaces: GLOBAL, InputBenchmark
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

16
doc/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_BinaryReader.binary.bif.bro
================================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputBinary
:Namespaces: GLOBAL, InputBinary
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

310
doc/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro.rst Normal file
View file

@ -0,0 +1,310 @@
:tocdepth: 3
base/bif/plugins/Bro_BitTorrent.events.bif.bro
==============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== =====
:bro:id:`bittorrent_peer_bitfield`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_cancel`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_choke`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_handshake`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_have`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_interested`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_keep_alive`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_not_interested`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_piece`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_port`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_request`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_unchoke`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_unknown`: :bro:type:`event` TODO.
:bro:id:`bittorrent_peer_weird`: :bro:type:`event` TODO.
:bro:id:`bt_tracker_request`: :bro:type:`event` TODO.
:bro:id:`bt_tracker_response`: :bro:type:`event` TODO.
:bro:id:`bt_tracker_response_not_ok`: :bro:type:`event` TODO.
:bro:id:`bt_tracker_weird`: :bro:type:`event` TODO.
=========================================================== =====
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: bittorrent_peer_bitfield
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, bitfield: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_cancel
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, index: :bro:type:`count`, begin: :bro:type:`count`, length: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bittorrent_peer_choke
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bittorrent_peer_handshake
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, reserved: :bro:type:`string`, info_hash: :bro:type:`string`, peer_id: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_have
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, piece_index: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_interested
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_keep_alive
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_not_interested
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_piece
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, index: :bro:type:`count`, begin: :bro:type:`count`, piece_length: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_port
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, listen_port: :bro:type:`port`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, index: :bro:type:`count`, begin: :bro:type:`count`, length: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_unchoke
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bittorrent_peer_unknown
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, message_id: :bro:type:`count`, data: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_weird
.. bro:id:: bittorrent_peer_weird
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown
.. bro:id:: bt_tracker_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, uri: :bro:type:`string`, headers: :bro:type:`bt_tracker_headers`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bt_tracker_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, status: :bro:type:`count`, headers: :bro:type:`bt_tracker_headers`, peers: :bro:type:`bittorrent_peer_set`, benc: :bro:type:`bittorrent_benc_dir`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bt_tracker_response_not_ok
:Type: :bro:type:`event` (c: :bro:type:`connection`, status: :bro:type:`count`, headers: :bro:type:`bt_tracker_headers`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. bro:id:: bt_tracker_weird
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird

16
doc/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_ConfigReader.config.bif.bro
================================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputConfig
:Namespaces: GLOBAL, InputConfig
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

64
doc/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro.rst Normal file
View file

@ -0,0 +1,64 @@
:tocdepth: 3
base/bif/plugins/Bro_ConnSize.events.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== ===============================================================
:bro:id:`conn_bytes_threshold_crossed`: :bro:type:`event` Generated for a connection that crossed a set byte threshold.
:bro:id:`conn_packets_threshold_crossed`: :bro:type:`event` Generated for a connection that crossed a set packet threshold.
=========================================================== ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: conn_bytes_threshold_crossed
:Type: :bro:type:`event` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`)
Generated for a connection that crossed a set byte threshold. Note that this
is a low level event that should usually be avoided for user code. Use
ConnThreshold::bytes_threshold_crossed instead.
:c: the connection
:threshold: the threshold that was set
:is_orig: true if the threshold was crossed by the originator of the connection
.. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
.. bro:id:: conn_packets_threshold_crossed
:Type: :bro:type:`event` (c: :bro:type:`connection`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`)
Generated for a connection that crossed a set packet threshold. Note that this
is a low level event that should usually be avoided for user code. Use
ConnThreshold::bytes_threshold_crossed instead.
:c: the connection
:threshold: the threshold that was set
:is_orig: true if the threshold was crossed by the originator of the connection
.. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold

103
doc/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro.rst Normal file
View file

@ -0,0 +1,103 @@
:tocdepth: 3
base/bif/plugins/Bro_ConnSize.functions.bif.bro
===============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================================== ===================================================================================
:bro:id:`get_current_conn_bytes_threshold`: :bro:type:`function` Gets the current byte threshold size for a connection.
:bro:id:`get_current_conn_packets_threshold`: :bro:type:`function` Gets the current packet threshold size for a connection.
:bro:id:`set_current_conn_bytes_threshold`: :bro:type:`function` Sets the current byte threshold for connection sizes, overwriting any potential old
threshold.
:bro:id:`set_current_conn_packets_threshold`: :bro:type:`function` Sets a threshold for connection packets, overwtiting any potential old thresholds.
================================================================== ===================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: get_current_conn_bytes_threshold
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, is_orig: :bro:type:`bool`) : :bro:type:`count`
Gets the current byte threshold size for a connection.
:cid: The connection id.
:is_orig: If true, threshold of originator, otherwhise threshold of responder.
:returns: 0 if no threshold is set or the threshold in bytes
.. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_packets_threshold
.. bro:id:: get_current_conn_packets_threshold
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, is_orig: :bro:type:`bool`) : :bro:type:`count`
Gets the current packet threshold size for a connection.
:cid: The connection id.
:is_orig: If true, threshold of originator, otherwhise threshold of responder.
:returns: 0 if no threshold is set or the threshold in packets
.. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold
.. bro:id:: set_current_conn_bytes_threshold
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`) : :bro:type:`bool`
Sets the current byte threshold for connection sizes, overwriting any potential old
threshold. Be aware that in nearly any case you will want to use the high level API
instead (ConnThreshold::set_bytes_threshold).
:cid: The connection id.
:threshold: Threshold in bytes.
:is_orig: If true, threshold is set for bytes from originator, otherwhise for bytes from responder.
.. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
.. bro:id:: set_current_conn_packets_threshold
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, threshold: :bro:type:`count`, is_orig: :bro:type:`bool`) : :bro:type:`bool`
Sets a threshold for connection packets, overwtiting any potential old thresholds.
Be aware that in nearly any case you will want to use the high level API
instead (ConnThreshold::set_packets_threshold).
:cid: The connection id.
:threshold: Threshold in packets.
:is_orig: If true, threshold is set for packets from originator, otherwhise for packets from responder.
.. bro:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold

15
doc/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Bro_DCE_RPC.consts.bif.bro
===========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

198
doc/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro.rst Normal file
View file

@ -0,0 +1,198 @@
:tocdepth: 3
base/bif/plugins/Bro_DCE_RPC.events.bif.bro
===========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================= ==============================================================================================================================
:bro:id:`dce_rpc_alter_context`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
:bro:id:`dce_rpc_alter_context_resp`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
:bro:id:`dce_rpc_bind`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
:bro:id:`dce_rpc_bind_ack`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
:bro:id:`dce_rpc_message`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
:bro:id:`dce_rpc_request`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:bro:id:`dce_rpc_response`: :bro:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
======================================================= ==============================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dce_rpc_alter_context
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, ctx_id: :bro:type:`count`, uuid: :bro:type:`string`, ver_major: :bro:type:`count`, ver_minor: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
multiple times for a single RPC message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ctx_id: The context identifier of the data representation.
:uuid: The string interpretted uuid of the endpoint being requested.
:ver_major: The major version of the endpoint being requested.
:ver_minor: The minor version of the endpoint being requested.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
.. bro:id:: dce_rpc_alter_context_resp
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
.. bro:id:: dce_rpc_bind
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, ctx_id: :bro:type:`count`, uuid: :bro:type:`string`, ver_major: :bro:type:`count`, ver_minor: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
multiple times for a single RPC message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ctx_id: The context identifier of the data representation.
:uuid: The string interpretted uuid of the endpoint being requested.
:ver_major: The major version of the endpoint being requested.
:ver_minor: The minor version of the endpoint being requested.
.. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
.. bro:id:: dce_rpc_bind_ack
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, sec_addr: :bro:type:`string`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:sec_addr: Secondary address for the ack.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
.. bro:id:: dce_rpc_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, fid: :bro:type:`count`, ptype_id: :bro:type:`count`, ptype: :bro:type:`DCE_RPC::PType`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
:c: The connection.
:is_orig: True if the message was sent by the originator of the TCP connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ptype_id: Numeric representation of the procedure type of the message.
:ptype: Enum representation of the prodecure type of the message.
.. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
.. bro:id:: dce_rpc_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, ctx_id: :bro:type:`count`, opnum: :bro:type:`count`, stub_len: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ctx_id: The context identifier of the data representation.
:opnum: Number of the RPC operation.
:stub_len: Length of the data for the request.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
.. bro:id:: dce_rpc_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, fid: :bro:type:`count`, ctx_id: :bro:type:`count`, opnum: :bro:type:`count`, stub_len: :bro:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
:c: The connection.
:fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:ctx_id: The context identifier of the data representation.
:opnum: Number of the RPC operation.
:stub_len: Length of the data for the response.
.. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request

105
doc/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro.rst Normal file
View file

@ -0,0 +1,105 @@
:tocdepth: 3
base/bif/plugins/Bro_DCE_RPC.types.bif.bro
==========================================
.. bro:namespace:: DCE_RPC
.. bro:namespace:: GLOBAL
:Namespaces: DCE_RPC, GLOBAL
Summary
~~~~~~~
Types
#####
============================================ =
:bro:type:`DCE_RPC::IfID`: :bro:type:`enum`
:bro:type:`DCE_RPC::PType`: :bro:type:`enum`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. bro:type:: DCE_RPC::IfID
:Type: :bro:type:`enum`
.. bro:enum:: DCE_RPC::unknown_if DCE_RPC::IfID
.. bro:enum:: DCE_RPC::epmapper DCE_RPC::IfID
.. bro:enum:: DCE_RPC::lsarpc DCE_RPC::IfID
.. bro:enum:: DCE_RPC::lsa_ds DCE_RPC::IfID
.. bro:enum:: DCE_RPC::mgmt DCE_RPC::IfID
.. bro:enum:: DCE_RPC::netlogon DCE_RPC::IfID
.. bro:enum:: DCE_RPC::samr DCE_RPC::IfID
.. bro:enum:: DCE_RPC::srvsvc DCE_RPC::IfID
.. bro:enum:: DCE_RPC::spoolss DCE_RPC::IfID
.. bro:enum:: DCE_RPC::drs DCE_RPC::IfID
.. bro:enum:: DCE_RPC::winspipe DCE_RPC::IfID
.. bro:enum:: DCE_RPC::wkssvc DCE_RPC::IfID
.. bro:enum:: DCE_RPC::oxid DCE_RPC::IfID
.. bro:enum:: DCE_RPC::ISCMActivator DCE_RPC::IfID
.. bro:type:: DCE_RPC::PType
:Type: :bro:type:`enum`
.. bro:enum:: DCE_RPC::REQUEST DCE_RPC::PType
.. bro:enum:: DCE_RPC::PING DCE_RPC::PType
.. bro:enum:: DCE_RPC::RESPONSE DCE_RPC::PType
.. bro:enum:: DCE_RPC::FAULT DCE_RPC::PType
.. bro:enum:: DCE_RPC::WORKING DCE_RPC::PType
.. bro:enum:: DCE_RPC::NOCALL DCE_RPC::PType
.. bro:enum:: DCE_RPC::REJECT DCE_RPC::PType
.. bro:enum:: DCE_RPC::ACK DCE_RPC::PType
.. bro:enum:: DCE_RPC::CL_CANCEL DCE_RPC::PType
.. bro:enum:: DCE_RPC::FACK DCE_RPC::PType
.. bro:enum:: DCE_RPC::CANCEL_ACK DCE_RPC::PType
.. bro:enum:: DCE_RPC::BIND DCE_RPC::PType
.. bro:enum:: DCE_RPC::BIND_ACK DCE_RPC::PType
.. bro:enum:: DCE_RPC::BIND_NAK DCE_RPC::PType
.. bro:enum:: DCE_RPC::ALTER_CONTEXT DCE_RPC::PType
.. bro:enum:: DCE_RPC::ALTER_CONTEXT_RESP DCE_RPC::PType
.. bro:enum:: DCE_RPC::AUTH3 DCE_RPC::PType
.. bro:enum:: DCE_RPC::SHUTDOWN DCE_RPC::PType
.. bro:enum:: DCE_RPC::CO_CANCEL DCE_RPC::PType
.. bro:enum:: DCE_RPC::ORPHANED DCE_RPC::PType
.. bro:enum:: DCE_RPC::RTS DCE_RPC::PType

43
doc/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Bro_DHCP.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================= ================================
:bro:id:`dhcp_message`: :bro:type:`event` Generated for all DHCP messages.
========================================= ================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dhcp_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`DHCP::Msg`, options: :bro:type:`DHCP::Options`)
Generated for all DHCP messages.
:c: The connection record describing the underlying UDP flow.
:is_orig: Indicate if the message came in a packet from the
originator/client of the udp flow or the responder/server.
:msg: The parsed type-independent part of the DHCP message. The message
type is indicated in this record.
:options: The full set of supported and parsed DHCP options.

16
doc/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_DHCP.types.bif.bro
=======================================
.. bro:namespace:: DHCP
.. bro:namespace:: GLOBAL
:Namespaces: DHCP, GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

567
doc/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro.rst Normal file
View file

@ -0,0 +1,567 @@
:tocdepth: 3
base/bif/plugins/Bro_DNP3.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================================== ===========================================================================
:bro:id:`dnp3_analog_input_16wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 2
analog input 16 bit with flag
:bro:id:`dnp3_analog_input_16woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 4
analog input 16 bit without flag
:bro:id:`dnp3_analog_input_32wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 1
analog input 32 bit with flag
:bro:id:`dnp3_analog_input_32woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 3
analog input 32 bit without flag
:bro:id:`dnp3_analog_input_DPwFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 6
analog input double precision, float point with flag
:bro:id:`dnp3_analog_input_SPwFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 30 and variation number 5
analog input single precision, float point with flag
:bro:id:`dnp3_analog_input_event_16wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 4
analog input event 16 bit with time
:bro:id:`dnp3_analog_input_event_16woTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 2
analog input event 16 bit without time
:bro:id:`dnp3_analog_input_event_32wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 3
analog input event 32 bit with time
:bro:id:`dnp3_analog_input_event_32woTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 1
analog input event 32 bit without time
:bro:id:`dnp3_analog_input_event_DPwTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 8
analog input event double-precisiion float point with time
:bro:id:`dnp3_analog_input_event_DPwoTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 6
analog input event double-precision float point without time
:bro:id:`dnp3_analog_input_event_SPwTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 7
analog input event single-precision float point with time
:bro:id:`dnp3_analog_input_event_SPwoTime`: :bro:type:`event` Generated for DNP3 objects with the group number 32 and variation number 5
analog input event single-precision float point without time
:bro:id:`dnp3_application_request_header`: :bro:type:`event` Generated for a DNP3 request header.
:bro:id:`dnp3_application_response_header`: :bro:type:`event` Generated for a DNP3 response header.
:bro:id:`dnp3_attribute_common`: :bro:type:`event` Generated for DNP3 attributes.
:bro:id:`dnp3_counter_16wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 20 and variation number 2
counter 16 bit with flag
:bro:id:`dnp3_counter_16woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 20 and variation number 6
counter 16 bit without flag
:bro:id:`dnp3_counter_32wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 20 and variation number 1
counter 32 bit with flag
:bro:id:`dnp3_counter_32woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 20 and variation number 5
counter 32 bit without flag
:bro:id:`dnp3_crob`: :bro:type:`event` Generated for DNP3 objects with the group number 12 and variation number 1
CROB: control relay output block
:bro:id:`dnp3_debug_byte`: :bro:type:`event` Debugging event generated by the DNP3 analyzer.
:bro:id:`dnp3_file_transport`: :bro:type:`event` g70
:bro:id:`dnp3_frozen_analog_input_16wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 2
frozen analog input 16 bit with flag
:bro:id:`dnp3_frozen_analog_input_16wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 4
frozen analog input 16 bit with time-of-freeze
:bro:id:`dnp3_frozen_analog_input_16woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 6
frozen analog input 16 bit without flag
:bro:id:`dnp3_frozen_analog_input_32wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 1
frozen analog input 32 bit with flag
:bro:id:`dnp3_frozen_analog_input_32wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 3
frozen analog input 32 bit with time-of-freeze
:bro:id:`dnp3_frozen_analog_input_32woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 5
frozen analog input 32 bit without flag
:bro:id:`dnp3_frozen_analog_input_DPwFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 8
frozen analog input double-precision, float point with flag
:bro:id:`dnp3_frozen_analog_input_SPwFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 31 and variation number 7
frozen analog input single-precision, float point with flag
:bro:id:`dnp3_frozen_analog_input_event_16wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 4
frozen analog input event 16 bit with time
:bro:id:`dnp3_frozen_analog_input_event_16woTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 2
frozen analog input event 16 bit without time
:bro:id:`dnp3_frozen_analog_input_event_32wTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 3
frozen analog input event 32 bit with time
:bro:id:`dnp3_frozen_analog_input_event_32woTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 1
frozen analog input event 32 bit without time
:bro:id:`dnp3_frozen_analog_input_event_DPwTime`: :bro:type:`event` Generated for DNP3 objects with the group number 34 and variation number 8
frozen analog input event double-precision float point with time
:bro:id:`dnp3_frozen_analog_input_event_DPwoTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 6
frozen analog input event double-precision float point without time
:bro:id:`dnp3_frozen_analog_input_event_SPwTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 7
frozen analog input event single-precision float point with time
:bro:id:`dnp3_frozen_analog_input_event_SPwoTime`: :bro:type:`event` Generated for DNP3 objects with the group number 33 and variation number 5
frozen analog input event single-precision float point without time
:bro:id:`dnp3_frozen_counter_16wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 2
frozen counter 16 bit with flag
:bro:id:`dnp3_frozen_counter_16wFlagTime`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 6
frozen counter 16 bit with flag and time
:bro:id:`dnp3_frozen_counter_16woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 10
frozen counter 16 bit without flag
:bro:id:`dnp3_frozen_counter_32wFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 1
frozen counter 32 bit with flag
:bro:id:`dnp3_frozen_counter_32wFlagTime`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 5
frozen counter 32 bit with flag and time
:bro:id:`dnp3_frozen_counter_32woFlag`: :bro:type:`event` Generated for DNP3 objects with the group number 21 and variation number 9
frozen counter 32 bit without flag
:bro:id:`dnp3_header_block`: :bro:type:`event` Generated for an additional header that the DNP3 analyzer passes to the
script-level.
:bro:id:`dnp3_object_header`: :bro:type:`event` Generated for the object header found in both DNP3 requests and responses.
:bro:id:`dnp3_object_prefix`: :bro:type:`event` Generated for the prefix before a DNP3 object.
:bro:id:`dnp3_pcb`: :bro:type:`event` Generated for DNP3 objects with the group number 12 and variation number 2
PCB: Pattern Control Block
:bro:id:`dnp3_response_data_object`: :bro:type:`event` Generated for a DNP3 "Response_Data_Object".
==================================================================== ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dnp3_analog_input_16wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 2
analog input 16 bit with flag
.. bro:id:: dnp3_analog_input_16woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 4
analog input 16 bit without flag
.. bro:id:: dnp3_analog_input_32wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 1
analog input 32 bit with flag
.. bro:id:: dnp3_analog_input_32woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 3
analog input 32 bit without flag
.. bro:id:: dnp3_analog_input_DPwFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value_low: :bro:type:`count`, value_high: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 6
analog input double precision, float point with flag
.. bro:id:: dnp3_analog_input_SPwFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 5
analog input single precision, float point with flag
.. bro:id:: dnp3_analog_input_event_16wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 4
analog input event 16 bit with time
.. bro:id:: dnp3_analog_input_event_16woTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 2
analog input event 16 bit without time
.. bro:id:: dnp3_analog_input_event_32wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 3
analog input event 32 bit with time
.. bro:id:: dnp3_analog_input_event_32woTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 1
analog input event 32 bit without time
.. bro:id:: dnp3_analog_input_event_DPwTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value_low: :bro:type:`count`, value_high: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 8
analog input event double-precisiion float point with time
.. bro:id:: dnp3_analog_input_event_DPwoTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value_low: :bro:type:`count`, value_high: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 6
analog input event double-precision float point without time
.. bro:id:: dnp3_analog_input_event_SPwTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 7
analog input event single-precision float point with time
.. bro:id:: dnp3_analog_input_event_SPwoTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, value: :bro:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 5
analog input event single-precision float point without time
.. bro:id:: dnp3_application_request_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, application: :bro:type:`count`, fc: :bro:type:`count`)
Generated for a DNP3 request header.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:fc: function code.
.. bro:id:: dnp3_application_response_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, application: :bro:type:`count`, fc: :bro:type:`count`, iin: :bro:type:`count`)
Generated for a DNP3 response header.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:fc: function code.
:iin: internal indication number.
.. bro:id:: dnp3_attribute_common
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, data_type_code: :bro:type:`count`, leng: :bro:type:`count`, attribute_obj: :bro:type:`string`)
Generated for DNP3 attributes.
.. bro:id:: dnp3_counter_16wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 2
counter 16 bit with flag
.. bro:id:: dnp3_counter_16woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 6
counter 16 bit without flag
.. bro:id:: dnp3_counter_32wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 1
counter 32 bit with flag
.. bro:id:: dnp3_counter_32woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 5
counter 32 bit without flag
.. bro:id:: dnp3_crob
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, control_code: :bro:type:`count`, count8: :bro:type:`count`, on_time: :bro:type:`count`, off_time: :bro:type:`count`, status_code: :bro:type:`count`)
Generated for DNP3 objects with the group number 12 and variation number 1
:CROB: control relay output block
.. bro:id:: dnp3_debug_byte
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, debug: :bro:type:`string`)
Debugging event generated by the DNP3 analyzer. The "Debug_Byte" binpac unit
generates this for unknown "cases". The user can use it to debug the byte
string to check what caused the malformed network packets.
.. bro:id:: dnp3_file_transport
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, file_handle: :bro:type:`count`, block_num: :bro:type:`count`, file_data: :bro:type:`string`)
g70
.. bro:id:: dnp3_frozen_analog_input_16wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 2
frozen analog input 16 bit with flag
.. bro:id:: dnp3_frozen_analog_input_16wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 4
frozen analog input 16 bit with time-of-freeze
.. bro:id:: dnp3_frozen_analog_input_16woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 6
frozen analog input 16 bit without flag
.. bro:id:: dnp3_frozen_analog_input_32wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 1
frozen analog input 32 bit with flag
.. bro:id:: dnp3_frozen_analog_input_32wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 3
frozen analog input 32 bit with time-of-freeze
.. bro:id:: dnp3_frozen_analog_input_32woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 5
frozen analog input 32 bit without flag
.. bro:id:: dnp3_frozen_analog_input_DPwFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value_low: :bro:type:`count`, frozen_value_high: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 8
frozen analog input double-precision, float point with flag
.. bro:id:: dnp3_frozen_analog_input_SPwFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 7
frozen analog input single-precision, float point with flag
.. bro:id:: dnp3_frozen_analog_input_event_16wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 4
frozen analog input event 16 bit with time
.. bro:id:: dnp3_frozen_analog_input_event_16woTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 2
frozen analog input event 16 bit without time
.. bro:id:: dnp3_frozen_analog_input_event_32wTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 3
frozen analog input event 32 bit with time
.. bro:id:: dnp3_frozen_analog_input_event_32woTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 1
frozen analog input event 32 bit without time
.. bro:id:: dnp3_frozen_analog_input_event_DPwTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value_low: :bro:type:`count`, frozen_value_high: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 34 and variation number 8
frozen analog input event double-precision float point with time
.. bro:id:: dnp3_frozen_analog_input_event_DPwoTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value_low: :bro:type:`count`, frozen_value_high: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 6
frozen analog input event double-precision float point without time
.. bro:id:: dnp3_frozen_analog_input_event_SPwTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 7
frozen analog input event single-precision float point with time
.. bro:id:: dnp3_frozen_analog_input_event_SPwoTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, frozen_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 5
frozen analog input event single-precision float point without time
.. bro:id:: dnp3_frozen_counter_16wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 2
frozen counter 16 bit with flag
.. bro:id:: dnp3_frozen_counter_16wFlagTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 6
frozen counter 16 bit with flag and time
.. bro:id:: dnp3_frozen_counter_16woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 10
frozen counter 16 bit without flag
.. bro:id:: dnp3_frozen_counter_32wFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 1
frozen counter 32 bit with flag
.. bro:id:: dnp3_frozen_counter_32wFlagTime
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, flag: :bro:type:`count`, count_value: :bro:type:`count`, time48: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 5
frozen counter 32 bit with flag and time
.. bro:id:: dnp3_frozen_counter_32woFlag
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, count_value: :bro:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 9
frozen counter 32 bit without flag
.. bro:id:: dnp3_header_block
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, len: :bro:type:`count`, ctrl: :bro:type:`count`, dest_addr: :bro:type:`count`, src_addr: :bro:type:`count`)
Generated for an additional header that the DNP3 analyzer passes to the
script-level. This header mimics the DNP3 transport-layer yet is only passed
once for each sequence of DNP3 records (which are otherwise reassembled and
treated as a single entity).
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:len: the "length" field in the DNP3 Pseudo Link Layer.
:ctrl: the "control" field in the DNP3 Pseudo Link Layer.
:dest_addr: the "destination" field in the DNP3 Pseudo Link Layer.
:src_addr: the "source" field in the DNP3 Pseudo Link Layer.
.. bro:id:: dnp3_object_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, obj_type: :bro:type:`count`, qua_field: :bro:type:`count`, number: :bro:type:`count`, rf_low: :bro:type:`count`, rf_high: :bro:type:`count`)
Generated for the object header found in both DNP3 requests and responses.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:obj_type: type of object, which is classified based on an 8-bit group number
and an 8-bit variation number.
:qua_field: qualifier field.
:number: TODO.
:rf_low: the structure of the range field depends on the qualified field.
In some cases, the range field contains only one logic part, e.g.,
number of objects, so only *rf_low* contains useful values.
:rf_high: in some cases, the range field contains two logic parts, e.g., start
index and stop index, so *rf_low* contains the start index
while *rf_high* contains the stop index.
.. bro:id:: dnp3_object_prefix
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, prefix_value: :bro:type:`count`)
Generated for the prefix before a DNP3 object. The structure and the meaning
of the prefix are defined by the qualifier field.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:prefix_value: The prefix.
.. bro:id:: dnp3_pcb
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, control_code: :bro:type:`count`, count8: :bro:type:`count`, on_time: :bro:type:`count`, off_time: :bro:type:`count`, status_code: :bro:type:`count`)
Generated for DNP3 objects with the group number 12 and variation number 2
:PCB: Pattern Control Block
.. bro:id:: dnp3_response_data_object
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, data_value: :bro:type:`count`)
Generated for a DNP3 "Response_Data_Object".
The "Response_Data_Object" contains two parts: object prefix and object
data. In most cases, object data are defined by new record types. But
in a few cases, object data are directly basic types, such as int16, or
int8; thus we use an additional *data_value* to record the values of those
object data.
:c: The connection the DNP3 communication is part of.
:is_orig: True if this reflects originator-side activity.
:data_value: The value for those objects that carry their information here
directly.

838
doc/scripts/base/bif/plugins/Bro_DNS.events.bif.bro.rst Normal file
View file

@ -0,0 +1,838 @@
:tocdepth: 3
base/bif/plugins/Bro_DNS.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================== ================================================================================
:bro:id:`dns_A6_reply`: :bro:type:`event` Generated for DNS replies of type *A6*.
:bro:id:`dns_AAAA_reply`: :bro:type:`event` Generated for DNS replies of type *AAAA*.
:bro:id:`dns_A_reply`: :bro:type:`event` Generated for DNS replies of type *A*.
:bro:id:`dns_CAA_reply`: :bro:type:`event` Generated for DNS replies of type *CAA* (Certification Authority Authorization).
:bro:id:`dns_CNAME_reply`: :bro:type:`event` Generated for DNS replies of type *CNAME*.
:bro:id:`dns_DNSKEY`: :bro:type:`event` Generated for DNS replies of type *DNSKEY*.
:bro:id:`dns_DS`: :bro:type:`event` Generated for DNS replies of type *DS*.
:bro:id:`dns_EDNS_addl`: :bro:type:`event` Generated for DNS replies of type *EDNS*.
:bro:id:`dns_HINFO_reply`: :bro:type:`event` Generated for DNS replies of type *HINFO*.
:bro:id:`dns_MX_reply`: :bro:type:`event` Generated for DNS replies of type *MX*.
:bro:id:`dns_NSEC`: :bro:type:`event` Generated for DNS replies of type *NSEC*.
:bro:id:`dns_NSEC3`: :bro:type:`event` Generated for DNS replies of type *NSEC3*.
:bro:id:`dns_NS_reply`: :bro:type:`event` Generated for DNS replies of type *NS*.
:bro:id:`dns_PTR_reply`: :bro:type:`event` Generated for DNS replies of type *PTR*.
:bro:id:`dns_RRSIG`: :bro:type:`event` Generated for DNS replies of type *RRSIG*.
:bro:id:`dns_SOA_reply`: :bro:type:`event` Generated for DNS replies of type *CNAME*.
:bro:id:`dns_SRV_reply`: :bro:type:`event` Generated for DNS replies of type *SRV*.
:bro:id:`dns_TSIG_addl`: :bro:type:`event` Generated for DNS replies of type *TSIG*.
:bro:id:`dns_TXT_reply`: :bro:type:`event` Generated for DNS replies of type *TXT*.
:bro:id:`dns_WKS_reply`: :bro:type:`event` Generated for DNS replies of type *WKS*.
:bro:id:`dns_end`: :bro:type:`event` Generated at the end of processing a DNS packet.
:bro:id:`dns_full_request`: :bro:type:`event` Deprecated.
:bro:id:`dns_message`: :bro:type:`event` Generated for all DNS messages.
:bro:id:`dns_query_reply`: :bro:type:`event` Generated for each entry in the Question section of a DNS reply.
:bro:id:`dns_rejected`: :bro:type:`event` Generated for DNS replies that reject a query.
:bro:id:`dns_request`: :bro:type:`event` Generated for DNS requests.
:bro:id:`dns_unknown_reply`: :bro:type:`event` Generated on DNS reply resource records when the type of record is not one
that Bro knows how to parse and generate another more specific event.
:bro:id:`non_dns_request`: :bro:type:`event` msg: The raw DNS payload.
============================================== ================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dns_A6_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)
Generated for DNS replies of type *A6*. For replies with multiple answers, an
individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:a: The address returned by the reply.
.. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_AAAA_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)
Generated for DNS replies of type *AAAA*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:a: The address returned by the reply.
.. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_A_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)
Generated for DNS replies of type *A*. For replies with multiple answers, an
individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:a: The address returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_CAA_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, flags: :bro:type:`count`, tag: :bro:type:`string`, value: :bro:type:`string`)
Generated for DNS replies of type *CAA* (Certification Authority Authorization).
For replies with multiple answers, an individual event of the corresponding type
is raised for each.
See `RFC 6844 <https://tools.ietf.org/html/rfc6844>`__ for more details.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:flags: The flags byte of the CAA reply.
:tag: The property identifier of the CAA reply.
:value: The property value of the CAA reply.
.. bro:id:: dns_CNAME_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)
Generated for DNS replies of type *CNAME*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:name: The name returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_DNSKEY
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, dnskey: :bro:type:`dns_dnskey_rr`)
Generated for DNS replies of type *DNSKEY*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:dnskey: The parsed DNSKEY record.
.. bro:id:: dns_DS
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, ds: :bro:type:`dns_ds_rr`)
Generated for DNS replies of type *DS*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:ds: The parsed RDATA of DS record.
.. bro:id:: dns_EDNS_addl
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_edns_additional`)
Generated for DNS replies of type *EDNS*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The parsed EDNS reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_HINFO_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)
Generated for DNS replies of type *HINFO*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_MX_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`, preference: :bro:type:`count`)
Generated for DNS replies of type *MX*. For replies with multiple answers, an
individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:name: The name returned by the reply.
:preference: The preference for *name* specified by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_NSEC
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, next_name: :bro:type:`string`, bitmaps: :bro:type:`string_vec`)
Generated for DNS replies of type *NSEC*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:next_name: The parsed next secure domain name.
:bitmaps: vector of strings in hex for the bit maps present.
.. bro:id:: dns_NSEC3
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, nsec3: :bro:type:`dns_nsec3_rr`)
Generated for DNS replies of type *NSEC3*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:nsec3: The parsed RDATA of Nsec3 record.
.. bro:id:: dns_NS_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)
Generated for DNS replies of type *NS*. For replies with multiple answers, an
individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:name: The name returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_PTR_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)
Generated for DNS replies of type *PTR*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:name: The name returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_RRSIG
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, rrsig: :bro:type:`dns_rrsig_rr`)
Generated for DNS replies of type *RRSIG*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:rrsig: The parsed RRSIG record.
.. bro:id:: dns_SOA_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, soa: :bro:type:`dns_soa`)
Generated for DNS replies of type *CNAME*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:soa: The parsed SOA value.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_SRV_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, target: :bro:type:`string`, priority: :bro:type:`count`, weight: :bro:type:`count`, p: :bro:type:`count`)
Generated for DNS replies of type *SRV*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:target: Target of the SRV response -- the canonical hostname of the
machine providing the service, ending in a dot.
:priority: Priority of the SRV response -- the priority of the target
host, lower value means more preferred.
:weight: Weight of the SRV response -- a relative weight for records
with the same priority, higher value means more preferred.
:p: Port of the SRV response -- the TCP or UDP port on which the
service is to be found.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_TSIG_addl
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_tsig_additional`)
Generated for DNS replies of type *TSIG*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The parsed TSIG reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_TXT_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, strs: :bro:type:`string_vec`)
Generated for DNS replies of type *TXT*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
:strs: The textual information returned by the reply.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_WKS_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)
Generated for DNS replies of type *WKS*. For replies with multiple answers,
an individual event of the corresponding type is raised for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_end
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`)
Generated at the end of processing a DNS packet. This event is the last
``dns_*`` event that will be raised for a DNS query/reply and signals that
all resource records have been passed on.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_full_request
:Type: :bro:type:`event` ()
Deprecated. Will be removed.
.. todo:: Unclear what this event is for; it's never raised. We should just
remove it.
.. bro:id:: dns_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`dns_msg`, len: :bro:type:`count`)
Generated for all DNS messages.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:is_orig: True if the message was sent by the originator of the connection.
:msg: The parsed DNS message header.
:len: The length of the message's raw representation (i.e., the DNS payload).
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_query_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)
Generated for each entry in the Question section of a DNS reply.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:query: The queried name.
:qtype: The queried resource record type.
:qclass: The queried resource record class.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_rejected
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)
Generated for DNS replies that reject a query. This event is raised if a DNS
reply indicates failure because it does not pass on any
answers to a query. Note that all of the event's parameters are parsed out of
the reply; there's no stateful correlation with the query.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:query: The queried name.
:qtype: The queried resource record type.
:qclass: The queried resource record class.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)
Generated for DNS requests. For requests with multiple queries, this event
is raised once for each.
See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
information about the DNS protocol. Bro analyzes both UDP and TCP DNS
sessions.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:query: The queried name.
:qtype: The queried resource record type.
:qclass: The queried resource record class.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
dns_skip_all_addl dns_skip_all_auth dns_skip_auth
.. bro:id:: dns_unknown_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)
Generated on DNS reply resource records when the type of record is not one
that Bro knows how to parse and generate another more specific event.
:c: The connection, which may be UDP or TCP depending on the type of the
transport-layer session being analyzed.
:msg: The parsed DNS message header.
:ans: The type-independent part of the parsed answer record.
.. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
.. bro:id:: non_dns_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`)
:msg: The raw DNS payload.
.. note:: This event is deprecated and superseded by Bro's dynamic protocol
detection framework.

72
doc/scripts/base/bif/plugins/Bro_FTP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,72 @@
:tocdepth: 3
base/bif/plugins/Bro_FTP.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================== =======================================
:bro:id:`ftp_reply`: :bro:type:`event` Generated for server-side FTP replies.
:bro:id:`ftp_request`: :bro:type:`event` Generated for client-side FTP commands.
======================================== =======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: ftp_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, code: :bro:type:`count`, msg: :bro:type:`string`, cont_resp: :bro:type:`bool`)
Generated for server-side FTP replies.
See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
more information about the FTP protocol.
:c: The connection.
:code: The numerical response code the server responded with.
:msg: The textual message of the response.
:cont_resp: True if the reply line is tagged as being continued to the next
line. If so, further events will be raised and a handler may want
to reassemble the pieces before processing the response any
further.
.. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
parse_ftp_epsv parse_ftp_pasv parse_ftp_port
.. bro:id:: ftp_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, command: :bro:type:`string`, arg: :bro:type:`string`)
Generated for client-side FTP commands.
See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
more information about the FTP protocol.
:c: The connection.
:command: The FTP command issued by the client (without any arguments).
:arg: The arguments going with the command.
.. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
parse_ftp_epsv parse_ftp_pasv parse_ftp_port

110
doc/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro.rst Normal file
View file

@ -0,0 +1,110 @@
:tocdepth: 3
base/bif/plugins/Bro_FTP.functions.bif.bro
==========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
=============================================== ==========================================================================
:bro:id:`fmt_ftp_port`: :bro:type:`function` Formats an IP address and TCP port as an FTP PORT command.
:bro:id:`parse_eftp_port`: :bro:type:`function` Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
to an :bro:type:`ftp_port`.
:bro:id:`parse_ftp_epsv`: :bro:type:`function` Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
:bro:type:`ftp_port`.
:bro:id:`parse_ftp_pasv`: :bro:type:`function` Converts the result of the FTP PASV command to an :bro:type:`ftp_port`.
:bro:id:`parse_ftp_port`: :bro:type:`function` Converts a string representation of the FTP PORT command to an
:bro:type:`ftp_port`.
=============================================== ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: fmt_ftp_port
:Type: :bro:type:`function` (a: :bro:type:`addr`, p: :bro:type:`port`) : :bro:type:`string`
Formats an IP address and TCP port as an FTP PORT command. For example,
``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``.
:a: The IP address.
:p: The TCP port.
:returns: The FTP PORT string.
.. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
.. bro:id:: parse_eftp_port
:Type: :bro:type:`function` (s: :bro:type:`string`) : :bro:type:`ftp_port`
Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
to an :bro:type:`ftp_port`. The format is
``"EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>"``,
where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
:s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
.. bro:id:: parse_ftp_epsv
:Type: :bro:type:`function` (str: :bro:type:`string`) : :bro:type:`ftp_port`
Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
:bro:type:`ftp_port`. The format is ``"<text> (<d><d><d><tcp-port><d>)"``,
where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
:str: The string containing the result of the FTP EPSV command.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
.. bro:id:: parse_ftp_pasv
:Type: :bro:type:`function` (str: :bro:type:`string`) : :bro:type:`ftp_port`
Converts the result of the FTP PASV command to an :bro:type:`ftp_port`.
:str: The string containing the result of the FTP PASV command.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
.. bro:id:: parse_ftp_port
:Type: :bro:type:`function` (s: :bro:type:`string`) : :bro:type:`ftp_port`
Converts a string representation of the FTP PORT command to an
:bro:type:`ftp_port`.
:s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port

44
doc/scripts/base/bif/plugins/Bro_File.events.bif.bro.rst Normal file
View file

@ -0,0 +1,44 @@
:tocdepth: 3
base/bif/plugins/Bro_File.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================= ========================================================================
:bro:id:`file_transferred`: :bro:type:`event` Generated when a TCP connection associated w/ file data transfer is seen
(e.g.
============================================= ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: file_transferred
:Type: :bro:type:`event` (c: :bro:type:`connection`, prefix: :bro:type:`string`, descr: :bro:type:`string`, mime_type: :bro:type:`string`)
Generated when a TCP connection associated w/ file data transfer is seen
(e.g. as happens w/ FTP or IRC).
:c: The connection over which file data is transferred.
:prefix: Up to 1024 bytes of the file data.
:descr: Deprecated/unused argument.
:mime_type: MIME type of the file or "<unknown>" if no file magic signatures
matched.

38
doc/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro.rst Normal file
View file

@ -0,0 +1,38 @@
:tocdepth: 3
base/bif/plugins/Bro_FileEntropy.events.bif.bro
===============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================= ========================================================
:bro:id:`file_entropy`: :bro:type:`event` This event is generated each time file analysis performs
entropy testing on a file.
========================================= ========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: file_entropy
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, ent: :bro:type:`entropy_test_result`)
This event is generated each time file analysis performs
entropy testing on a file.
:f: The file.
:ent: The results of the entropy testing.

50
doc/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro.rst Normal file
View file

@ -0,0 +1,50 @@
:tocdepth: 3
base/bif/plugins/Bro_FileExtract.events.bif.bro
===============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================== ================================================================
:bro:id:`file_extraction_limit`: :bro:type:`event` This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :bro:see:`Files::AnalyzerArgs`.
================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: file_extraction_limit
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, args: :bro:type:`Files::AnalyzerArgs`, limit: :bro:type:`count`, len: :bro:type:`count`)
This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :bro:see:`Files::AnalyzerArgs`.
The analyzer is automatically removed from file *f*.
:f: The file.
:args: Arguments that identify a particular file extraction analyzer.
This is only provided to be able to pass along to
:bro:see:`FileExtract::set_limit`.
:limit: The limit, in bytes, the extracted file is about to breach.
:len: The length of the file chunk about to be written.
.. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT

31
doc/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro.rst Normal file
View file

@ -0,0 +1,31 @@
:tocdepth: 3
base/bif/plugins/Bro_FileExtract.functions.bif.bro
==================================================
.. bro:namespace:: FileExtract
.. bro:namespace:: GLOBAL
Internal functions used by the extraction file analyzer.
:Namespaces: FileExtract, GLOBAL
Summary
~~~~~~~
Functions
#########
======================================================== ==================================
:bro:id:`FileExtract::__set_limit`: :bro:type:`function` :bro:see:`FileExtract::set_limit`.
======================================================== ==================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: FileExtract::__set_limit
:Type: :bro:type:`function` (file_id: :bro:type:`string`, args: :bro:type:`any`, n: :bro:type:`count`) : :bro:type:`bool`
:bro:see:`FileExtract::set_limit`.

43
doc/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro.rst Normal file
View file

@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Bro_FileHash.events.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================== =========================================================================
:bro:id:`file_hash`: :bro:type:`event` This event is generated each time file analysis generates a digest of the
file contents.
====================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: file_hash
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, kind: :bro:type:`string`, hash: :bro:type:`string`)
This event is generated each time file analysis generates a digest of the
file contents.
:f: The file.
:kind: The type of digest algorithm.
:hash: The result of the hashing.
.. bro:see:: Files::add_analyzer Files::ANALYZER_MD5
Files::ANALYZER_SHA1 Files::ANALYZER_SHA256

74
doc/scripts/base/bif/plugins/Bro_Finger.events.bif.bro.rst Normal file
View file

@ -0,0 +1,74 @@
:tocdepth: 3
base/bif/plugins/Bro_Finger.events.bif.bro
==========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================== ==============================
:bro:id:`finger_reply`: :bro:type:`event` Generated for Finger replies.
:bro:id:`finger_request`: :bro:type:`event` Generated for Finger requests.
=========================================== ==============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: finger_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, reply_line: :bro:type:`string`)
Generated for Finger replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
information about the Finger protocol.
:c: The connection.
:reply_line: The reply as returned by the server
.. bro:see:: finger_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: finger_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, full: :bro:type:`bool`, username: :bro:type:`string`, hostname: :bro:type:`string`)
Generated for Finger requests.
See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
information about the Finger protocol.
:c: The connection.
:full: True if verbose information is requested (``/W`` switch).
:username: The request's user name.
:hostname: The request's host name.
.. bro:see:: finger_reply
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

36
doc/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro.rst Normal file
View file

@ -0,0 +1,36 @@
:tocdepth: 3
base/bif/plugins/Bro_GSSAPI.events.bif.bro
==========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================== =========================================
:bro:id:`gssapi_neg_result`: :bro:type:`event` Generated for GSSAPI negotiation results.
============================================== =========================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: gssapi_neg_result
:Type: :bro:type:`event` (c: :bro:type:`connection`, state: :bro:type:`count`)
Generated for GSSAPI negotiation results.
:c: The connection.
:state: The resulting state of the negotiation.

151
doc/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro.rst Normal file
View file

@ -0,0 +1,151 @@
:tocdepth: 3
base/bif/plugins/Bro_GTPv1.events.bif.bro
=========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================== ===========================================================
:bro:id:`gtpv1_create_pdp_ctx_request`: :bro:type:`event` Generated for GTPv1-C Create PDP Context Request messages.
:bro:id:`gtpv1_create_pdp_ctx_response`: :bro:type:`event` Generated for GTPv1-C Create PDP Context Response messages.
:bro:id:`gtpv1_delete_pdp_ctx_request`: :bro:type:`event` Generated for GTPv1-C Delete PDP Context Request messages.
:bro:id:`gtpv1_delete_pdp_ctx_response`: :bro:type:`event` Generated for GTPv1-C Delete PDP Context Response messages.
:bro:id:`gtpv1_g_pdu_packet`: :bro:type:`event` Generated for GTPv1 G-PDU packets.
:bro:id:`gtpv1_message`: :bro:type:`event` Generated for any GTP message with a GTPv1 header.
:bro:id:`gtpv1_update_pdp_ctx_request`: :bro:type:`event` Generated for GTPv1-C Update PDP Context Request messages.
:bro:id:`gtpv1_update_pdp_ctx_response`: :bro:type:`event` Generated for GTPv1-C Update PDP Context Response messages.
========================================================== ===========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: gtpv1_create_pdp_ctx_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`gtpv1_hdr`, elements: :bro:type:`gtp_create_pdp_ctx_request_elements`)
Generated for GTPv1-C Create PDP Context Request messages.
:c: The connection over which the message is sent.
:hdr: The GTPv1 header.
:elements: The set of Information Elements comprising the message.
.. bro:id:: gtpv1_create_pdp_ctx_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`gtpv1_hdr`, elements: :bro:type:`gtp_create_pdp_ctx_response_elements`)
Generated for GTPv1-C Create PDP Context Response messages.
:c: The connection over which the message is sent.
:hdr: The GTPv1 header.
:elements: The set of Information Elements comprising the message.
.. bro:id:: gtpv1_delete_pdp_ctx_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`gtpv1_hdr`, elements: :bro:type:`gtp_delete_pdp_ctx_request_elements`)
Generated for GTPv1-C Delete PDP Context Request messages.
:c: The connection over which the message is sent.
:hdr: The GTPv1 header.
:elements: The set of Information Elements comprising the message.
.. bro:id:: gtpv1_delete_pdp_ctx_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`gtpv1_hdr`, elements: :bro:type:`gtp_delete_pdp_ctx_response_elements`)
Generated for GTPv1-C Delete PDP Context Response messages.
:c: The connection over which the message is sent.
:hdr: The GTPv1 header.
:elements: The set of Information Elements comprising the message.
.. bro:id:: gtpv1_g_pdu_packet
:Type: :bro:type:`event` (outer: :bro:type:`connection`, inner_gtp: :bro:type:`gtpv1_hdr`, inner_ip: :bro:type:`pkt_hdr`)
Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
that includes a GTP header followed by an IPv4 or IPv6 packet.
:outer: The GTP outer tunnel connection.
:inner_gtp: The GTP header.
:inner_ip: The inner IP and transport layer packet headers.
.. note:: Since this event may be raised on a per-packet basis, handling
it may become particularly expensive for real-time analysis.
.. bro:id:: gtpv1_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`gtpv1_hdr`)
Generated for any GTP message with a GTPv1 header.
:c: The connection over which the message is sent.
:hdr: The GTPv1 header.
.. bro:id:: gtpv1_update_pdp_ctx_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`gtpv1_hdr`, elements: :bro:type:`gtp_update_pdp_ctx_request_elements`)
Generated for GTPv1-C Update PDP Context Request messages.
:c: The connection over which the message is sent.
:hdr: The GTPv1 header.
:elements: The set of Information Elements comprising the message.
.. bro:id:: gtpv1_update_pdp_ctx_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`gtpv1_hdr`, elements: :bro:type:`gtp_update_pdp_ctx_response_elements`)
Generated for GTPv1-C Update PDP Context Response messages.
:c: The connection over which the message is sent.
:hdr: The GTPv1 header.
:elements: The set of Information Elements comprising the message.

131
doc/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro.rst Normal file
View file

@ -0,0 +1,131 @@
:tocdepth: 3
base/bif/plugins/Bro_Gnutella.events.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================== =====
:bro:id:`gnutella_binary_msg`: :bro:type:`event` TODO.
:bro:id:`gnutella_establish`: :bro:type:`event` TODO.
:bro:id:`gnutella_http_notify`: :bro:type:`event` TODO.
:bro:id:`gnutella_not_establish`: :bro:type:`event` TODO.
:bro:id:`gnutella_partial_binary_msg`: :bro:type:`event` TODO.
:bro:id:`gnutella_text_msg`: :bro:type:`event` TODO.
======================================================== =====
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: gnutella_binary_msg
:Type: :bro:type:`event` (c: :bro:type:`connection`, orig: :bro:type:`bool`, msg_type: :bro:type:`count`, ttl: :bro:type:`count`, hops: :bro:type:`count`, msg_len: :bro:type:`count`, payload: :bro:type:`string`, payload_len: :bro:type:`count`, trunc: :bro:type:`bool`, complete: :bro:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: gnutella_establish
:Type: :bro:type:`event` (c: :bro:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: gnutella_http_notify
:Type: :bro:type:`event` (c: :bro:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: gnutella_not_establish
:Type: :bro:type:`event` (c: :bro:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: gnutella_partial_binary_msg
:Type: :bro:type:`event` (c: :bro:type:`connection`, orig: :bro:type:`bool`, msg: :bro:type:`string`, len: :bro:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_not_establish gnutella_signature_found gnutella_text_msg
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: gnutella_text_msg
:Type: :bro:type:`event` (c: :bro:type:`connection`, orig: :bro:type:`bool`, headers: :bro:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

358
doc/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,358 @@
:tocdepth: 3
base/bif/plugins/Bro_HTTP.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== ========================================================================
:bro:id:`http_all_headers`: :bro:type:`event` Generated for HTTP headers, passing on all headers of an HTTP message at
once.
:bro:id:`http_begin_entity`: :bro:type:`event` Generated when starting to parse an HTTP body entity.
:bro:id:`http_connection_upgrade`: :bro:type:`event` Generated when a HTTP session is upgraded to a different protocol (e.g.
:bro:id:`http_content_type`: :bro:type:`event` Generated for reporting an HTTP body's content type.
:bro:id:`http_end_entity`: :bro:type:`event` Generated when finishing parsing an HTTP body entity.
:bro:id:`http_entity_data`: :bro:type:`event` Generated when parsing an HTTP body entity, passing on the data.
:bro:id:`http_event`: :bro:type:`event` Generated for errors found when decoding HTTP requests or replies.
:bro:id:`http_header`: :bro:type:`event` Generated for HTTP headers.
:bro:id:`http_message_done`: :bro:type:`event` Generated once at the end of parsing an HTTP message.
:bro:id:`http_reply`: :bro:type:`event` Generated for HTTP replies.
:bro:id:`http_request`: :bro:type:`event` Generated for HTTP requests.
:bro:id:`http_stats`: :bro:type:`event` Generated at the end of an HTTP session to report statistics about it.
==================================================== ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: http_all_headers
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, hlist: :bro:type:`mime_header_list`)
Generated for HTTP headers, passing on all headers of an HTTP message at
once. Bro supports persistent and pipelined HTTP sessions and raises
corresponding events as it parses client/server dialogues.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:is_orig: True if the header was sent by the originator of the TCP connection.
:hlist: A *table* containing all headers extracted from the current entity.
The table is indexed by the position of the header (1 for the first,
2 for the second, etc.).
.. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. bro:id:: http_begin_entity
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
Generated when starting to parse an HTTP body entity. This event is generated
at least once for each non-empty (client or server) HTTP body; and
potentially more than once if the body contains further nested MIME
entities. Bro raises this event just before it starts parsing each entity's
content.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:is_orig: True if the entity was sent by the originator of the TCP
connection.
.. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
mime_begin_entity http_connection_upgrade
.. bro:id:: http_connection_upgrade
:Type: :bro:type:`event` (c: :bro:type:`connection`, protocol: :bro:type:`string`)
Generated when a HTTP session is upgraded to a different protocol (e.g. websocket).
This event is raised when a server replies with a HTTP 101 reply. No more HTTP events
will be raised after this event.
:c: The connection.
:protocol: The protocol to which the connection is switching.
.. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply
http_request
.. bro:id:: http_content_type
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, ty: :bro:type:`string`, subty: :bro:type:`string`)
Generated for reporting an HTTP body's content type. This event is
generated at the end of parsing an HTTP header, passing on the MIME
type as specified by the ``Content-Type`` header. If that header is
missing, this event is still raised with a default value of ``text/plain``.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:is_orig: True if the entity was sent by the originator of the TCP
connection.
:ty: The main type.
:subty: The subtype.
.. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. bro:id:: http_end_entity
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
Generated when finishing parsing an HTTP body entity. This event is generated
at least once for each non-empty (client or server) HTTP body; and
potentially more than once if the body contains further nested MIME
entities. Bro raises this event at the point when it has finished parsing an
entity's content.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:is_orig: True if the entity was sent by the originator of the TCP
connection.
.. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
http_event http_header http_message_done http_reply http_request
http_stats mime_end_entity http_connection_upgrade
.. bro:id:: http_entity_data
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, length: :bro:type:`count`, data: :bro:type:`string`)
Generated when parsing an HTTP body entity, passing on the data. This event
can potentially be raised many times for each entity, each time passing a
chunk of the data of not further defined size.
A common idiom for using this event is to first *reassemble* the data
at the scripting layer by concatenating it to a successively growing
string; and only perform further content analysis once the corresponding
:bro:id:`http_end_entity` event has been raised. Note, however, that doing so
can be quite expensive for HTTP tranders. At the very least, one should
impose an upper size limit on how much data is being buffered.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:is_orig: True if the entity was sent by the originator of the TCP
connection.
:length: The length of *data*.
:data: One chunk of raw entity data.
.. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_event http_header http_message_done http_reply http_request http_stats
mime_entity_data http_entity_data_delivery_size skip_http_data
http_connection_upgrade
.. bro:id:: http_event
:Type: :bro:type:`event` (c: :bro:type:`connection`, event_type: :bro:type:`string`, detail: :bro:type:`string`)
Generated for errors found when decoding HTTP requests or replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:event_type: A string describing the general category of the problem found
(e.g., ``illegal format``).
:detail: Further more detailed description of the error.
.. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_header http_message_done http_reply http_request
http_stats mime_event http_connection_upgrade
.. bro:id:: http_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, name: :bro:type:`string`, value: :bro:type:`string`)
Generated for HTTP headers. Bro supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:is_orig: True if the header was sent by the originator of the TCP connection.
:name: The name of the header.
:value: The value of the header.
.. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_message_done http_reply http_request
http_stats http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. bro:id:: http_message_done
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, stat: :bro:type:`http_message_stat`)
Generated once at the end of parsing an HTTP message. Bro supports persistent
and pipelined HTTP sessions and raises corresponding events as it parses
client/server dialogues. A "message" is one top-level HTTP entity, such as a
complete request or reply. Each message can have further nested sub-entities
inside. This event is raised once all sub-entities belonging to a top-level
message have been processed (and their corresponding ``http_entity_*`` events
generated).
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:is_orig: True if the entity was sent by the originator of the TCP
connection.
:stat: Further meta information about the message.
.. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_reply http_request http_stats
http_connection_upgrade
.. bro:id:: http_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, version: :bro:type:`string`, code: :bro:type:`count`, reason: :bro:type:`string`)
Generated for HTTP replies. Bro supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues. This event is generated as soon as a reply's initial line has
been parsed, and before any :bro:id:`http_header` events are raised.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:version: The version number specified in the reply (e.g., ``1.1``).
:code: The numerical response code returned by the server.
:reason: The textual description returned by the server along with *code*.
.. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_request
http_stats http_connection_upgrade
.. bro:id:: http_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, method: :bro:type:`string`, original_URI: :bro:type:`string`, unescaped_URI: :bro:type:`string`, version: :bro:type:`string`)
Generated for HTTP requests. Bro supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues. This event is generated as soon as a request's initial line has
been parsed, and before any :bro:id:`http_header` events are raised.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:c: The connection.
:method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``).
:original_URI: The unprocessed URI as specified in the request.
:unescaped_URI: The URI with all percent-encodings decoded.
:version: The version number specified in the request (e.g., ``1.1``).
.. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply http_stats
truncate_http_URI http_connection_upgrade
.. bro:id:: http_stats
:Type: :bro:type:`event` (c: :bro:type:`connection`, stats: :bro:type:`http_stats_rec`)
Generated at the end of an HTTP session to report statistics about it. This
event is raised after all of an HTTP session's requests and replies have been
fully processed.
:c: The connection.
:stats: Statistics summarizing HTTP-level properties of the finished
connection.
.. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply
http_request http_connection_upgrade

58
doc/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro.rst Normal file
View file

@ -0,0 +1,58 @@
:tocdepth: 3
base/bif/plugins/Bro_HTTP.functions.bif.bro
===========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
===================================================== ===============================================================
:bro:id:`skip_http_entity_data`: :bro:type:`function` Skips the data of the HTTP entity.
:bro:id:`unescape_URI`: :bro:type:`function` Unescapes all characters in a URI (decode every ``%xx`` group).
===================================================== ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: skip_http_entity_data
:Type: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`any`
Skips the data of the HTTP entity.
:c: The HTTP connection.
:is_orig: If true, the client data is skipped, and the server data otherwise.
.. bro:see:: skip_smtp_data
.. bro:id:: unescape_URI
:Type: :bro:type:`function` (URI: :bro:type:`string`) : :bro:type:`string`
Unescapes all characters in a URI (decode every ``%xx`` group).
:URI: The URI to unescape.
:returns: The unescaped URI with all ``%xx`` groups decoded.
.. note::
Unescaping reserved characters may cause loss of information.
:rfc:`2396`: A URI is always in an "escaped" form, since escaping or
unescaping a completed URI might change its semantics. Normally, the
only time escape encodings can safely be made is when the URI is
being created from its component parts.

459
doc/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,459 @@
:tocdepth: 3
base/bif/plugins/Bro_ICMP.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================== ====================================================================
:bro:id:`icmp_echo_reply`: :bro:type:`event` Generated for ICMP *echo reply* messages.
:bro:id:`icmp_echo_request`: :bro:type:`event` Generated for ICMP *echo request* messages.
:bro:id:`icmp_error_message`: :bro:type:`event` Generated for all ICMPv6 error messages that are not handled
separately with dedicated events.
:bro:id:`icmp_neighbor_advertisement`: :bro:type:`event` Generated for ICMP *neighbor advertisement* messages.
:bro:id:`icmp_neighbor_solicitation`: :bro:type:`event` Generated for ICMP *neighbor solicitation* messages.
:bro:id:`icmp_packet_too_big`: :bro:type:`event` Generated for ICMPv6 *packet too big* messages.
:bro:id:`icmp_parameter_problem`: :bro:type:`event` Generated for ICMPv6 *parameter problem* messages.
:bro:id:`icmp_redirect`: :bro:type:`event` Generated for ICMP *redirect* messages.
:bro:id:`icmp_router_advertisement`: :bro:type:`event` Generated for ICMP *router advertisement* messages.
:bro:id:`icmp_router_solicitation`: :bro:type:`event` Generated for ICMP *router solicitation* messages.
:bro:id:`icmp_sent`: :bro:type:`event` Generated for all ICMP messages that are not handled separately with
dedicated ICMP events.
:bro:id:`icmp_sent_payload`: :bro:type:`event` The same as :bro:see:`icmp_sent` except containing the ICMP payload.
:bro:id:`icmp_time_exceeded`: :bro:type:`event` Generated for ICMP *time exceeded* messages.
:bro:id:`icmp_unreachable`: :bro:type:`event` Generated for ICMP *destination unreachable* messages.
======================================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: icmp_echo_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, id: :bro:type:`count`, seq: :bro:type:`count`, payload: :bro:type:`string`)
Generated for ICMP *echo reply* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:id: The *echo reply* identifier.
:seq: The *echo reply* sequence number.
:payload: The message-specific data of the packet payload, i.e., everything
after the first 8 bytes of the ICMP header.
.. bro:see:: icmp_echo_request
.. bro:id:: icmp_echo_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, id: :bro:type:`count`, seq: :bro:type:`count`, payload: :bro:type:`string`)
Generated for ICMP *echo request* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:id: The *echo request* identifier.
:seq: The *echo request* sequence number.
:payload: The message-specific data of the packet payload, i.e., everything
after the first 8 bytes of the ICMP header.
.. bro:see:: icmp_echo_reply
.. bro:id:: icmp_error_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, code: :bro:type:`count`, context: :bro:type:`icmp_context`)
Generated for all ICMPv6 error messages that are not handled
separately with dedicated events. Bro's ICMP analyzer handles a number
of ICMP error messages directly with dedicated events. This event acts
as a fallback for those it doesn't.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:code: The ICMP code of the error message.
:context: A record with specifics of the original packet that the message
refers to.
.. bro:see:: icmp_unreachable icmp_packet_too_big
icmp_time_exceeded icmp_parameter_problem
.. bro:id:: icmp_neighbor_advertisement
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, router: :bro:type:`bool`, solicited: :bro:type:`bool`, override: :bro:type:`bool`, tgt: :bro:type:`addr`, options: :bro:type:`icmp6_nd_options`)
Generated for ICMP *neighbor advertisement* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:router: Flag indicating the sender is a router.
:solicited: Flag indicating advertisement is in response to a solicitation.
:override: Flag indicating advertisement should override existing caches.
:tgt: the Target Address in the soliciting message or the address whose
link-layer address has changed for unsolicited adverts.
:options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. bro:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_solicitation icmp_redirect
.. bro:id:: icmp_neighbor_solicitation
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, tgt: :bro:type:`addr`, options: :bro:type:`icmp6_nd_options`)
Generated for ICMP *neighbor solicitation* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:tgt: The IP address of the target of the solicitation.
:options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. bro:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_advertisement icmp_redirect
.. bro:id:: icmp_packet_too_big
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, code: :bro:type:`count`, context: :bro:type:`icmp_context`)
Generated for ICMPv6 *packet too big* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:code: The ICMP code of the *too big* message.
:context: A record with specifics of the original packet that the message
refers to. *Too big* messages should include the original IP header
from the packet that triggered them, and Bro parses that into
the *context* structure. Note that if the *too big* includes only
a partial IP header for some reason, no fields of *context* will
be filled out.
.. bro:see:: icmp_error_message icmp_unreachable
icmp_time_exceeded icmp_parameter_problem
.. bro:id:: icmp_parameter_problem
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, code: :bro:type:`count`, context: :bro:type:`icmp_context`)
Generated for ICMPv6 *parameter problem* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:code: The ICMP code of the *parameter problem* message.
:context: A record with specifics of the original packet that the message
refers to. *Parameter problem* messages should include the original
IP header from the packet that triggered them, and Bro parses that
into the *context* structure. Note that if the *parameter problem*
includes only a partial IP header for some reason, no fields
of *context* will be filled out.
.. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
icmp_time_exceeded
.. bro:id:: icmp_redirect
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, tgt: :bro:type:`addr`, dest: :bro:type:`addr`, options: :bro:type:`icmp6_nd_options`)
Generated for ICMP *redirect* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:tgt: The address that is supposed to be a better first hop to use for
ICMP Destination Address.
:dest: The address of the destination which is redirected to the target.
:options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. bro:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_solicitation icmp_neighbor_advertisement
.. bro:id:: icmp_router_advertisement
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, cur_hop_limit: :bro:type:`count`, managed: :bro:type:`bool`, other: :bro:type:`bool`, home_agent: :bro:type:`bool`, pref: :bro:type:`count`, proxy: :bro:type:`bool`, rsv: :bro:type:`count`, router_lifetime: :bro:type:`interval`, reachable_time: :bro:type:`interval`, retrans_timer: :bro:type:`interval`, options: :bro:type:`icmp6_nd_options`)
Generated for ICMP *router advertisement* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:cur_hop_limit: The default value that should be placed in Hop Count field
for outgoing IP packets.
:managed: Managed address configuration flag, :rfc:`4861`.
:other: Other stateful configuration flag, :rfc:`4861`.
:home_agent: Mobile IPv6 home agent flag, :rfc:`3775`.
:pref: Router selection preferences, :rfc:`4191`.
:proxy: Neighbor discovery proxy flag, :rfc:`4389`.
:rsv: Remaining two reserved bits of router advertisement flags.
:router_lifetime: How long this router should be used as a default router.
:reachable_time: How long a neighbor should be considered reachable.
:retrans_timer: How long a host should wait before retransmitting.
:options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. bro:see:: icmp_router_solicitation
icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
.. bro:id:: icmp_router_solicitation
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, options: :bro:type:`icmp6_nd_options`)
Generated for ICMP *router solicitation* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. bro:see:: icmp_router_advertisement
icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
.. bro:id:: icmp_sent
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`)
Generated for all ICMP messages that are not handled separately with
dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
directly with dedicated events. This event acts as a fallback for those it
doesn't.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
.. bro:see:: icmp_error_message icmp_sent_payload
.. bro:id:: icmp_sent_payload
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, payload: :bro:type:`string`)
The same as :bro:see:`icmp_sent` except containing the ICMP payload.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:payload: The payload of the ICMP message.
.. bro:see:: icmp_error_message icmp_sent_payload
.. bro:id:: icmp_time_exceeded
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, code: :bro:type:`count`, context: :bro:type:`icmp_context`)
Generated for ICMP *time exceeded* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:code: The ICMP code of the *exceeded* message.
:context: A record with specifics of the original packet that the message
refers to. *Unreachable* messages should include the original IP
header from the packet that triggered them, and Bro parses that
into the *context* structure. Note that if the *exceeded* includes
only a partial IP header for some reason, no fields of *context*
will be filled out.
.. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
icmp_parameter_problem
.. bro:id:: icmp_unreachable
:Type: :bro:type:`event` (c: :bro:type:`connection`, icmp: :bro:type:`icmp_conn`, code: :bro:type:`count`, context: :bro:type:`icmp_context`)
Generated for ICMP *destination unreachable* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:c: The connection record for the corresponding ICMP flow.
:icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:code: The ICMP code of the *unreachable* message.
:context: A record with specifics of the original packet that the message
refers to. *Unreachable* messages should include the original IP
header from the packet that triggered them, and Bro parses that
into the *context* structure. Note that if the *unreachable*
includes only a partial IP header for some reason, no
fields of *context* will be filled out.
.. bro:see:: icmp_error_message icmp_packet_too_big
icmp_time_exceeded icmp_parameter_problem

49
doc/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,49 @@
:tocdepth: 3
base/bif/plugins/Bro_IMAP.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================== ==================================================================
:bro:id:`imap_capabilities`: :bro:type:`event` Generated when a server sends a capability list to the client,
after being queried using the CAPABILITY command.
:bro:id:`imap_starttls`: :bro:type:`event` Generated when a IMAP connection goes encrypted after a successful
StartTLS exchange between the client and the server.
============================================== ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: imap_capabilities
:Type: :bro:type:`event` (c: :bro:type:`connection`, capabilities: :bro:type:`string_vec`)
Generated when a server sends a capability list to the client,
after being queried using the CAPABILITY command.
:c: The connection.
:capabilities: The list of IMAP capabilities as sent by the server.
.. bro:id:: imap_starttls
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated when a IMAP connection goes encrypted after a successful
StartTLS exchange between the client and the server.
:c: The connection.

1098
doc/scripts/base/bif/plugins/Bro_IRC.events.bif.bro.rst Normal file
View file

File diff suppressed because it is too large Load diff

109
doc/scripts/base/bif/plugins/Bro_Ident.events.bif.bro.rst Normal file
View file

@ -0,0 +1,109 @@
:tocdepth: 3
base/bif/plugins/Bro_Ident.events.bif.bro
=========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================== ==================================
:bro:id:`ident_error`: :bro:type:`event` Generated for Ident error replies.
:bro:id:`ident_reply`: :bro:type:`event` Generated for Ident replies.
:bro:id:`ident_request`: :bro:type:`event` Generated for Ident requests.
========================================== ==================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: ident_error
:Type: :bro:type:`event` (c: :bro:type:`connection`, lport: :bro:type:`port`, rport: :bro:type:`port`, line: :bro:type:`string`)
Generated for Ident error replies.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:c: The connection.
:lport: The corresponding request's local port.
:rport: The corresponding request's remote port.
:line: The error description returned by the reply.
.. bro:see:: ident_reply ident_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: ident_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, lport: :bro:type:`port`, rport: :bro:type:`port`, user_id: :bro:type:`string`, system: :bro:type:`string`)
Generated for Ident replies.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:c: The connection.
:lport: The corresponding request's local port.
:rport: The corresponding request's remote port.
:user_id: The user id returned by the reply.
:system: The operating system returned by the reply.
.. bro:see:: ident_error ident_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: ident_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, lport: :bro:type:`port`, rport: :bro:type:`port`)
Generated for Ident requests.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:c: The connection.
:lport: The request's local port.
:rport: The request's remote port.
.. bro:see:: ident_error ident_reply
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

36
doc/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro.rst Normal file
View file

@ -0,0 +1,36 @@
:tocdepth: 3
base/bif/plugins/Bro_InterConn.events.bif.bro
=============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================== ===========
:bro:id:`interconn_remove_conn`: :bro:type:`event` Deprecated.
:bro:id:`interconn_stats`: :bro:type:`event` Deprecated.
================================================== ===========
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: interconn_remove_conn
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Deprecated. Will be removed.
.. bro:id:: interconn_stats
:Type: :bro:type:`event` (c: :bro:type:`connection`, os: :bro:type:`interconn_endp_stats`, rs: :bro:type:`interconn_endp_stats`)
Deprecated. Will be removed.

250
doc/scripts/base/bif/plugins/Bro_KRB.events.bif.bro.rst Normal file
View file

@ -0,0 +1,250 @@
:tocdepth: 3
base/bif/plugins/Bro_KRB.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================= ==================================================================
:bro:id:`krb_ap_request`: :bro:type:`event` A Kerberos 5 ``Authentication Header (AP) Request`` as defined
in :rfc:`4120`.
:bro:id:`krb_ap_response`: :bro:type:`event` A Kerberos 5 ``Authentication Header (AP) Response`` as defined
in :rfc:`4120`.
:bro:id:`krb_as_request`: :bro:type:`event` A Kerberos 5 ``Authentication Server (AS) Request`` as defined
in :rfc:`4120`.
:bro:id:`krb_as_response`: :bro:type:`event` A Kerberos 5 ``Authentication Server (AS) Response`` as defined
in :rfc:`4120`.
:bro:id:`krb_cred`: :bro:type:`event` A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`.
:bro:id:`krb_error`: :bro:type:`event` A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
:bro:id:`krb_priv`: :bro:type:`event` A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`.
:bro:id:`krb_safe`: :bro:type:`event` A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`.
:bro:id:`krb_tgs_request`: :bro:type:`event` A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
in :rfc:`4120`.
:bro:id:`krb_tgs_response`: :bro:type:`event` A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
in :rfc:`4120`.
============================================= ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: krb_ap_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, ticket: :bro:type:`KRB::Ticket`, opts: :bro:type:`KRB::AP_Options`)
A Kerberos 5 ``Authentication Header (AP) Request`` as defined
in :rfc:`4120`. This message contains authentication information
that should be part of the first message in an authenticated
transaction.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:ticket: The Kerberos ticket being used for authentication.
:opts: A Kerberos AP options data structure.
.. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. bro:id:: krb_ap_response
:Type: :bro:type:`event` (c: :bro:type:`connection`)
A Kerberos 5 ``Authentication Header (AP) Response`` as defined
in :rfc:`4120`. This is used if mutual authentication is desired.
All of the interesting information in here is encrypted, so the event
doesn't have much useful data, but it's provided in case it's important
to know that this message was sent.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
.. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_priv krb_safe krb_cred krb_error
.. bro:id:: krb_as_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`KRB::KDC_Request`)
A Kerberos 5 ``Authentication Server (AS) Request`` as defined
in :rfc:`4120`. The AS request contains a username of the client
requesting authentication, and returns an AS reply with an
encrypted Ticket Granting Ticket (TGT) for that user. The TGT
can then be used to request further tickets for other services.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:msg: A Kerberos KDC request message data structure.
.. bro:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. bro:id:: krb_as_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`KRB::KDC_Response`)
A Kerberos 5 ``Authentication Server (AS) Response`` as defined
in :rfc:`4120`. Following the AS request for a user, an AS reply
contains an encrypted Ticket Granting Ticket (TGT) for that user.
The TGT can then be used to request further tickets for other services.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:msg: A Kerberos KDC reply message data structure.
.. bro:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. bro:id:: krb_cred
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, tickets: :bro:type:`KRB::Ticket_Vector`)
A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`. This is
a private (encrypted) message to forward credentials.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:is_orig: Whether the originator of the connection sent this message.
:tickets: Tickets obtained from the KDC that are being forwarded.
.. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_safe krb_error
.. bro:id:: krb_error
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`KRB::Error_Msg`)
A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:msg: A Kerberos error message data structure.
.. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
.. bro:id:: krb_priv
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`. This
is a private (encrypted) application message, so the event doesn't
have much useful data, but it's provided in case it's important to
know that this message was sent.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:is_orig: Whether the originator of the connection sent this message.
.. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_safe krb_cred krb_error
.. bro:id:: krb_safe
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`KRB::SAFE_Msg`)
A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`. This is a
safe (checksummed) application message.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:is_orig: Whether the originator of the connection sent this message.
:msg: A Kerberos SAFE message data structure.
.. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_cred krb_error
.. bro:id:: krb_tgs_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`KRB::KDC_Request`)
A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
in :rfc:`4120`. Following the Authentication Server exchange, if
successful, the client now has a Ticket Granting Ticket (TGT). To
authenticate to a Kerberized service, the client requests a Service
Ticket, which will be returned in the TGS reply.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:msg: A Kerberos KDC request message data structure.
.. bro:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. bro:id:: krb_tgs_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`KRB::KDC_Response`)
A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
in :rfc:`4120`. This message returns a Service Ticket to the client,
which is encrypted with the service's long-term key, and which the
client can use to authenticate to that service.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:c: The connection over which this Kerberos message was sent.
:msg: A Kerberos KDC reply message data structure.
.. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error

16
doc/scripts/base/bif/plugins/Bro_KRB.types.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_KRB.types.bif.bro
======================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: KRB
:Namespaces: GLOBAL, KRB
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

547
doc/scripts/base/bif/plugins/Bro_Login.events.bif.bro.rst Normal file
View file

@ -0,0 +1,547 @@
:tocdepth: 3
base/bif/plugins/Bro_Login.events.bif.bro
=========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== =========================================================================
:bro:id:`activating_encryption`: :bro:type:`event` Generated for Telnet sessions when encryption is activated.
:bro:id:`authentication_accepted`: :bro:type:`event` Generated when a Telnet authentication has been successful.
:bro:id:`authentication_rejected`: :bro:type:`event` Generated when a Telnet authentication has been unsuccessful.
:bro:id:`authentication_skipped`: :bro:type:`event` Generated for Telnet/Rlogin sessions when a pattern match indicates
that no authentication is performed.
:bro:id:`bad_option`: :bro:type:`event` Generated for an ill-formed or unrecognized Telnet option.
:bro:id:`bad_option_termination`: :bro:type:`event` Generated for a Telnet option that's incorrectly terminated.
:bro:id:`inconsistent_option`: :bro:type:`event` Generated for an inconsistent Telnet option.
:bro:id:`login_confused`: :bro:type:`event` Generated when tracking of Telnet/Rlogin authentication failed.
:bro:id:`login_confused_text`: :bro:type:`event` Generated after getting confused while tracking a Telnet/Rlogin
authentication dialog.
:bro:id:`login_display`: :bro:type:`event` Generated for clients transmitting an X11 DISPLAY in a Telnet session.
:bro:id:`login_failure`: :bro:type:`event` Generated for Telnet/Rlogin login failures.
:bro:id:`login_input_line`: :bro:type:`event` Generated for lines of input on Telnet/Rlogin sessions.
:bro:id:`login_output_line`: :bro:type:`event` Generated for lines of output on Telnet/Rlogin sessions.
:bro:id:`login_prompt`: :bro:type:`event` Generated for clients transmitting a terminal prompt in a Telnet session.
:bro:id:`login_success`: :bro:type:`event` Generated for successful Telnet/Rlogin logins.
:bro:id:`login_terminal`: :bro:type:`event` Generated for clients transmitting a terminal type in a Telnet session.
:bro:id:`rsh_reply`: :bro:type:`event` Generated for client side commands on an RSH connection.
:bro:id:`rsh_request`: :bro:type:`event` Generated for client side commands on an RSH connection.
==================================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: activating_encryption
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated for Telnet sessions when encryption is activated. The Telnet
protocol includes options for negotiating encryption. When such a series of
options is successfully negotiated, the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:c: The connection.
.. bro:see:: authentication_accepted authentication_rejected authentication_skipped
login_confused login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. bro:id:: authentication_accepted
:Type: :bro:type:`event` (name: :bro:type:`string`, c: :bro:type:`connection`)
Generated when a Telnet authentication has been successful. The Telnet
protocol includes options for negotiating authentication. When such an
option is sent from client to server and the server replies that it accepts
the authentication, then the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:name: The authenticated name.
:c: The connection.
.. bro:see:: authentication_rejected authentication_skipped login_success
.. note:: This event inspects the corresponding Telnet option
while :bro:id:`login_success` heuristically determines success by watching
session data.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: authentication_rejected
:Type: :bro:type:`event` (name: :bro:type:`string`, c: :bro:type:`connection`)
Generated when a Telnet authentication has been unsuccessful. The Telnet
protocol includes options for negotiating authentication. When such an option
is sent from client to server and the server replies that it did not accept
the authentication, then the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:name: The attempted authentication name.
:c: The connection.
.. bro:see:: authentication_accepted authentication_skipped login_failure
.. note:: This event inspects the corresponding Telnet option
while :bro:id:`login_success` heuristically determines failure by watching
session data.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: authentication_skipped
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated for Telnet/Rlogin sessions when a pattern match indicates
that no authentication is performed.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:c: The connection.
.. bro:see:: authentication_accepted authentication_rejected direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts
login_success_msgs login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying activity. This
configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: bad_option
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated for an ill-formed or unrecognized Telnet option.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:c: The connection.
.. bro:see:: inconsistent_option bad_option_termination authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: bad_option_termination
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated for a Telnet option that's incorrectly terminated.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:c: The connection.
.. bro:see:: inconsistent_option bad_option authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: inconsistent_option
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated for an inconsistent Telnet option. Telnet options are specified
by the client and server stating which options they are willing to
support vs. which they are not, and then instructing one another which in
fact they should or should not use for the current connection. If the event
engine sees a peer violate either what the other peer has instructed it to
do, or what it itself offered in terms of options in the past, then the
engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:c: The connection.
.. bro:see:: bad_option bad_option_termination authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. bro:id:: login_confused
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`, line: :bro:type:`string`)
Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
*login* analyzer uses a number of heuristics to extract authentication
information, it may become confused. If it can no longer correctly track
the authentication dialog, it raises this event.
:c: The connection.
:msg: Gives the particular problem the heuristics detected (for example,
``multiple_login_prompts`` means that the engine saw several login
prompts in a row, without the type-ahead from the client side presumed
necessary to cause them)
:line: The line of text that caused the heuristics to conclude they were
confused.
.. bro:see:: login_confused_text login_display login_failure login_input_line login_output_line
login_prompt login_success login_terminal direct_login_prompts get_login_state
login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
login_timeouts set_login_state
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: login_confused_text
:Type: :bro:type:`event` (c: :bro:type:`connection`, line: :bro:type:`string`)
Generated after getting confused while tracking a Telnet/Rlogin
authentication dialog. The *login* analyzer generates this even for every
line of user input after it has reported :bro:id:`login_confused` for a
connection.
:c: The connection.
:line: The line the user typed.
.. bro:see:: login_confused login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts
login_success_msgs login_timeouts set_login_state
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: login_display
:Type: :bro:type:`event` (c: :bro:type:`connection`, display: :bro:type:`string`)
Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
information is extracted out of environment variables sent as Telnet options.
:c: The connection.
:display: The DISPLAY transmitted.
.. bro:see:: login_confused login_confused_text login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: login_failure
:Type: :bro:type:`event` (c: :bro:type:`connection`, user: :bro:type:`string`, client_user: :bro:type:`string`, password: :bro:type:`string`, line: :bro:type:`string`)
Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
Telnet/Rlogin sessions to heuristically extract username and password
information as well as the text returned by the login server. This event is
raised if a login attempt appears to have been unsuccessful.
:c: The connection.
:user: The user name tried.
:client_user: For Telnet connections, this is an empty string, but for Rlogin
connections, it is the client name passed in the initial authentication
information (to check against .rhosts).
:password: The password tried.
:line: The line of text that led the analyzer to conclude that the
authentication had failed.
.. bro:see:: login_confused login_confused_text login_display login_input_line
login_output_line login_prompt login_success login_terminal direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying login attempts. This
configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: login_input_line
:Type: :bro:type:`event` (c: :bro:type:`connection`, line: :bro:type:`string`)
Generated for lines of input on Telnet/Rlogin sessions. The line will have
control characters (such as in-band Telnet options) removed.
:c: The connection.
:line: The input line.
.. bro:see:: login_confused login_confused_text login_display login_failure
login_output_line login_prompt login_success login_terminal rsh_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: login_output_line
:Type: :bro:type:`event` (c: :bro:type:`connection`, line: :bro:type:`string`)
Generated for lines of output on Telnet/Rlogin sessions. The line will have
control characters (such as in-band Telnet options) removed.
:c: The connection.
:line: The ouput line.
.. bro:see:: login_confused login_confused_text login_display login_failure
login_input_line login_prompt login_success login_terminal rsh_reply
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: login_prompt
:Type: :bro:type:`event` (c: :bro:type:`connection`, prompt: :bro:type:`string`)
Generated for clients transmitting a terminal prompt in a Telnet session.
This information is extracted out of environment variables sent as Telnet
options.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:c: The connection.
:prompt: The TTYPROMPT transmitted.
.. bro:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_success login_terminal
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: login_success
:Type: :bro:type:`event` (c: :bro:type:`connection`, user: :bro:type:`string`, client_user: :bro:type:`string`, password: :bro:type:`string`, line: :bro:type:`string`)
Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
Telnet/Rlogin sessions to heuristically extract username and password
information as well as the text returned by the login server. This event is
raised if a login attempt appears to have been successful.
:c: The connection.
:user: The user name used.
:client_user: For Telnet connections, this is an empty string, but for Rlogin
connections, it is the client name passed in the initial authentication
information (to check against .rhosts).
:password: The password used.
:line: The line of text that led the analyzer to conclude that the
authentication had succeeded.
.. bro:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_prompt login_terminal
direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
login_prompts login_success_msgs login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying login attempts. This
configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: login_terminal
:Type: :bro:type:`event` (c: :bro:type:`connection`, terminal: :bro:type:`string`)
Generated for clients transmitting a terminal type in a Telnet session. This
information is extracted out of environment variables sent as Telnet options.
:c: The connection.
:terminal: The TERM value transmitted.
.. bro:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_prompt login_success
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. bro:id:: rsh_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, client_user: :bro:type:`string`, server_user: :bro:type:`string`, line: :bro:type:`string`)
Generated for client side commands on an RSH connection.
See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
:c: The connection.
:client_user: The client-side user name as sent in the initial protocol
handshake.
:server_user: The server-side user name as sent in the initial protocol
handshake.
:line: The command line sent in the request.
.. bro:see:: rsh_request login_confused login_confused_text login_display
login_failure login_input_line login_output_line login_prompt login_success
login_terminal
.. note:: For historical reasons, these events are separate from the
``login_`` events. Ideally, they would all be handled uniquely.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: rsh_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, client_user: :bro:type:`string`, server_user: :bro:type:`string`, line: :bro:type:`string`, new_session: :bro:type:`bool`)
Generated for client side commands on an RSH connection.
See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
:c: The connection.
:client_user: The client-side user name as sent in the initial protocol
handshake.
:server_user: The server-side user name as sent in the initial protocol
handshake.
:line: The command line sent in the request.
:new_session: True if this is the first command of the Rsh session.
.. bro:see:: rsh_reply login_confused login_confused_text login_display
login_failure login_input_line login_output_line login_prompt login_success
login_terminal
.. note:: For historical reasons, these events are separate from the
``login_`` events. Ideally, they would all be handled uniquely.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

69
doc/scripts/base/bif/plugins/Bro_Login.functions.bif.bro.rst Normal file
View file

@ -0,0 +1,69 @@
:tocdepth: 3
base/bif/plugins/Bro_Login.functions.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
=============================================== ===================================================================
:bro:id:`get_login_state`: :bro:type:`function` Returns the state of the given login (Telnet or Rlogin) connection.
:bro:id:`set_login_state`: :bro:type:`function` Sets the login state of a connection with a login analyzer.
=============================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: get_login_state
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`) : :bro:type:`count`
Returns the state of the given login (Telnet or Rlogin) connection.
:cid: The connection ID.
:returns: False if the connection is not active or is not tagged as a
login analyzer. Otherwise the function returns the state, which can
be one of:
- ``LOGIN_STATE_AUTHENTICATE``: The connection is in its
initial authentication dialog.
- ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has
successfully authenticated.
- ``LOGIN_STATE_SKIP``: The analyzer has skipped any further
processing of the connection.
- ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it
does not correctly know the state of the connection, and/or
the username associated with it.
.. bro:see:: set_login_state
.. bro:id:: set_login_state
:Type: :bro:type:`function` (cid: :bro:type:`conn_id`, new_state: :bro:type:`count`) : :bro:type:`bool`
Sets the login state of a connection with a login analyzer.
:cid: The connection ID.
:new_state: The new state of the login analyzer. See
:bro:id:`get_login_state` for possible values.
:returns: Returns false if *cid* is not an active connection
or is not tagged as a login analyzer, and true otherwise.
.. bro:see:: get_login_state

280
doc/scripts/base/bif/plugins/Bro_MIME.events.bif.bro.rst Normal file
View file

@ -0,0 +1,280 @@
:tocdepth: 3
base/bif/plugins/Bro_MIME.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================== =============================================================================
:bro:id:`mime_all_data`: :bro:type:`event` Generated for passing on all data decoded from a single email MIME
message.
:bro:id:`mime_all_headers`: :bro:type:`event` Generated for MIME headers extracted from email MIME entities, passing all
headers at once.
:bro:id:`mime_begin_entity`: :bro:type:`event` Generated when starting to parse an email MIME entity.
:bro:id:`mime_content_hash`: :bro:type:`event` Generated for decoded MIME entities extracted from email messages, passing on
their MD5 checksums.
:bro:id:`mime_end_entity`: :bro:type:`event` Generated when finishing parsing an email MIME entity.
:bro:id:`mime_entity_data`: :bro:type:`event` Generated for data decoded from an email MIME entity.
:bro:id:`mime_event`: :bro:type:`event` Generated for errors found when decoding email MIME entities.
:bro:id:`mime_one_header`: :bro:type:`event` Generated for individual MIME headers extracted from email MIME
entities.
:bro:id:`mime_segment_data`: :bro:type:`event` Generated for chunks of decoded MIME data from email MIME entities.
============================================== =============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: mime_all_data
:Type: :bro:type:`event` (c: :bro:type:`connection`, length: :bro:type:`count`, data: :bro:type:`string`)
Generated for passing on all data decoded from a single email MIME
message. If an email message has more than one MIME entity, this event
combines all their data into a single value for analysis. Note that because
of the potentially significant buffering necessary, using this event can be
expensive.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
:length: The length of *data*.
:data: The raw data of all MIME entities concatenated.
.. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
.. note:: While Bro also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. bro:id:: mime_all_headers
:Type: :bro:type:`event` (c: :bro:type:`connection`, hlist: :bro:type:`mime_header_list`)
Generated for MIME headers extracted from email MIME entities, passing all
headers at once. MIME is a protocol-independent data format for encoding
text and files, along with corresponding metadata, for transmission.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
:hlist: A *table* containing all headers extracted from the current entity.
The table is indexed by the position of the header (1 for the first,
2 for the second, etc.).
.. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
http_header http_all_headers
.. note:: Bro also extracts MIME headers from HTTP sessions. For those,
however, it raises :bro:id:`http_header` instead.
.. bro:id:: mime_begin_entity
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated when starting to parse an email MIME entity. MIME is a
protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. Bro raises this event when it
begins parsing a MIME entity extracted from an email protocol.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
.. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
http_begin_entity
.. note:: Bro also extracts MIME entities from HTTP sessions. For those,
however, it raises :bro:id:`http_begin_entity` instead.
.. bro:id:: mime_content_hash
:Type: :bro:type:`event` (c: :bro:type:`connection`, content_len: :bro:type:`count`, hash_value: :bro:type:`string`)
Generated for decoded MIME entities extracted from email messages, passing on
their MD5 checksums. Bro computes the MD5 over the complete decoded data of
each MIME entity.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
:content_len: The length of the entity being hashed.
:hash_value: The MD5 hash.
.. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
.. note:: While Bro also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. bro:id:: mime_end_entity
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated when finishing parsing an email MIME entity. MIME is a
protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. Bro raises this event when it
finished parsing a MIME entity extracted from an email protocol.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
.. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
http_end_entity
.. note:: Bro also extracts MIME entities from HTTP sessions. For those,
however, it raises :bro:id:`http_end_entity` instead.
.. bro:id:: mime_entity_data
:Type: :bro:type:`event` (c: :bro:type:`connection`, length: :bro:type:`count`, data: :bro:type:`string`)
Generated for data decoded from an email MIME entity. This event delivers
the complete content of a single MIME entity with the quoted-printable and
and base64 data decoded. In contrast, there is also :bro:id:`mime_segment_data`,
which passes on a sequence of data chunks as they come in. While
``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
more efficient as Bro does not need to buffer the data. Thus, if possible,
the latter should be preferred.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
:length: The length of *data*.
:data: The raw data of the complete entity.
.. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_event mime_one_header mime_segment_data
.. note:: While Bro also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. bro:id:: mime_event
:Type: :bro:type:`event` (c: :bro:type:`connection`, event_type: :bro:type:`string`, detail: :bro:type:`string`)
Generated for errors found when decoding email MIME entities.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
:event_type: A string describing the general category of the problem found
(e.g., ``illegal format``).
:detail: Further more detailed description of the error.
.. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
.. note:: Bro also extracts MIME headers from HTTP sessions. For those,
however, it raises :bro:id:`http_event` instead.
.. bro:id:: mime_one_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, h: :bro:type:`mime_header_rec`)
Generated for individual MIME headers extracted from email MIME
entities. MIME is a protocol-independent data format for encoding text and
files, along with corresponding metadata, for transmission.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
:h: The parsed MIME header.
.. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_event mime_segment_data
http_header http_all_headers
.. note:: Bro also extracts MIME headers from HTTP sessions. For those,
however, it raises :bro:id:`http_header` instead.
.. bro:id:: mime_segment_data
:Type: :bro:type:`event` (c: :bro:type:`connection`, length: :bro:type:`count`, data: :bro:type:`string`)
Generated for chunks of decoded MIME data from email MIME entities. MIME
is a protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. As Bro parses the data of an
entity, it raises a sequence of these events, each coming as soon as a new
chunk of data is available. In contrast, there is also
:bro:id:`mime_entity_data`, which passes all of an entities data at once
in a single block. While the latter is more convenient to handle,
``mime_segment_data`` is more efficient as Bro does not need to buffer
the data. Thus, if possible, this event should be preferred.
Bro's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:c: The connection.
:length: The length of *data*.
:data: The raw data of one segment of the current entity.
.. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
mime_segment_length mime_segment_overlap_length
.. note:: Bro also extracts MIME data from HTTP sessions. For those,
however, it raises :bro:id:`http_entity_data` (sic!) instead.

530
doc/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro.rst Normal file
View file

@ -0,0 +1,530 @@
:tocdepth: 3
base/bif/plugins/Bro_Modbus.events.bif.bro
==========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================================== ======================================================================
:bro:id:`modbus_exception`: :bro:type:`event` Generated for any Modbus exception message.
:bro:id:`modbus_mask_write_register_request`: :bro:type:`event` Generated for a Modbus mask write register request.
:bro:id:`modbus_mask_write_register_response`: :bro:type:`event` Generated for a Modbus mask write register request.
:bro:id:`modbus_message`: :bro:type:`event` Generated for any Modbus message regardless if the particular function
is further supported or not.
:bro:id:`modbus_read_coils_request`: :bro:type:`event` Generated for a Modbus read coils request.
:bro:id:`modbus_read_coils_response`: :bro:type:`event` Generated for a Modbus read coils response.
:bro:id:`modbus_read_discrete_inputs_request`: :bro:type:`event` Generated for a Modbus read discrete inputs request.
:bro:id:`modbus_read_discrete_inputs_response`: :bro:type:`event` Generated for a Modbus read discrete inputs response.
:bro:id:`modbus_read_fifo_queue_request`: :bro:type:`event` Generated for a Modbus read FIFO queue request.
:bro:id:`modbus_read_fifo_queue_response`: :bro:type:`event` Generated for a Modbus read FIFO queue response.
:bro:id:`modbus_read_file_record_request`: :bro:type:`event` Generated for a Modbus read file record request.
:bro:id:`modbus_read_file_record_response`: :bro:type:`event` Generated for a Modbus read file record response.
:bro:id:`modbus_read_holding_registers_request`: :bro:type:`event` Generated for a Modbus read holding registers request.
:bro:id:`modbus_read_holding_registers_response`: :bro:type:`event` Generated for a Modbus read holding registers response.
:bro:id:`modbus_read_input_registers_request`: :bro:type:`event` Generated for a Modbus read input registers request.
:bro:id:`modbus_read_input_registers_response`: :bro:type:`event` Generated for a Modbus read input registers response.
:bro:id:`modbus_read_write_multiple_registers_request`: :bro:type:`event` Generated for a Modbus read/write multiple registers request.
:bro:id:`modbus_read_write_multiple_registers_response`: :bro:type:`event` Generated for a Modbus read/write multiple registers response.
:bro:id:`modbus_write_file_record_request`: :bro:type:`event` Generated for a Modbus write file record request.
:bro:id:`modbus_write_file_record_response`: :bro:type:`event` Generated for a Modbus write file record response.
:bro:id:`modbus_write_multiple_coils_request`: :bro:type:`event` Generated for a Modbus write multiple coils request.
:bro:id:`modbus_write_multiple_coils_response`: :bro:type:`event` Generated for a Modbus write multiple coils response.
:bro:id:`modbus_write_multiple_registers_request`: :bro:type:`event` Generated for a Modbus write multiple registers request.
:bro:id:`modbus_write_multiple_registers_response`: :bro:type:`event` Generated for a Modbus write multiple registers response.
:bro:id:`modbus_write_single_coil_request`: :bro:type:`event` Generated for a Modbus write single coil request.
:bro:id:`modbus_write_single_coil_response`: :bro:type:`event` Generated for a Modbus write single coil response.
:bro:id:`modbus_write_single_register_request`: :bro:type:`event` Generated for a Modbus write single register request.
:bro:id:`modbus_write_single_register_response`: :bro:type:`event` Generated for a Modbus write single register response.
========================================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: modbus_exception
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, code: :bro:type:`count`)
Generated for any Modbus exception message.
:c: The connection.
:headers: The headers for the modbus function.
:code: The exception code.
.. bro:id:: modbus_mask_write_register_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, address: :bro:type:`count`, and_mask: :bro:type:`count`, or_mask: :bro:type:`count`)
Generated for a Modbus mask write register request.
:c: The connection.
:headers: The headers for the modbus function.
:address: The memory address of the register where the masks should be applied.
:and_mask: The value of the logical AND mask to apply to the register.
:or_mask: The value of the logical OR mask to apply to the register.
.. bro:id:: modbus_mask_write_register_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, address: :bro:type:`count`, and_mask: :bro:type:`count`, or_mask: :bro:type:`count`)
Generated for a Modbus mask write register request.
:c: The connection.
:headers: The headers for the modbus function.
:address: The memory address of the register where the masks were applied.
:and_mask: The value of the logical AND mask applied register.
:or_mask: The value of the logical OR mask applied to the register.
.. bro:id:: modbus_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, is_orig: :bro:type:`bool`)
Generated for any Modbus message regardless if the particular function
is further supported or not.
:c: The connection.
:headers: The headers for the modbus function.
:is_orig: True if the event is raised for the originator side.
.. bro:id:: modbus_read_coils_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`, quantity: :bro:type:`count`)
Generated for a Modbus read coils request.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The memory address of the first coil to be read.
:quantity: The number of coils to be read.
.. bro:id:: modbus_read_coils_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, coils: :bro:type:`ModbusCoils`)
Generated for a Modbus read coils response.
:c: The connection.
:headers: The headers for the modbus function.
:coils: The coil values returned from the device.
.. bro:id:: modbus_read_discrete_inputs_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`, quantity: :bro:type:`count`)
Generated for a Modbus read discrete inputs request.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The memory address of the first coil to be read.
:quantity: The number of coils to be read.
.. bro:id:: modbus_read_discrete_inputs_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, coils: :bro:type:`ModbusCoils`)
Generated for a Modbus read discrete inputs response.
:c: The connection.
:headers: The headers for the modbus function.
:coils: The coil values returned from the device.
.. bro:id:: modbus_read_fifo_queue_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`)
Generated for a Modbus read FIFO queue request.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The address of the FIFO queue to read.
.. bro:id:: modbus_read_fifo_queue_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, fifos: :bro:type:`ModbusRegisters`)
Generated for a Modbus read FIFO queue response.
:c: The connection.
:headers: The headers for the modbus function.
:fifos: The register values read from the FIFO queue on the device.
.. bro:id:: modbus_read_file_record_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`)
Generated for a Modbus read file record request.
:c: The connection.
:headers: The headers for the modbus function.
.. note: This event is incomplete. The information from the data structure
is not yet passed through to the event.
.. bro:id:: modbus_read_file_record_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`)
Generated for a Modbus read file record response.
:c: The connection.
:headers: The headers for the modbus function.
.. note: This event is incomplete. The information from the data structure
is not yet passed through to the event.
.. bro:id:: modbus_read_holding_registers_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`, quantity: :bro:type:`count`)
Generated for a Modbus read holding registers request.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The memory address of the first register to be read.
:quantity: The number of registers to be read.
.. bro:id:: modbus_read_holding_registers_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, registers: :bro:type:`ModbusRegisters`)
Generated for a Modbus read holding registers response.
:c: The connection.
:headers: The headers for the modbus function.
:registers: The register values returned from the device.
.. bro:id:: modbus_read_input_registers_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`, quantity: :bro:type:`count`)
Generated for a Modbus read input registers request.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The memory address of the first register to be read.
:quantity: The number of registers to be read.
.. bro:id:: modbus_read_input_registers_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, registers: :bro:type:`ModbusRegisters`)
Generated for a Modbus read input registers response.
:c: The connection.
:headers: The headers for the modbus function.
:registers: The register values returned from the device.
.. bro:id:: modbus_read_write_multiple_registers_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, read_start_address: :bro:type:`count`, read_quantity: :bro:type:`count`, write_start_address: :bro:type:`count`, write_registers: :bro:type:`ModbusRegisters`)
Generated for a Modbus read/write multiple registers request.
:c: The connection.
:headers: The headers for the modbus function.
:read_start_address: The memory address of the first register to be read.
:read_quantity: The number of registers to read.
:write_start_address: The memory address of the first register to be written.
:write_registers: The values to be written to the registers.
.. bro:id:: modbus_read_write_multiple_registers_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, written_registers: :bro:type:`ModbusRegisters`)
Generated for a Modbus read/write multiple registers response.
:c: The connection.
:headers: The headers for the modbus function.
:written_registers: The register values read from the registers specified in
the request.
.. bro:id:: modbus_write_file_record_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`)
Generated for a Modbus write file record request.
:c: The connection.
:headers: The headers for the modbus function.
.. note: This event is incomplete. The information from the data structure
is not yet passed through to the event.
.. bro:id:: modbus_write_file_record_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`)
Generated for a Modbus write file record response.
:c: The connection.
:headers: The headers for the modbus function.
.. note: This event is incomplete. The information from the data structure
is not yet passed through to the event.
.. bro:id:: modbus_write_multiple_coils_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`, coils: :bro:type:`ModbusCoils`)
Generated for a Modbus write multiple coils request.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The memory address of the first coil to be written.
:coils: The values to be written to the coils.
.. bro:id:: modbus_write_multiple_coils_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`, quantity: :bro:type:`count`)
Generated for a Modbus write multiple coils response.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The memory address of the first coil that was written.
:quantity: The quantity of coils that were written.
.. bro:id:: modbus_write_multiple_registers_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`, registers: :bro:type:`ModbusRegisters`)
Generated for a Modbus write multiple registers request.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The memory address of the first register to be written.
:registers: The values to be written to the registers.
.. bro:id:: modbus_write_multiple_registers_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, start_address: :bro:type:`count`, quantity: :bro:type:`count`)
Generated for a Modbus write multiple registers response.
:c: The connection.
:headers: The headers for the modbus function.
:start_address: The memory address of the first register that was written.
:quantity: The quantity of registers that were written.
.. bro:id:: modbus_write_single_coil_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, address: :bro:type:`count`, value: :bro:type:`bool`)
Generated for a Modbus write single coil request.
:c: The connection.
:headers: The headers for the modbus function.
:address: The memory address of the coil to be written.
:value: The value to be written to the coil.
.. bro:id:: modbus_write_single_coil_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, address: :bro:type:`count`, value: :bro:type:`bool`)
Generated for a Modbus write single coil response.
:c: The connection.
:headers: The headers for the modbus function.
:address: The memory address of the coil that was written.
:value: The value that was written to the coil.
.. bro:id:: modbus_write_single_register_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, address: :bro:type:`count`, value: :bro:type:`count`)
Generated for a Modbus write single register request.
:c: The connection.
:headers: The headers for the modbus function.
:address: The memory address of the register to be written.
:value: The value to be written to the register.
.. bro:id:: modbus_write_single_register_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, headers: :bro:type:`ModbusHeaders`, address: :bro:type:`count`, value: :bro:type:`count`)
Generated for a Modbus write single register response.
:c: The connection.
:headers: The headers for the modbus function.
:address: The memory address of the register that was written.
:value: The value that was written to the register.

138
doc/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro.rst Normal file
View file

@ -0,0 +1,138 @@
:tocdepth: 3
base/bif/plugins/Bro_MySQL.events.bif.bro
=========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================== ======================================================================================================
:bro:id:`mysql_command_request`: :bro:type:`event` Generated for a command request from a MySQL client.
:bro:id:`mysql_error`: :bro:type:`event` Generated for an unsuccessful MySQL response.
:bro:id:`mysql_handshake`: :bro:type:`event` Generated for a client handshake response packet, which includes the username the client is attempting
to connect as.
:bro:id:`mysql_ok`: :bro:type:`event` Generated for a successful MySQL response.
:bro:id:`mysql_result_row`: :bro:type:`event` Generated for each MySQL ResultsetRow response packet.
:bro:id:`mysql_server_version`: :bro:type:`event` Generated for the initial server handshake packet, which includes the MySQL server version.
================================================== ======================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: mysql_command_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, command: :bro:type:`count`, arg: :bro:type:`string`)
Generated for a command request from a MySQL client.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:c: The connection.
:command: The numerical code of the command issued.
:arg: The argument for the command (empty string if not provided).
.. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
.. bro:id:: mysql_error
:Type: :bro:type:`event` (c: :bro:type:`connection`, code: :bro:type:`count`, msg: :bro:type:`string`)
Generated for an unsuccessful MySQL response.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:c: The connection.
:code: The error code.
:msg: Any extra details about the error (empty string if not provided).
.. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
.. bro:id:: mysql_handshake
:Type: :bro:type:`event` (c: :bro:type:`connection`, username: :bro:type:`string`)
Generated for a client handshake response packet, which includes the username the client is attempting
to connect as.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:c: The connection.
:username: The username supplied by the client
.. bro:see:: mysql_command_request mysql_error mysql_ok mysql_server_version
.. bro:id:: mysql_ok
:Type: :bro:type:`event` (c: :bro:type:`connection`, affected_rows: :bro:type:`count`)
Generated for a successful MySQL response.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:c: The connection.
:affected_rows: The number of rows that were affected.
.. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
.. bro:id:: mysql_result_row
:Type: :bro:type:`event` (c: :bro:type:`connection`, row: :bro:type:`string_vec`)
Generated for each MySQL ResultsetRow response packet.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:c: The connection.
:row: The result row data.
.. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
.. bro:id:: mysql_server_version
:Type: :bro:type:`event` (c: :bro:type:`connection`, ver: :bro:type:`string`)
Generated for the initial server handshake packet, which includes the MySQL server version.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:c: The connection.
:ver: The server version string.
.. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake

15
doc/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Bro_NCP.consts.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

86
doc/scripts/base/bif/plugins/Bro_NCP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,86 @@
:tocdepth: 3
base/bif/plugins/Bro_NCP.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================== ===================================================
:bro:id:`ncp_reply`: :bro:type:`event` Generated for NCP replies (Netware Core Protocol).
:bro:id:`ncp_request`: :bro:type:`event` Generated for NCP requests (Netware Core Protocol).
======================================== ===================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: ncp_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, frame_type: :bro:type:`count`, length: :bro:type:`count`, req_frame: :bro:type:`count`, req_func: :bro:type:`count`, completion_code: :bro:type:`count`)
Generated for NCP replies (Netware Core Protocol).
See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
more information about the NCP protocol.
:c: The connection.
:frame_type: The frame type, as specified by the protocol.
:length: The length of the request body, excluding the frame header.
:req_frame: The frame type from the corresponding request.
:req_func: The function code from the corresponding request.
:completion_code: The reply's completion code, as specified by the protocol.
.. bro:see:: ncp_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: ncp_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, frame_type: :bro:type:`count`, length: :bro:type:`count`, func: :bro:type:`count`)
Generated for NCP requests (Netware Core Protocol).
See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
more information about the NCP protocol.
:c: The connection.
:frame_type: The frame type, as specified by the protocol.
:length: The length of the request body, excluding the frame header.
:func: The requested function, as specified by the protocol.
.. bro:see:: ncp_reply
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

67
doc/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro.rst Normal file
View file

@ -0,0 +1,67 @@
:tocdepth: 3
base/bif/plugins/Bro_NTLM.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================== ============================================================================
:bro:id:`ntlm_authenticate`: :bro:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
:bro:id:`ntlm_challenge`: :bro:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
:bro:id:`ntlm_negotiate`: :bro:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
============================================== ============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: ntlm_authenticate
:Type: :bro:type:`event` (c: :bro:type:`connection`, request: :bro:type:`NTLM::Authenticate`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
:c: The connection.
:request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. bro:see:: ntlm_negotiate ntlm_challenge
.. bro:id:: ntlm_challenge
:Type: :bro:type:`event` (c: :bro:type:`connection`, challenge: :bro:type:`NTLM::Challenge`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
:c: The connection.
:negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. bro:see:: ntlm_negotiate ntlm_authenticate
.. bro:id:: ntlm_negotiate
:Type: :bro:type:`event` (c: :bro:type:`connection`, negotiate: :bro:type:`NTLM::Negotiate`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
:c: The connection.
:negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. bro:see:: ntlm_challenge ntlm_authenticate

16
doc/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_NTLM.types.bif.bro
=======================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: NTLM
:Namespaces: GLOBAL, NTLM
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

50
doc/scripts/base/bif/plugins/Bro_NTP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,50 @@
:tocdepth: 3
base/bif/plugins/Bro_NTP.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================== ===============================
:bro:id:`ntp_message`: :bro:type:`event` Generated for all NTP messages.
======================================== ===============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: ntp_message
:Type: :bro:type:`event` (u: :bro:type:`connection`, msg: :bro:type:`ntp_msg`, excess: :bro:type:`string`)
Generated for all NTP messages. Different from many other of Bro's events,
this one is generated for both client-side and server-side messages.
See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
more information about the NTP protocol.
:u: The connection record describing the corresponding UDP flow.
:msg: The parsed NTP message.
:excess: The raw bytes of any optional parts of the NTP packet. Bro does not
further parse any optional fields.
.. bro:see:: ntp_session_timeout
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

277
doc/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro.rst Normal file
View file

@ -0,0 +1,277 @@
:tocdepth: 3
base/bif/plugins/Bro_NetBIOS.events.bif.bro
===========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================= =====================================================================
:bro:id:`netbios_session_accepted`: :bro:type:`event` Generated for NetBIOS messages of type *positive session response*.
:bro:id:`netbios_session_keepalive`: :bro:type:`event` Generated for NetBIOS messages of type *keep-alive*.
:bro:id:`netbios_session_message`: :bro:type:`event` Generated for all NetBIOS SSN and DGM messages.
:bro:id:`netbios_session_raw_message`: :bro:type:`event` Generated for NetBIOS messages of type *session message* that are not
carrying an SMB payload.
:bro:id:`netbios_session_rejected`: :bro:type:`event` Generated for NetBIOS messages of type *negative session response*.
:bro:id:`netbios_session_request`: :bro:type:`event` Generated for NetBIOS messages of type *session request*.
:bro:id:`netbios_session_ret_arg_resp`: :bro:type:`event` Generated for NetBIOS messages of type *retarget response*.
========================================================= =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: netbios_session_accepted
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`)
Generated for NetBIOS messages of type *positive session response*. Bro's
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Bro parses.
:c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. bro:see:: netbios_session_keepalive netbios_session_message
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: netbios_session_keepalive
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`)
Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
processes the NetBIOS session service running on TCP port 139, and (despite
its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Bro parses.
:c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. bro:see:: netbios_session_accepted netbios_session_message
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: netbios_session_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg_type: :bro:type:`count`, data_len: :bro:type:`count`)
Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
processes the NetBIOS session service running on TCP port 139, and (despite
its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Bro parses.
:c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:is_orig: True if the message was sent by the originator of the connection.
:msg_type: The general type of message, as defined in Section 4.3.1 of
:rfc:`1002`.
:data_len: The length of the message's payload.
.. bro:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: netbios_session_raw_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`string`)
Generated for NetBIOS messages of type *session message* that are not
carrying an SMB payload.
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Bro parses.
:c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:is_orig: True if the message was sent by the originator of the connection.
:msg: The raw payload of the message sent, excluding the common NetBIOS
header (i.e., the ``user_data``).
.. bro:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: This is an oddly named event. In fact, it's probably an odd event
to have to begin with.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: netbios_session_rejected
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`)
Generated for NetBIOS messages of type *negative session response*. Bro's
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Bro parses.
:c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. bro:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: netbios_session_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`)
Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
analyzer processes the NetBIOS session service running on TCP port 139, and
(despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Bro parses.
:c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. bro:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_rejected
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: netbios_session_ret_arg_resp
:Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`)
Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
analyzer processes the NetBIOS session service running on TCP port 139, and
(despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Bro parses.
:c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. bro:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_rejected
netbios_session_request decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: This is an oddly named event.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

53
doc/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro.rst Normal file
View file

@ -0,0 +1,53 @@
:tocdepth: 3
base/bif/plugins/Bro_NetBIOS.functions.bif.bro
==============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
======================================================== ================================================================
:bro:id:`decode_netbios_name`: :bro:type:`function` Decode a NetBIOS name.
:bro:id:`decode_netbios_name_type`: :bro:type:`function` Converts a NetBIOS name type to its corresponding numeric value.
======================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: decode_netbios_name
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`string`
Decode a NetBIOS name. See http://support.microsoft.com/kb/194203.
:name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``.
:returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``.
.. bro:see:: decode_netbios_name_type
.. bro:id:: decode_netbios_name_type
:Type: :bro:type:`function` (name: :bro:type:`string`) : :bro:type:`count`
Converts a NetBIOS name type to its corresponding numeric value.
See http://support.microsoft.com/kb/163409.
:name: The NetBIOS name type.
:returns: The numeric value of *name*.
.. bro:see:: decode_netbios_name

16
doc/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_NoneWriter.none.bif.bro
============================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: LogNone
:Namespaces: GLOBAL, LogNone
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

110
doc/scripts/base/bif/plugins/Bro_PE.events.bif.bro.rst Normal file
View file

@ -0,0 +1,110 @@
:tocdepth: 3
base/bif/plugins/Bro_PE.events.bif.bro
======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ===================================================================
:bro:id:`pe_dos_code`: :bro:type:`event` A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
:bro:id:`pe_dos_header`: :bro:type:`event` A :abbr:`PE (Portable Executable)` file DOS header was parsed.
:bro:id:`pe_file_header`: :bro:type:`event` A :abbr:`PE (Portable Executable)` file file header was parsed.
:bro:id:`pe_optional_header`: :bro:type:`event` A :abbr:`PE (Portable Executable)` file optional header was parsed.
:bro:id:`pe_section_header`: :bro:type:`event` A :abbr:`PE (Portable Executable)` file section header was parsed.
=============================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: pe_dos_code
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, code: :bro:type:`string`)
A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
The stub is a valid application that runs under MS-DOS, by default
to inform the user that the program can't be run in DOS mode.
:f: The file.
:code: The DOS stub
.. bro:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
.. bro:id:: pe_dos_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::DOSHeader`)
A :abbr:`PE (Portable Executable)` file DOS header was parsed.
This is the top-level header and contains information like the
size of the file, initial value of registers, etc.
:f: The file.
:h: The parsed DOS header information.
.. bro:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
.. bro:id:: pe_file_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::FileHeader`)
A :abbr:`PE (Portable Executable)` file file header was parsed.
This header contains information like the target machine,
the timestamp when the file was created, the number of sections, and
pointers to other parts of the file.
:f: The file.
:h: The parsed file header information.
.. bro:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
.. bro:id:: pe_optional_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::OptionalHeader`)
A :abbr:`PE (Portable Executable)` file optional header was parsed.
This header is required for executable files, but not for object files.
It contains information like OS requirements to execute the file, the
original entry point address, and information needed to load the file
into memory.
:f: The file.
:h: The parsed optional header information.
.. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
.. bro:id:: pe_section_header
:Type: :bro:type:`event` (f: :bro:type:`fa_file`, h: :bro:type:`PE::SectionHeader`)
A :abbr:`PE (Portable Executable)` file section header was parsed.
This header contains information like the section name, size, address,
and characteristics.
:f: The file.
:h: The parsed section header information.
.. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header

234
doc/scripts/base/bif/plugins/Bro_POP3.events.bif.bro.rst Normal file
View file

@ -0,0 +1,234 @@
:tocdepth: 3
base/bif/plugins/Bro_POP3.events.bif.bro
========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ===================================================================
:bro:id:`pop3_data`: :bro:type:`event` Generated for server-side multi-line responses on POP3 connections.
:bro:id:`pop3_login_failure`: :bro:type:`event` Generated for unsuccessful authentications on POP3 connections.
:bro:id:`pop3_login_success`: :bro:type:`event` Generated for successful authentications on POP3 connections.
:bro:id:`pop3_reply`: :bro:type:`event` Generated for server-side replies to commands on POP3 connections.
:bro:id:`pop3_request`: :bro:type:`event` Generated for client-side commands on POP3 connections.
:bro:id:`pop3_starttls`: :bro:type:`event` Generated when a POP3 connection goes encrypted.
:bro:id:`pop3_unexpected`: :bro:type:`event` Generated for errors encountered on POP3 sessions.
=============================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: pop3_data
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, data: :bro:type:`string`)
Generated for server-side multi-line responses on POP3 connections. POP3
connections use multi-line responses to send bulk data, such as the actual
mails. This event is generated once for each line that's part of such a
response.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:c: The connection.
:is_orig: True if the data was sent by the originator of the TCP connection.
:data: The data sent.
.. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
pop3_unexpected
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: pop3_login_failure
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, user: :bro:type:`string`, password: :bro:type:`string`)
Generated for unsuccessful authentications on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:c: The connection.
:is_orig: Always false.
:user: The user name attempted for authentication. The event is only
generated if a non-empty user name was used.
:password: The password attempted for authentication.
.. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request
pop3_unexpected
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: pop3_login_success
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, user: :bro:type:`string`, password: :bro:type:`string`)
Generated for successful authentications on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:c: The connection.
:is_orig: Always false.
:user: The user name used for authentication. The event is only generated if
a non-empty user name was used.
:password: The password used for authentication.
.. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request
pop3_unexpected
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: pop3_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, cmd: :bro:type:`string`, msg: :bro:type:`string`)
Generated for server-side replies to commands on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:c: The connection.
:is_orig: True if the command was sent by the originator of the TCP
connection.
:cmd: The success indicator sent by the server. This corresponds to the
first token on the line sent, and should be either ``OK`` or ``ERR``.
:msg: The textual description the server sent along with *cmd*.
.. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
pop3_unexpected
.. todo:: This event is receiving odd parameters, should unify.
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: pop3_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, command: :bro:type:`string`, arg: :bro:type:`string`)
Generated for client-side commands on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:c: The connection.
:is_orig: True if the command was sent by the originator of the TCP
connection.
:command: The command sent.
:arg: The argument to the command.
.. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
pop3_unexpected
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: pop3_starttls
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated when a POP3 connection goes encrypted. While POP3 is by default a
clear-text protocol, extensions exist to switch to encryption. This event is
generated if that happens and the analyzer then stops processing the
connection.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:c: The connection.
.. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
pop3_request pop3_unexpected
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. bro:id:: pop3_unexpected
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`string`, detail: :bro:type:`string`)
Generated for errors encountered on POP3 sessions. If the POP3 analyzer
finds state transitions that do not conform to the protocol specification,
or other situations it can't handle, it raises this event.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:c: The connection.
:is_orig: True if the data was sent by the originator of the TCP connection.
:msg: A textual description of the situation.
:detail: The input that triggered the event.
.. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
.. todo:: Bro's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

59
doc/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro.rst Normal file
View file

@ -0,0 +1,59 @@
:tocdepth: 3
base/bif/plugins/Bro_RADIUS.events.bif.bro
==========================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================= ====================================
:bro:id:`radius_attribute`: :bro:type:`event` Generated for each RADIUS attribute.
:bro:id:`radius_message`: :bro:type:`event` Generated for RADIUS messages.
============================================= ====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: radius_attribute
:Type: :bro:type:`event` (c: :bro:type:`connection`, attr_type: :bro:type:`count`, value: :bro:type:`string`)
Generated for each RADIUS attribute.
See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
information about RADIUS.
:c: The connection.
:attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.).
:value: The data/value bound to the attribute.
.. bro:id:: radius_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, result: :bro:type:`RADIUS::Message`)
Generated for RADIUS messages.
See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
information about RADIUS.
:c: The connection.
:result: A record containing fields parsed from a RADIUS packet.

134
doc/scripts/base/bif/plugins/Bro_RDP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,134 @@
:tocdepth: 3
base/bif/plugins/Bro_RDP.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== ================================================
:bro:id:`rdp_begin_encryption`: :bro:type:`event` Generated when an RDP session becomes encrypted.
:bro:id:`rdp_client_core_data`: :bro:type:`event` Generated for MCS client requests.
:bro:id:`rdp_connect_request`: :bro:type:`event` Generated for X.224 client requests.
:bro:id:`rdp_gcc_server_create_response`: :bro:type:`event` Generated for MCS server responses.
:bro:id:`rdp_negotiation_failure`: :bro:type:`event` Generated for RDP Negotiation Failure messages.
:bro:id:`rdp_negotiation_response`: :bro:type:`event` Generated for RDP Negotiation Response messages.
:bro:id:`rdp_server_certificate`: :bro:type:`event` Generated for a server certificate section.
:bro:id:`rdp_server_security`: :bro:type:`event` Generated for MCS server responses.
=========================================================== ================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: rdp_begin_encryption
:Type: :bro:type:`event` (c: :bro:type:`connection`, security_protocol: :bro:type:`count`)
Generated when an RDP session becomes encrypted.
:c: The connection record for the underlying transport-layer session/flow.
:security_protocol: The security protocol being used for the session.
.. bro:id:: rdp_client_core_data
:Type: :bro:type:`event` (c: :bro:type:`connection`, data: :bro:type:`RDP::ClientCoreData`)
Generated for MCS client requests.
:c: The connection record for the underlying transport-layer session/flow.
:data: The data contained in the client core data structure.
.. bro:id:: rdp_connect_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, cookie: :bro:type:`string`)
Generated for X.224 client requests.
:c: The connection record for the underlying transport-layer session/flow.
:cookie: The cookie included in the request.
.. bro:id:: rdp_gcc_server_create_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, result: :bro:type:`count`)
Generated for MCS server responses.
:c: The connection record for the underlying transport-layer session/flow.
:result: The 8-bit integer representing the GCC Conference Create Response result.
.. bro:id:: rdp_negotiation_failure
:Type: :bro:type:`event` (c: :bro:type:`connection`, failure_code: :bro:type:`count`)
Generated for RDP Negotiation Failure messages.
:c: The connection record for the underlying transport-layer session/flow.
:failure_code: The failure code sent by the server.
.. bro:id:: rdp_negotiation_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, security_protocol: :bro:type:`count`)
Generated for RDP Negotiation Response messages.
:c: The connection record for the underlying transport-layer session/flow.
:security_protocol: The security protocol selected by the server.
.. bro:id:: rdp_server_certificate
:Type: :bro:type:`event` (c: :bro:type:`connection`, cert_type: :bro:type:`count`, permanently_issued: :bro:type:`bool`)
Generated for a server certificate section. If multiple X.509
certificates are included in chain, this event will still
only be generated a single time.
:c: The connection record for the underlying transport-layer session/flow.
:cert_type: Indicates the type of certificate.
:permanently_issued: Value will be true is the certificate(s) is permanent on the server.
.. bro:id:: rdp_server_security
:Type: :bro:type:`event` (c: :bro:type:`connection`, encryption_method: :bro:type:`count`, encryption_level: :bro:type:`count`)
Generated for MCS server responses.
:c: The connection record for the underlying transport-layer session/flow.
:encryption_method: The 32-bit integer representing the encryption method used in the connection.
:encryption_level: The 32-bit integer representing the encryption level used in the connection.

16
doc/scripts/base/bif/plugins/Bro_RDP.types.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_RDP.types.bif.bro
======================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: RDP
:Namespaces: GLOBAL, RDP
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

116
doc/scripts/base/bif/plugins/Bro_RFB.events.bif.bro.rst Normal file
View file

@ -0,0 +1,116 @@
:tocdepth: 3
base/bif/plugins/Bro_RFB.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== ==========================================================
:bro:id:`rfb_auth_result`: :bro:type:`event` Generated for RFB event authentication result message
:bro:id:`rfb_authentication_type`: :bro:type:`event` Generated for RFB event authentication mechanism selection
:bro:id:`rfb_client_version`: :bro:type:`event` Generated for RFB event client banner message
:bro:id:`rfb_event`: :bro:type:`event` Generated for RFB event
:bro:id:`rfb_server_parameters`: :bro:type:`event` Generated for RFB event server parameter message
:bro:id:`rfb_server_version`: :bro:type:`event` Generated for RFB event server banner message
:bro:id:`rfb_share_flag`: :bro:type:`event` Generated for RFB event share flag messages
==================================================== ==========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: rfb_auth_result
:Type: :bro:type:`event` (c: :bro:type:`connection`, result: :bro:type:`bool`)
Generated for RFB event authentication result message
:c: The connection record for the underlying transport-layer session/flow.
:result: whether or not authentication was succesful
.. bro:id:: rfb_authentication_type
:Type: :bro:type:`event` (c: :bro:type:`connection`, authtype: :bro:type:`count`)
Generated for RFB event authentication mechanism selection
:c: The connection record for the underlying transport-layer session/flow.
:authtype: the value of the chosen authentication mechanism
.. bro:id:: rfb_client_version
:Type: :bro:type:`event` (c: :bro:type:`connection`, major_version: :bro:type:`string`, minor_version: :bro:type:`string`)
Generated for RFB event client banner message
:c: The connection record for the underlying transport-layer session/flow.
:version: of the client's rfb library
.. bro:id:: rfb_event
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated for RFB event
:c: The connection record for the underlying transport-layer session/flow.
.. bro:id:: rfb_server_parameters
:Type: :bro:type:`event` (c: :bro:type:`connection`, name: :bro:type:`string`, width: :bro:type:`count`, height: :bro:type:`count`)
Generated for RFB event server parameter message
:c: The connection record for the underlying transport-layer session/flow.
:name: name of the shared screen
:width: width of the shared screen
:height: height of the shared screen
.. bro:id:: rfb_server_version
:Type: :bro:type:`event` (c: :bro:type:`connection`, major_version: :bro:type:`string`, minor_version: :bro:type:`string`)
Generated for RFB event server banner message
:c: The connection record for the underlying transport-layer session/flow.
:version: of the server's rfb library
.. bro:id:: rfb_share_flag
:Type: :bro:type:`event` (c: :bro:type:`connection`, flag: :bro:type:`bool`)
Generated for RFB event share flag messages
:c: The connection record for the underlying transport-layer session/flow.
:flag: whether or not the share flag was set

1281
doc/scripts/base/bif/plugins/Bro_RPC.events.bif.bro.rst Normal file
View file

File diff suppressed because it is too large Load diff

16
doc/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Bro_RawReader.raw.bif.bro
==========================================
.. bro:namespace:: GLOBAL
.. bro:namespace:: InputRaw
:Namespaces: GLOBAL, InputRaw
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

157
doc/scripts/base/bif/plugins/Bro_SIP.events.bif.bro.rst Normal file
View file

@ -0,0 +1,157 @@
:tocdepth: 3
base/bif/plugins/Bro_SIP.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================= ==========================================================================================================
:bro:id:`sip_all_headers`: :bro:type:`event` Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
:bro:id:`sip_begin_entity`: :bro:type:`event` Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
:bro:id:`sip_end_entity`: :bro:type:`event` Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
:bro:id:`sip_header`: :bro:type:`event` Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
:bro:id:`sip_reply`: :bro:type:`event` Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
:bro:id:`sip_request`: :bro:type:`event` Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
============================================= ==========================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: sip_all_headers
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, hlist: :bro:type:`mime_header_list`)
Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:c: The connection.
:is_orig: Whether the headers came from the originator.
:hlist: All the headers, and their values
.. bro:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity
.. bro:id:: sip_begin_entity
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
This event is generated as soon as a message's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:c: The connection.
:is_orig: Whether the message came from the originator.
.. bro:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity
.. bro:id:: sip_end_entity
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:c: The connection.
:is_orig: Whether the message came from the originator.
.. bro:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity
.. bro:id:: sip_header
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, name: :bro:type:`string`, value: :bro:type:`string`)
Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:c: The connection.
:is_orig: Whether the header came from the originator.
:name: Header name.
:value: Header value.
.. bro:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity
.. bro:id:: sip_reply
:Type: :bro:type:`event` (c: :bro:type:`connection`, version: :bro:type:`string`, code: :bro:type:`count`, reason: :bro:type:`string`)
Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
This event is generated as soon as a reply's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:c: The connection.
:version: The :abbr:`SIP (Session Initiation Protocol)` version in use.
:code: The response code.
:reason: Textual details for the response code.
.. bro:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity
.. bro:id:: sip_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, method: :bro:type:`string`, original_URI: :bro:type:`string`, version: :bro:type:`string`)
Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
This event is generated as soon as a request's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:c: The connection.
:method: The :abbr:`SIP (Session Initiation Protocol)` method extracted from the request (e.g., ``REGISTER``, ``NOTIFY``).
:original_URI: The unprocessed URI as specified in the request.
:version: The version number specified in the request (e.g., ``2.0``).
.. bro:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity

15
doc/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.consts.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

39
doc/scripts/base/bif/plugins/Bro_SMB.events.bif.bro.rst Normal file
View file

@ -0,0 +1,39 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================= ===================================================================
:bro:id:`smb_pipe_connect_heuristic`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)` connections when a
named pipe has been detected heuristically.
======================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb_pipe_connect_heuristic
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Generated for :abbr:`SMB (Server Message Block)` connections when a
named pipe has been detected heuristically. The case when this comes
up is when the drive mapping isn't seen so the analyzer is not able
to determine whether to send the data to the files framework or to
the DCE_RPC analyzer. This heuristic can be tuned by adding or
removing "named pipe" names from the :bro:see:`SMB::pipe_filenames`
const.
:c: The connection.

65
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro.rst Normal file
View file

@ -0,0 +1,65 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro
=========================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================== ===========================================================================================
:bro:id:`smb1_check_directory_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *check directory*.
:bro:id:`smb1_check_directory_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *check directory*.
========================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_check_directory_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, directory_name: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *check directory*. This is used by the client to verify that
a specified path resolves to a valid directory on the server.
For more information, see MS-CIFS:2.2.4.17
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:directory_name: The directory name to check for existence.
.. bro:see:: smb1_message smb1_check_directory_response
.. bro:id:: smb1_check_directory_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *check directory*. This is the server response to the
*check directory* request.
For more information, see MS-CIFS:2.2.4.17
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. bro:see:: smb1_message smb1_check_directory_request

45
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro.rst Normal file
View file

@ -0,0 +1,45 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro
===============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ===========================================================================================
:bro:id:`smb1_close_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *close*.
=============================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_close_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, file_id: :bro:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *close*. This is used by the client to close an instance of an object
associated with a valid file ID.
For more information, see MS-CIFS:2.2.4.5
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:file_id: The file identifier being closed.
.. bro:see:: smb1_message

67
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro.rst Normal file
View file

@ -0,0 +1,67 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro
==========================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== ===========================================================================================
:bro:id:`smb1_create_directory_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *create directory*.
:bro:id:`smb1_create_directory_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *create directory*.
=========================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_create_directory_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, directory_name: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *create directory*. This is a deprecated command which
has been replaced by the *trans2_create_directory* subcommand. This is used by the client to
create a new directory on the server, relative to a connected share.
For more information, see MS-CIFS:2.2.4.1
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:directory_name: The name of the directory to create.
.. bro:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
.. bro:id:: smb1_create_directory_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *create directory*. This is a deprecated command which
has been replaced by the *trans2_create_directory* subcommand. This is the server response
to the *create directory* request.
For more information, see MS-CIFS:2.2.4.1
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. bro:see:: smb1_message smb1_create_directory_request smb1_transaction2_request

73
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro.rst Normal file
View file

@ -0,0 +1,73 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro
==============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ===========================================================================================
:bro:id:`smb1_echo_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *echo*.
:bro:id:`smb1_echo_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *echo*.
=============================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_echo_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, echo_count: :bro:type:`count`, data: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *echo*. This is sent by the client to test the transport layer
connection with the server.
For more information, see MS-CIFS:2.2.4.39
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:echo_count: The number of times the server should echo the data back.
:data: The data for the server to echo.
.. bro:see:: smb1_message smb1_echo_response
.. bro:id:: smb1_echo_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, seq_num: :bro:type:`count`, data: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *echo*. This is the server response to the *echo* request.
For more information, see MS-CIFS:2.2.4.39
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:seq_num: The sequence number of this echo reply.
:data: The data echoed back from the client.
.. bro:see:: smb1_message smb1_echo_request

44
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro.rst Normal file
View file

@ -0,0 +1,44 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro
=====================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================= ===========================================================================================
:bro:id:`smb1_logoff_andx`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *logoff andx*.
============================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_logoff_andx
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *logoff andx*. This is used by the client to logoff the user
connection represented by UID in the SMB Header. The server releases all locks and closes
all files currently open by this user, disconnects all tree connects, cancels any outstanding
requests for this UID, and invalidates the UID.
For more information, see MS-CIFS:2.2.4.54
:c: The connection.
:is_orig: Indicates which host sent the logoff message.
.. bro:see:: smb1_message

69
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro.rst Normal file
View file

@ -0,0 +1,69 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro
===================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== ===========================================================================================
:bro:id:`smb1_negotiate_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *negotiate*.
:bro:id:`smb1_negotiate_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *negotiate*.
==================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_negotiate_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, dialects: :bro:type:`string_vec`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *negotiate*. This is sent by the client to initiate an SMB
connection between the client and the server. A *negotiate* exchange MUST be completed
before any other SMB messages are sent to the server.
For more information, see MS-CIFS:2.2.4.52
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:dialects: The SMB dialects supported by the client.
.. bro:see:: smb1_message smb1_negotiate_response
.. bro:id:: smb1_negotiate_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, response: :bro:type:`SMB1::NegotiateResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *negotiate*. This is the server response to the *negotiate*
request.
For more information, see MS-CIFS:2.2.4.52
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:response: A record structure containing more information from the response.
.. bro:see:: smb1_message smb1_negotiate_request

42
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro.rst Normal file
View file

@ -0,0 +1,42 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro
===================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=================================================== ===========================================================================================
:bro:id:`smb1_nt_cancel_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt cancel*.
=================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_nt_cancel_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt cancel*. This is sent by the client to request that a currently
pending request be cancelled.
For more information, see MS-CIFS:2.2.4.65
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. bro:see:: smb1_message

75
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro.rst Normal file
View file

@ -0,0 +1,75 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro
========================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================= ===========================================================================================
:bro:id:`smb1_nt_create_andx_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt create andx*.
:bro:id:`smb1_nt_create_andx_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *nt create andx*.
========================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_nt_create_andx_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, file_name: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt create andx*. This is sent by the client to create and open
a new file, or to open an existing file, or to open and truncate an existing file to zero
length, or to create a directory, or to create a connection to a named pipe.
For more information, see MS-CIFS:2.2.4.64
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:name: The ``name`` attribute specified in the message.
.. bro:see:: smb1_message smb1_nt_create_andx_response
.. bro:id:: smb1_nt_create_andx_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, file_id: :bro:type:`count`, file_size: :bro:type:`count`, times: :bro:type:`SMB::MACTimes`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *nt create andx*. This is the server response to the
*nt create andx* request.
For more information, see MS-CIFS:2.2.4.64
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:file_id: The SMB2 GUID for the file.
:file_size: Size of the file.
:times: Timestamps associated with the file in question.
.. bro:see:: smb1_message smb1_nt_create_andx_request

46
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro.rst Normal file
View file

@ -0,0 +1,46 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro
===========================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== ===========================================================================================
:bro:id:`smb1_query_information_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *query information*.
=========================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_query_information_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, filename: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *query information*. This is a deprecated command which
has been replaced by the *trans2_query_path_information* subcommand. This is used by the
client to obtain attribute information about a file.
For more information, see MS-CIFS:2.2.4.9
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:filename: The filename that the client is querying.
.. bro:see:: smb1_message smb1_transaction2_request

74
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro.rst Normal file
View file

@ -0,0 +1,74 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
===================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== ===========================================================================================
:bro:id:`smb1_read_andx_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *read andx*.
:bro:id:`smb1_read_andx_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *read andx*.
==================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_read_andx_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, file_id: :bro:type:`count`, offset: :bro:type:`count`, length: :bro:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *read andx*. This is sent by the client to read bytes from a regular
file, a named pipe, or a directly accessible device such as a serial port (COM) or printer
port (LPT).
For more information, see MS-CIFS:2.2.4.42
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:file_id: The file identifier being written to.
:offset: The byte offset the requested read begins at.
:length: The number of bytes being requested.
.. bro:see:: smb1_message smb1_read_andx_response
.. bro:id:: smb1_read_andx_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, data_len: :bro:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *read andx*. This is the server response to the *read andx* request.
For more information, see MS-CIFS:2.2.4.42
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:data_len: The length of data from the requested file.
.. bro:see:: smb1_message smb1_read_andx_request

66
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro.rst Normal file
View file

@ -0,0 +1,66 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
============================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= ===========================================================================================
:bro:id:`smb1_session_setup_andx_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *setup andx*.
:bro:id:`smb1_session_setup_andx_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *setup andx*.
============================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_session_setup_andx_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, request: :bro:type:`SMB1::SessionSetupAndXRequest`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *setup andx*. This is sent by the client to configure an SMB session.
For more information, see MS-CIFS:2.2.4.53
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:request: The parsed request data of the SMB message. See init-bare for more details.
.. bro:see:: smb1_message smb1_session_setup_andx_response
.. bro:id:: smb1_session_setup_andx_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, response: :bro:type:`SMB1::SessionSetupAndXResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *setup andx*. This is the server response to the *setup andx* request.
For more information, see MS-CIFS:2.2.4.53
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:response: The parsed response data of the SMB message. See init-bare for more details.
.. bro:see:: smb1_message smb1_session_setup_andx_request

81
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro.rst Normal file
View file

@ -0,0 +1,81 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
=====================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ===========================================================================================
:bro:id:`smb1_transaction_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction*.
:bro:id:`smb1_transaction_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction*.
====================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_transaction_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, name: :bro:type:`string`, sub_cmd: :bro:type:`count`, parameters: :bro:type:`string`, data: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction*. This command serves as the transport for the
Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
which are interprocess communication endpoints within the CIFS file system.
For more information, see MS-CIFS:2.2.4.33.1
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:name: A name string that MAY identify the resource (a specific Mailslot or Named Pipe)
against which the operation is performed.
:sub_cmd: The sub command, some may be parsed and have their own events.
:parameters: content of the SMB_Data.Trans_Parameters field
:data: content of the SMB_Data.Trans_Data field
.. bro:see:: smb1_message smb1_transaction2_request
.. bro:id:: smb1_transaction_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, parameters: :bro:type:`string`, data: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction*. This command serves as the transport for the
Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
which are interprocess communication endpoints within the CIFS file system.
For more information, see MS-CIFS:2.2.4.33.2
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:parameters: content of the SMB_Data.Trans_Parameters field
:data: content of the SMB_Data.Trans_Data field

122
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro.rst Normal file
View file

@ -0,0 +1,122 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
======================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================================= ===========================================================================================
:bro:id:`smb1_trans2_find_first2_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *find first2*.
:bro:id:`smb1_trans2_get_dfs_referral_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *get DFS referral*.
:bro:id:`smb1_trans2_query_path_info_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *query path info*.
:bro:id:`smb1_transaction2_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction2*.
================================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_trans2_find_first2_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, args: :bro:type:`SMB1::Find_First2_Request_Args`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
a search for file(s) within a directory or for a directory
For more information, see MS-CIFS:2.2.6.2
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:args: A record data structure with arguments given to the command.
.. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
smb1_trans2_get_dfs_referral_request
.. bro:id:: smb1_trans2_get_dfs_referral_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, file_name: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *get DFS referral*. This transaction is used
to request a referral for a disk object in DFS.
For more information, see MS-CIFS:2.2.6.16
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:file_name: File name the request is in reference to.
.. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
smb1_trans2_query_path_info_request
.. bro:id:: smb1_trans2_query_path_info_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, file_name: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *query path info*. This transaction is used to
get information about a specific file or directory.
For more information, see MS-CIFS:2.2.6.6
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:file_name: File name the request is in reference to.
.. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
smb1_trans2_get_dfs_referral_request
.. bro:id:: smb1_transaction2_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, args: :bro:type:`SMB1::Trans2_Args`, sub_cmd: :bro:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction2*. This command serves as the transport for the
Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes,
which are interprocess communication endpoints within the CIFS file system. Compared to the
Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended
Attribute key/value pairs, make use of long file names (longer than the original 8.3 format
names), and perform directory searches, among other tasks.
For more information, see MS-CIFS:2.2.4.46
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:sub_cmd: The sub command, some are parsed and have their own events.
.. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
smb1_trans2_get_dfs_referral_request smb1_transaction_request

49
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro.rst Normal file
View file

@ -0,0 +1,49 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro
================================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================================ ===========================================================================================
:bro:id:`smb1_transaction2_secondary_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction2 secondary*.
================================================================ ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_transaction2_secondary_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, args: :bro:type:`SMB1::Trans2_Sec_Args`, parameters: :bro:type:`string`, data: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction2 secondary*.
For more information, see MS-CIFS:2.2.4.47.1
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
version 1 message.
:args: arguments of the message (SMB_Parameters.Words)
:parameters: content of the SMB_Data.Trans_Parameters field
:data: content of the SMB_Data.Trans_Data field

48
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro.rst Normal file
View file

@ -0,0 +1,48 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro
===============================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================================== ===========================================================================================
:bro:id:`smb1_transaction_secondary_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction_secondary*.
=============================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_transaction_secondary_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, args: :bro:type:`SMB1::Trans_Sec_Args`, parameters: :bro:type:`string`, data: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction_secondary*. This command
serves as an additional request data container for the
Transaction Subprotocol Commands (carried by *transaction* requests).
For more information, see MS-CIFS:2.2.4.34
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:parameters: the SMB_Data.Trans_Parameters field content
:data: the SMB_Data.Trans_Data field content

74
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro.rst Normal file
View file

@ -0,0 +1,74 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
===========================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================ ===========================================================================================
:bro:id:`smb1_tree_connect_andx_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *tree connect andx*.
:bro:id:`smb1_tree_connect_andx_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *tree connect andx*.
============================================================ ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_tree_connect_andx_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, path: :bro:type:`string`, service: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *tree connect andx*. This is sent by the client to establish a
connection to a server share.
For more information, see MS-CIFS:2.2.4.55
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:path: The ``path`` attribute specified in the message.
:service: The ``service`` attribute specified in the message.
.. bro:see:: smb1_message smb1_tree_connect_andx_response
.. bro:id:: smb1_tree_connect_andx_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, service: :bro:type:`string`, native_file_system: :bro:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *tree connect andx*. This is the server reply to the *tree connect andx*
request.
For more information, see MS-CIFS:2.2.4.55
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:service: The ``service`` attribute specified in the message.
:native_file_system: The file system of the remote server as indicate by the server.
.. bro:see:: smb1_message smb1_tree_connect_andx_request

45
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro.rst Normal file
View file

@ -0,0 +1,45 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
=========================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===========================================================================================
:bro:id:`smb1_tree_disconnect`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *tree disconnect*.
================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_tree_disconnect
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, is_orig: :bro:type:`bool`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *tree disconnect*. This is sent by the client to logically disconnect
client access to a server resource.
For more information, see MS-CIFS:2.2.4.51
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:is_orig: True if the message was from the originator.
.. bro:see:: smb1_message

72
doc/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro.rst Normal file
View file

@ -0,0 +1,72 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
====================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
===================================================== ===========================================================================================
:bro:id:`smb1_write_andx_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *write andx*.
:bro:id:`smb1_write_andx_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *write andx*.
===================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_write_andx_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, file_id: :bro:type:`count`, offset: :bro:type:`count`, data_len: :bro:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *write andx*. This is sent by the client to write bytes to a
regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM)
or printer port (LPT).
For more information, see MS-CIFS:2.2.4.43
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:offset: The byte offset into the referenced file data is being written.
:data: The data being written.
.. bro:see:: smb1_message smb1_write_andx_response
.. bro:id:: smb1_write_andx_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, written_bytes: :bro:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *write andx*. This is the server response to the *write andx*
request.
For more information, see MS-CIFS:2.2.4.43
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:written_bytes: The number of bytes the server reported having actually written.
.. bro:see:: smb1_message smb1_write_andx_request

86
doc/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro.rst Normal file
View file

@ -0,0 +1,86 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb1_events.bif.bro
============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ =========================================================================================================
:bro:id:`smb1_empty_response`: :bro:type:`event` Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
:bro:id:`smb1_error`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)` version 1 messages
that indicate an error.
:bro:id:`smb1_message`: :bro:type:`event` Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1
messages.
================================================ =========================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb1_empty_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`)
Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
.. bro:see:: smb1_message
.. bro:id:: smb1_error
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, is_orig: :bro:type:`bool`)
Generated for :abbr:`SMB (Server Message Block)` version 1 messages
that indicate an error. This event is triggered by an :abbr:`SMB (Server Message Block)` header
including a status that signals an error.
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
:is_orig: True if the message was sent by the originator of the underlying
transport-level connection.
.. bro:see:: smb1_message
.. bro:id:: smb1_message
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB1::Header`, is_orig: :bro:type:`bool`)
Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1
messages.
See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
:abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
:abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:is_orig: True if the message was sent by the originator of the underlying
transport-level connection.
.. bro:see:: smb2_message

68
doc/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro.rst Normal file
View file

@ -0,0 +1,68 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro
===============================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ ===========================================================================================
:bro:id:`smb2_close_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *close*.
:bro:id:`smb2_close_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *close*.
================================================ ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb2_close_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB2::Header`, file_id: :bro:type:`SMB2::GUID`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *close*. This is used by the client to close an instance of a
file that was opened previously with a successful SMB2 CREATE Request.
For more information, see MS-SMB2:2.2.15
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:file_name: The SMB2 GUID of the file being closed.
.. bro:see:: smb2_message smb2_close_response
.. bro:id:: smb2_close_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB2::Header`, response: :bro:type:`SMB2::CloseResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *close*. This is sent by the server to indicate that an SMB2 CLOSE
request was processed successfully.
For more information, see MS-SMB2:2.2.16
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:response: A record of attributes returned from the server from the close.
.. bro:see:: smb2_message smb2_close_request

68
doc/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro.rst Normal file
View file

@ -0,0 +1,68 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro
================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===========================================================================================
:bro:id:`smb2_create_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *create*.
:bro:id:`smb2_create_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *create*.
================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb2_create_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB2::Header`, request: :bro:type:`SMB2::CreateRequest`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *create*. This is sent by the client to request either creation
of or access to a file.
For more information, see MS-SMB2:2.2.13
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:request: A record with more information related to the request.
.. bro:see:: smb2_message smb2_create_response
.. bro:id:: smb2_create_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB2::Header`, response: :bro:type:`SMB2::CreateResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *create*. This is sent by the server to notify the client of
the status of its SMB2 CREATE request.
For more information, see MS-SMB2:2.2.14
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:response: A record with more information related to the response.
.. bro:see:: smb2_message smb2_create_request

68
doc/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro.rst Normal file
View file

@ -0,0 +1,68 @@
:tocdepth: 3
base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro
===================================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== ===========================================================================================
:bro:id:`smb2_negotiate_request`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *negotiate*.
:bro:id:`smb2_negotiate_response`: :bro:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *negotiate*.
==================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb2_negotiate_request
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB2::Header`, dialects: :bro:type:`index_vec`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *negotiate*. This is used by the client to notify the server what
dialects of the SMB2 Protocol the client understands.
For more information, see MS-SMB2:2.2.3
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:dialects: A vector of the client's supported dialects.
.. bro:see:: smb2_message smb2_negotiate_response
.. bro:id:: smb2_negotiate_response
:Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`SMB2::Header`, response: :bro:type:`SMB2::NegotiateResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *negotiate*. This is sent by the server to notify the client of
the preferred common dialect.
For more information, see MS-SMB2:2.2.4
:c: The connection.
:hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:response: The negotiate response data structure.
.. bro:see:: smb2_message smb2_negotiate_request

Some files were not shown because too many files have changed in this diff Show more