diff --git a/CHANGES b/CHANGES index 429184c9fd..7dbe6fb680 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,14 @@ +2.0-614 | 2012-06-15 15:19:49 -0700 + + * Remove an old, unused diff canonifier. (Jon Siwek) + + * Improve an error message in ICMP analyzer. (Jon Siwek) + + * Fix a warning message when building docs. (Daniel Thayer) + + * Fix many errors in the event documentation. (Daniel Thayer) + 2.0-608 | 2012-06-11 15:59:00 -0700 * Add more error handling code to logging of enum vals. Addresses diff --git a/VERSION b/VERSION index c6723b4d6c..fde6b874d8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0-608 +2.0-614 diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro index b9b15bfd22..ceae357f78 100644 --- a/scripts/base/frameworks/communication/main.bro +++ b/scripts/base/frameworks/communication/main.bro @@ -11,7 +11,8 @@ export { ## The communication logging stream identifier. redef enum Log::ID += { LOG }; - ## Which interface to listen on (``0.0.0.0`` or ``[::]`` are wildcards). + ## Which interface to listen on. The addresses ``0.0.0.0`` and ``[::]`` + ## are wildcards. const listen_interface = 0.0.0.0 &redef; ## Which port to listen on. diff --git a/src/ICMP.cc b/src/ICMP.cc index b06c6440e1..b8ddb8a292 100644 --- a/src/ICMP.cc +++ b/src/ICMP.cc @@ -64,7 +64,8 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, break; default: - reporter->InternalError("unexpected IP proto in ICMP analyzer"); + reporter->InternalError("unexpected IP proto in ICMP analyzer: %d", + ip->NextProto()); break; } diff --git a/src/event.bif b/src/event.bif index af2381ecf6..d0418c42c9 100644 --- a/src/event.bif +++ b/src/event.bif @@ -10,7 +10,7 @@ # # - List parameters with an empty line in between. # -# - Within the description, reference other parameters of the same events +# - Within the description, reference other parameters of the same event # as *arg*. # # - Order: 
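Review bot: The new InternalError call in the default branch of ICMP_Analyzer::DeliverPacket (src/ICMP.cc hunk) still terminates the process on a value read from the packet's IP header (`ip->NextProto()`), so if that branch is reachable from traffic rather than only from a broken internal invariant, one malformed packet stops the monitor instead of being logged as an anomaly. If the analyzer is only ever attached for the ICMP protocols the switch already handles, a comment stating that would justify the fatal error, e.g. `// Unreachable for well-formed dispatch: this analyzer is only instantiated for ICMP/ICMPv6, so any other proto is a session-manager bug.`; otherwise a non-fatal report (`reporter->Weird(...)` followed by `return;`) is the safer choice for packet-driven input. The switch subject and the rest of DeliverPacket's body lie outside the hunk, so reachability cannot be confirmed from here.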
@@ -31,17 +31,18 @@ ## Generated at Bro initialization time. The event engine generates this ## event just before normal input processing begins. It can be used to execute ## one-time initialization code at startup. At the time a handler runs, Bro will -## have executed any global initializations and statements. +## have executed any global initializations and statements. ## ## .. bro:see:: bro_done ## ## .. note:: ## -## When a ``bro_init`` handler executes, Bro has not yet seen any input packets -## and therefore :bro:id:`network_time` is not initialized yet. An artifact -## of that is that any timer installed in a ``bro_init`` handler will fire -## immediately with the first packet. The standard way to work around that is to -## ignore the first time the timer fires and immediately reschedule. +## When a ``bro_init`` handler executes, Bro has not yet seen any input +## packets and therefore :bro:id:`network_time` is not initialized yet. An +## artifact of that is that any timer installed in a ``bro_init`` handler +## will fire immediately with the first packet. The standard way to work +## around that is to ignore the first time the timer fires and immediately +## reschedule. ## event bro_init%(%); 
@@ -54,13 +55,13 @@ event bro_init%(%); ## ## .. note:: ## -## If Bro terminates due to an invocation of :bro:id:`exit`, then this event is -## not generated. +## If Bro terminates due to an invocation of :bro:id:`exit`, then this event +## is not generated. event bro_done%(%); -## Generated when an internal DNS lookup reduces the same result as last time. +## Generated when an internal DNS lookup produces the same result as last time. ## Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when subsequent lookup returns +## already resolved. This event is generated when a subsequent lookup returns ## the same result as stored in the cache. ## ## dm: A record describing the new resolver result (which matches the old one). @@ -69,10 +70,11 @@ event bro_done%(%); ## dns_mapping_unverified event dns_mapping_valid%(dm: dns_mapping%); -## Generated when an internal DNS lookup got no answer even though it had succeeded he -## past. Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when a subsequent lookup does not -## produce an answer even though we have already stored a result in the cache. +## Generated when an internal DNS lookup got no answer even though it had +## succeeded in the past. Bro keeps an internal DNS cache for host names and IP +## addresses it has already resolved. This event is generated when a +## subsequent lookup does not produce an answer even though we have +## already stored a result in the cache. ## ## dm: A record describing the old resolver result. ## 
@@ -80,8 +82,8 @@ event dns_mapping_valid%(dm: dns_mapping%); ## dns_mapping_valid event dns_mapping_unverified%(dm: dns_mapping%); -## Generated when an internal DNS lookup succeeed but an earlier attempt not. had -## had succeeded he past. Bro keeps an internal DNS cache for host names and IP +## Generated when an internal DNS lookup succeeded but an earlier attempt +## did not. Bro keeps an internal DNS cache for host names and IP ## addresses it has already resolved. This event is generated when a subsequent ## lookup produces an answer for a query that was marked as failed in the cache. ## @@ -92,10 +94,10 @@ event dns_mapping_unverified%(dm: dns_mapping%); event dns_mapping_new_name%(dm: dns_mapping%); ## Generated when an internal DNS lookup returned zero answers even though it -## had succeeded he past. Bro keeps an internal DNS cache for host names and IP -## addresses it has already resolved. This event is generated when for a subsequent -## lookup we received answer that however was empty even though we have -## already stored a result in the cache. +## had succeeded in the past. Bro keeps an internal DNS cache for host names +## and IP addresses it has already resolved. This event is generated when +## on a subsequent lookup we receive an answer that is empty even +## though we have already stored a result in the cache. ## ## dm: A record describing the old resolver result. ## 
@@ -104,26 +106,26 @@ event dns_mapping_new_name%(dm: dns_mapping%); event dns_mapping_lost_name%(dm: dns_mapping%); ## Generated when an internal DNS lookup produced a different result than in -## past. Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when a subsequent lookup returns -## a different answer than we have stored in the cache. +## the past. Bro keeps an internal DNS cache for host names and IP addresses +## it has already resolved. This event is generated when a subsequent lookup +## returns a different answer than we have stored in the cache. ## ## dm: A record describing the new resolver result. ## ## old_addrs: Addresses that used to be part of the returned set for the query ## described by *dm*, but are not anymore. ## -## new_addrs: Addresses that did not use to be part of the returned set for the -## query described by *dm*, but now are. +## new_addrs: Addresses that were not part of the returned set for the query +## described by *dm*, but now are. ## ## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); -## Generated for every new connection. The event is raised with the first packet -## of a previously unknown connection. Bro uses a flow-based definition of -## "connection" here that includes not only TCP sessions but also UDP and ICMP -## flows. +## Generated for every new connection. This event is raised with the first +## packet of a previously unknown connection. Bro uses a flow-based definition +## of "connection" here that includes not only TCP sessions but also UDP and +## ICMP flows. ## ## c: The connection. ## 
@@ -141,7 +143,7 @@ event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr ## event. event new_connection%(c: connection%); -## Generated when reassembly starts for a TCP connection. The event is raised +## Generated when reassembly starts for a TCP connection. This event is raised ## at the moment when Bro's TCP analyzer enables stream reassembly for a ## connection. ## @@ -155,11 +157,11 @@ event new_connection%(c: connection%); ## expected_connection_seen new_connection partial_connection event new_connection_contents%(c: connection%); -## Generated for an unsuccessful connection attempt. The event is raised when an -## originator unsuccessfully attempted to establish a connection. "Unsuccessful" -## is defined as at least :bro:id:`tcp_attempt_delay` seconds having elapsed since -## the originator first sent a connection establishment packet to the destination -## without seeing a reply. +## Generated for an unsuccessful connection attempt. This event is raised when +## an originator unsuccessfully attempted to establish a connection. +## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds +## having elapsed since the originator first sent a connection establishment +## packet to the destination without seeing a reply. ## ## c: The connection. ## @@ -171,7 +173,7 @@ event new_connection_contents%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); -## Generated when a SYN-ACK packet is seen in response to SYN a packet during +## Generated when a SYN-ACK packet is seen in response to a SYN packet during ## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may ## or may not occur later, one way to tell is to check the *history* field of ## :bro:type:`connection` to see if the originator sent an ACK, indicated by 
@@ -188,8 +190,9 @@ event connection_attempt%(c: connection%); event connection_established%(c: connection%); ## Generated for a new active TCP connection if Bro did not see the initial -## handshake. The event is raised when Bro has observed traffic from each endpoint, -## but the activity did not begin with the usual connection establishment. +## handshake. This event is raised when Bro has observed traffic from each +## endpoint, but the activity did not begin with the usual connection +## establishment. ## ## c: The connection. ## @@ -202,11 +205,11 @@ event connection_established%(c: connection%); ## event partial_connection%(c: connection%); -## Generated when a previously inactive endpoint attempts to close a TCP connection -## via a normal FIN handshake or an abort RST sequence. When the endpoint sent -## one of these packets, Bro waits :bro:id:`tcp_partial_close_delay` prior -## to generating the event, to give the other endpoint a chance to close the -## connection normally. +## Generated when a previously inactive endpoint attempts to close a TCP +## connection via a normal FIN handshake or an abort RST sequence. When the +## endpoint sent one of these packets, Bro waits +## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give +## the other endpoint a chance to close the connection normally. ## ## c: The connection. ## 
@@ -245,9 +248,9 @@ event connection_finished%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_half_finished%(c: connection%); -## Generated for a rejected TCP connection. The event is raised when an originator -## attempted to setup a TCP connection but the responder replied with a RST packet -## denying it. +## Generated for a rejected TCP connection. This event is raised when an +## originator attempted to setup a TCP connection but the responder replied +## with a RST packet denying it. ## ## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished @@ -261,9 +264,9 @@ event connection_half_finished%(c: connection%); ## .. note:: ## ## If the responder does not respond at all, :bro:id:`connection_attempt` is -## raised instead. If the responder initially accepts the connection but aborts -## it later, Bro first generates :bro:id:`connection_established` and then -## :bro:id:`connection_reset`. +## raised instead. If the responder initially accepts the connection but +## aborts it later, Bro first generates :bro:id:`connection_established` +## and then :bro:id:`connection_reset`. event connection_rejected%(c: connection%); ## Generated when an endpoint aborted a TCP connection. The event is raised 
@@ -296,9 +299,9 @@ event connection_pending%(c: connection%); ## Generated when a connection's internal state is about to be removed from ## memory. Bro generates this event reliably once for every connection when it ## is about to delete the internal state. As such, the event is well-suited for -## scrip-level cleanup that needs to be performed for every connection. The -## ``connection_state_remove`` event is generated not only for TCP sessions but -## also for UDP and ICMP flows. +## script-level cleanup that needs to be performed for every connection. This +## event is generated not only for TCP sessions but also for UDP and ICMP +## flows. ## ## c: The connection. ## @@ -311,8 +314,8 @@ event connection_pending%(c: connection%); ## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats event connection_state_remove%(c: connection%); -## Generated for a SYN packet. Bro raises this event for every SYN packet seen by -## its TCP analyzer. +## Generated for a SYN packet. Bro raises this event for every SYN packet seen +## by its TCP analyzer. ## ## c: The connection. ## 
@@ -327,14 +330,15 @@ event connection_state_remove%(c: connection%); ## ## .. note:: ## -## This event has quite low-level semantics and can potentially be expensive to -## generate. It should only be used if one really needs the specific information -## passed into the handler via the ``pkt`` argument. If not, handling one of the -## other ``connection_*`` events is typically the better approach. +## This event has quite low-level semantics and can potentially be expensive +## to generate. It should only be used if one really needs the specific +## information passed into the handler via the ``pkt`` argument. If not, +## handling one of the other ``connection_*`` events is typically the +## better approach. event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## Generated for the first ACK packet seen for a TCP connection from -## its *orginator*. +## its *originator*. ## ## c: The connection. ## @@ -350,10 +354,10 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## This event has quite low-level semantics and should be used only rarely. event connection_first_ACK%(c: connection%); -## Generated when a TCP connection timed out. This event is raised when no activity -## was seen for an interval of at least :bro:id:`tcp_connection_linger`, and -## either one endpoint has already closed the connection or one side never -## never became active. +## Generated when a TCP connection timed out. This event is raised when +## no activity was seen for an interval of at least +## :bro:id:`tcp_connection_linger`, and either one endpoint has already +## closed the connection or one side never became active. ## ## c: The connection. ## 
@@ -366,17 +370,17 @@ event connection_first_ACK%(c: connection%); ## ## .. note:: ## -## The precise semantics of this event can be unintuitive as it only +## The precise semantics of this event can be unintuitive as it only ## covers a subset of cases where a connection times out. Often, handling ## :bro:id:`connection_state_remove` is the better option. That one will be -## generated reliably when an interval of ``tcp_inactivity_timeout`` has passed -## with out any activity seen (but also for all other ways a connection may -## terminate). +## generated reliably when an interval of ``tcp_inactivity_timeout`` has +## passed without any activity seen (but also for all other ways a +## connection may terminate). event connection_timeout%(c: connection%); -## Generated when a connection 4-tuple is reused. The event is raised when Bro -## sees a new TCP session or UDP flow using a 4-tuple matching that of an earlier -## connection it still consideres active. +## Generated when a connection 4-tuple is reused. This event is raised when Bro +## sees a new TCP session or UDP flow using a 4-tuple matching that of an +## earlier connection it still considers active. ## ## c: The connection. ## @@ -388,8 +392,8 @@ event connection_timeout%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_reused%(c: connection%); -## Generated in regular intervals during the life time of a connection. The -## events is raised each ``connection_status_update_interval`` seconds +## Generated in regular intervals during the lifetime of a connection. The +## event is raised each ``connection_status_update_interval`` seconds ## and can be used to check conditions on a regular basis. ## ## c: The connection. 
@@ -432,13 +436,17 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co ## new_connection new_connection_contents partial_connection event connection_EOF%(c: connection, is_orig: bool%); -## Generated for a new connection received from the communication subsystem. Remote -## peers can inject packets into Bro's packet loop, for example via :doc:`Broccoli -## `. The communication systems raises this event -## with the first packet of a connection coming in this way. +## Generated for a new connection received from the communication subsystem. +## Remote peers can inject packets into Bro's packet loop, for example via +## :doc:`Broccoli `. The communication system +## raises this event with the first packet of a connection coming in this way. +## +## c: The connection. +## +## tag: TODO. event connection_external%(c: connection, tag: string%); -## Generated when a connected is seen that has previously marked as being expected. +## Generated when a connection is seen that is marked as being expected. ## The function :bro:id:`expect_connection` tells Bro to expect a particular ## connection to come up, and which analyzer to associate with it. Once the ## first packet of such a connection is indeed seen, this event is raised. 
@@ -457,12 +465,12 @@ event connection_external%(c: connection, tag: string%); ## connection_state_remove connection_status_update connection_timeout ## new_connection new_connection_contents partial_connection ## -## .. todo: We don't have a good way to document the automatically generated +## .. todo:: We don't have a good way to document the automatically generated ## ``ANALYZER_*`` constants right now. event expected_connection_seen%(c: connection, a: count%); ## Generated for every packet Bro sees. This is a very low-level and expensive -## event that should be avoided when at all possible. Is's usually infeasible to +## event that should be avoided when at all possible. It's usually infeasible to ## handle when processing even medium volumes of traffic in real-time. That ## said, if you work from a trace and want to do some packet-level analysis, ## it may come in handy. @@ -475,7 +483,7 @@ event expected_connection_seen%(c: connection, a: count%); event new_packet%(c: connection, p: pkt_hdr%); ## Generated for every IPv6 packet that contains extension headers. -## This is potentially an expensive event to handle if analysiing IPv6 traffic +## This is potentially an expensive event to handle if analysing IPv6 traffic ## that happens to utilize extension headers frequently. ## ## c: The connection the packet is part of. 
@@ -500,26 +508,26 @@ event esp_packet%(p: pkt_hdr%); ## .. bro:see:: new_packet tcp_packet ipv6_ext_headers event mobile_ipv6_message%(p: pkt_hdr%); -## Generated for every packet that has non-empty transport-layer payload. This is a -## very low-level and expensive event that should be avoided when at all possible. -## It's usually infeasible to handle when processing even medium volumes of -## traffic in real-time. It's even worse than :bro:id:`new_packet`. That said, if -## you work from a trace and want to do some packet-level analysis, it may come in -## handy. +## Generated for every packet that has a non-empty transport-layer payload. +## This is a very low-level and expensive event that should be avoided when +## at all possible. It's usually infeasible to handle when processing even +## medium volumes of traffic in real-time. It's even worse than +## :bro:id:`new_packet`. That said, if you work from a trace and want to +## do some packet-level analysis, it may come in handy. ## ## c: The connection the packet is part of. ## -## contants: The raw transport-layer payload. +## contents: The raw transport-layer payload. ## ## .. bro:see:: new_packet tcp_packet event packet_contents%(c: connection, contents: string%); ## Generated for every TCP packet. This is a very low-level and expensive event -## that should be avoided when at all possible. It's usually infeasible to handle -## when processing even medium volumes of traffic in real-time. It's slightly -## better than :bro:id:`new_packet` because it affects only TCP, but not much. That -## said, if you work from a trace and want to do some packet-level analysis, it may -## come in handy. +## that should be avoided when at all possible. It's usually infeasible to +## handle when processing even medium volumes of traffic in real-time. It's +## slightly better than :bro:id:`new_packet` because it affects only TCP, but +## not much. 
That said, if you work from a trace and want to do some +## packet-level analysis, it may come in handy. ## ## c: The connection the packet is part of. ## @@ -535,8 +543,8 @@ event packet_contents%(c: connection, contents: string%); ## ## len: The length of the TCP payload, as specified in the packet header. ## -## payload: The raw TCP payload. Note that this may less than *len* if the packet -## was not fully captured. +## payload: The raw TCP payload. Note that this may be shorter than *len* if +## the packet was not fully captured. ## ## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); @@ -563,9 +571,9 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## :bro:id:`tcp_content_delivery_ports_resp`, ## :bro:id:`tcp_content_deliver_all_orig`, ## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk -## of in-order payload reconstructed from the packet stream. Note that this event -## is potentially expensive if many connections carry signficant amounts of data as -## then all that needs to be passed on to the scripting layer. +## of in-order payload reconstructed from the packet stream. Note that this +## event is potentially expensive if many connections carry significant amounts +## of data as then all that data needs to be passed on to the scripting layer. ## ## c: The connection the payload is part of. ## @@ -574,7 +582,7 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## seq: The sequence number corresponding to the first byte of the payload ## chunk. ## -## payload: The raw payload, which will be non-empty. +## contents: The raw payload, which will be non-empty. ## ## .. bro:see:: tcp_packet tcp_option tcp_rexmit ## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp 
@@ -590,13 +598,14 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## network-level effects such as latency, acknowledgements, reordering, etc. event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); -## Generated +## TODO. event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); ## Generated when Bro detects a TCP retransmission inconsistency. When -## reassemling TCP stream, Bro buffers all payload until it seens the responder -## acking it. If during time, the sender resends a chunk of payload but with -## content than originally, this event will be raised. +## reassembling a TCP stream, Bro buffers all payload until it sees the +## responder acking it. If during that time, the sender resends a chunk of +## payload but with different content than originally, this event will be +## raised. ## ## c: The connection showing the inconsistency. ## @@ -607,7 +616,7 @@ event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_ ## .. bro:see:: tcp_rexmit tcp_contents event rexmit_inconsistency%(c: connection, t1: string, t2: string%); -## Generated when a TCP endpoint acknowledges payload that Bro did never see. +## Generated when a TCP endpoint acknowledges payload that Bro never saw. ## ## c: The connection. ## 
@@ -621,19 +630,19 @@ event rexmit_inconsistency%(c: connection, t1: string, t2: string%); ## (which isn't unheard of). In practice, one will always see a few of these ## events in any larger volume of network traffic. If there are lots of them, ## however, that typically means that there is a problem with the monitoring -## infrastructure such as a tap dropping packets, split routing on the path, or -## reordering at the tap. +## infrastructure such as a tap dropping packets, split routing on the path, +## or reordering at the tap. ## -## This event reports similar situations as :bro:id:`content_gap`, though their -## specifics differ slightly. Often, however, both will be raised for the same -## connection if some of its data is missing. We should eventually merge -## the two. +## This event reports similar situations as :bro:id:`content_gap`, though +## their specifics differ slightly. Often, however, both will be raised for +## the same connection if some of its data is missing. We should eventually +## merge the two. event ack_above_hole%(c: connection%); -## Generated when Bro detects a gap in a reassembled TCP payload stream. This event -## is raised when Bro, while reassemling a payload stream, determines that a chunk -## of payload is missing (e.g., because the responder has already acknowledged it, -## even though Bro didn't see it). +## Generated when Bro detects a gap in a reassembled TCP payload stream. This +## event is raised when Bro, while reassembling a payload stream, determines +## that a chunk of payload is missing (e.g., because the responder has already +## acknowledged it, even though Bro didn't see it). ## ## c: The connection. ## 
@@ -647,25 +656,26 @@ event ack_above_hole%(c: connection%); ## ## .. note:: ## -## Content gaps tend to occur occasionally for various reasons, including broken -## TCP stacks. If, however, one finds lots of them, that typically means that -## there is a problem with the monitoring infrastructure such as a tap dropping -## packets, split routing on the path, or reordering at the tap. +## Content gaps tend to occur occasionally for various reasons, including +## broken TCP stacks. If, however, one finds lots of them, that typically +## means that there is a problem with the monitoring infrastructure such as +## a tap dropping packets, split routing on the path, or reordering at the +## tap. ## ## This event reports similar situations as :bro:id:`ack_above_hole`, though ## their specifics differ slightly. Often, however, both will be raised for -## connection if some of its data is missing. We should eventually merge the -## two. +## a connection if some of its data is missing. We should eventually merge +## the two. event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); -## Summarizes the amount of missing TCP payload at regular intervals. Internally, -## Bro tracks (1) the number of :bro:id:`ack_above_hole` events, including the -## numer of bytes missing; and (2) the total number of TCP acks seen, with the -## total volume of bytes that have been acked. This event reports these statistics -## in :bro:id:`gap_report_freq` intervals for the purpose of determining packet -## loss. +## Summarizes the amount of missing TCP payload at regular intervals. +## Internally, Bro tracks (1) the number of :bro:id:`ack_above_hole` events, +## including the number of bytes missing; and (2) the total number of TCP +## acks seen, with the total volume of bytes that have been acked. This event +## reports these statistics in :bro:id:`gap_report_freq` intervals for the +## purpose of determining packet loss. 
## -## dt: The time that has past since the last ``gap_report`` interval. +## dt: The time that has passed since the last ``gap_report`` interval. ## ## info: The gap statistics. ## @@ -673,17 +683,17 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); ## ## .. note:: ## -## Bro comes with a script :doc:`/scripts/policy/misc/capture-loss` that uses -## this event to estimate packet loss and report when a predefined threshold is -## exceeded. +## Bro comes with a script :doc:`/scripts/policy/misc/capture-loss` that uses +## this event to estimate packet loss and report when a predefined threshold +## is exceeded. event gap_report%(dt: interval, info: gap_info%); ## Generated when a protocol analyzer confirms that a connection is indeed ## using that protocol. Bro's dynamic protocol detection heuristically activates -## analyzers as soon as it believe a connection *could* be using a particular -## protocol. It is then left to the corresponding analyzer to verify whether that -## is indeed the case; if so, this event will be generated. +## analyzers as soon as it believes a connection *could* be using a particular +## protocol. It is then left to the corresponding analyzer to verify whether +## that is indeed the case; if so, this event will be generated. ## ## c: The connection. ## 
@@ -694,24 +704,24 @@ event gap_report%(dt: interval, info: gap_info%); ## ## aid: A unique integer ID identifying the specific *instance* of the ## analyzer *atype* that is analyzing the connection ``c``. The ID can -## be used to reference the analyzer when using builtin functions like +## be used to reference the analyzer when using builtin functions like ## :bro:id:`disable_analyzer`. ## ## .. bro:see:: protocol_violation ## ## .. note:: ## -## Bro's default scripts use this event to determine the ``service`` column of -## :bro:type:`Conn::Info`: once confirmed, the protocol will be listed there -## (and thus in ``conn.log``). +## Bro's default scripts use this event to determine the ``service`` column +## of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed +## there (and thus in ``conn.log``). event protocol_confirmation%(c: connection, atype: count, aid: count%); ## Generated when a protocol analyzer determines that a connection it is parsing -## is not conforming to the protocol it expects. Bro's dynamic protocol detection -## heuristically activates analyzers as soon as it believe a connection *could* be -## using a particular protocol. It is then left to the corresponding analyzer to -## verify whether that is indeed the case; if not, the analyzer will trigger this -## event. +## is not conforming to the protocol it expects. Bro's dynamic protocol +## detection heuristically activates analyzers as soon as it believes a +## connection *could* be using a particular protocol. It is then left to the +## corresponding analyzer to verify whether that is indeed the case; if not, +## the analyzer will trigger this event. ## ## c: The connection. ## 
@@ -722,20 +732,24 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## ## aid: A unique integer ID identifying the specific *instance* of the ## analyzer *atype* that is analyzing the connection ``c``. The ID can -## be used to reference the analyzer when using builtin functions like +## be used to reference the analyzer when using builtin functions like ## :bro:id:`disable_analyzer`. ## +## reason: TODO. +## ## .. bro:see:: protocol_confirmation ## ## .. note:: ## ## Bro's default scripts use this event to disable an analyzer via -## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's however -## a script-level decision and not done automatically by the event eninge. +## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's +## however a script-level decision and not done automatically by the event +## engine. event protocol_violation%(c: connection, atype: count, aid: count, reason: string%); ## Generated for each packet sent by a UDP flow's originator. This a potentially -## expsensive event due to the volume of UDP traffic and should be used with care. +## expensive event due to the volume of UDP traffic and should be used with +## care. ## ## u: The connection record for the corresponding UDP flow. ## @@ -743,7 +757,8 @@ event protocol_violation%(c: connection, atype: count, aid: count, reason: strin event udp_request%(u: connection%); ## Generated for each packet sent by a UDP flow's responder. This a potentially -## expsensive event due to the volume of UDP traffic and should be used with care. +## expensive event due to the volume of UDP traffic and should be used with +## care. ## ## u: The connection record for the corresponding UDP flow. ## 
@@ -751,35 +766,40 @@ event udp_request%(u: connection%);
 event udp_reply%(u: connection%);
 
 ## Generated for UDP packets to pass on their payload. As the number of UDP
-## packets can be very large, this event is normally raised only for those on
-## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets sent
-## by the flow's orgininator) or :bro:id:`udp_content_delivery_ports_resp` (for
-## packets sent by the flow's responder). However, delivery can be enabled for all
-## UDP request and reply packets by setting :bro:id:`udp_content_deliver_all_orig`
-## or :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this event is
-## also raised for all matching UDP packets, including empty ones.
+## packets can be very large, this event is normally raised only for those on
+## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets
+## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp`
+## (for packets sent by the flow's responder). However, delivery can be enabled
+## for all UDP request and reply packets by setting
+## :bro:id:`udp_content_deliver_all_orig` or
+## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this
+## event is also raised for all matching UDP packets, including empty ones.
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
 ## is_orig: True if the event is raised for the originator side.
 ##
+## contents: TODO.
+##
 ## .. bro:see:: udp_reply udp_request udp_session_done
 ## udp_content_deliver_all_orig udp_content_deliver_all_resp
 ## udp_content_delivery_ports_orig udp_content_delivery_ports_resp
 event udp_contents%(u: connection, is_orig: bool, contents: string%);
 
 ## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising this
-## event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog support this.
+## Bro's application-layer UDP analyzers flag the end of a session by raising
+## this event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog
+## support this.
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
 ## .. bro:see:: udp_contents udp_reply udp_request
 event udp_session_done%(u: connection%);
 
-## Generated for all ICMP messages that are not handled separately with dedicated
-## ICMP events. Bro's ICMP analyzer handles a number of ICMP messages directly
-## with dedicated events. This event acts as a fallback for those it doesn't.
+## Generated for all ICMP messages that are not handled separately with
+## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
+## directly with dedicated events. This event acts as a fallback for those it
+## doesn't.
 ##
 ## See `Wikipedia
 ## `__ for more
@@ -808,8 +828,8 @@ event icmp_sent%(c: connection, icmp: icmp_conn%);
 ##
 ## seq: The *echo request* sequence number.
 ##
-## payload: The message-specific data of the packet payload, i.e., everything after
-## the first 8 bytes of the ICMP header.
+## payload: The message-specific data of the packet payload, i.e., everything
+## after the first 8 bytes of the ICMP header.
 ##
 ## .. bro:see:: icmp_echo_reply
 event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
@@ -829,8 +849,8 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
 ##
 ## seq: The *echo reply* sequence number.
 ##
-## payload: The message-specific data of the packet payload, i.e., everything after
-## the first 8 bytes of the ICMP header.
+## payload: The message-specific data of the packet payload, i.e., everything
+## after the first 8 bytes of the ICMP header.
 ##
 ## .. bro:see:: icmp_echo_request
 event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
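Review bot: The added `## contents: TODO.` line in the udp_contents block leaves the payload parameter as a placeholder even though the first sentence of the same block says the event exists "to pass on their payload" and the last sentence says it is also raised for empty packets. That is enough to resolve the TODO in this commit without further inference: `## contents: The raw UDP payload of the packet (empty for packets without payload).` The hunk begins on the previous line; the two ICMP echo hunks that share this line only rewrap the payload descriptions and need nothing.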
@@ -851,8 +871,8 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa
 ##
 ## code: The ICMP code of the error message.
 ##
-## context: A record with specifics of the original packet that the message refers
-## to.
+## context: A record with specifics of the original packet that the message
+## refers to.
 ##
 ## .. bro:see:: icmp_unreachable icmp_packet_too_big
 ## icmp_time_exceeded icmp_parameter_problem
@@ -871,10 +891,11 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## code: The ICMP code of the *unreachable* message.
 ##
-## context: A record with specifics of the original packet that the message refers
-## to. *Unreachable* messages should include the original IP header from the packet
-## that triggered them, and Bro parses that into the *context* structure. Note
-## that if the *unreachable* includes only a partial IP header for some reason, no
+## context: A record with specifics of the original packet that the message
+## refers to. *Unreachable* messages should include the original IP
+## header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *unreachable*
+## includes only a partial IP header for some reason, no
 ## fields of *context* will be filled out.
 ##
 ## .. bro:see:: icmp_error_message icmp_packet_too_big
@@ -894,11 +915,12 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
 ##
 ## code: The ICMP code of the *too big* message.
 ##
-## context: A record with specifics of the original packet that the message refers
-## to. *Too big* messages should include the original IP header from the packet
-## that triggered them, and Bro parses that into the *context* structure. Note
-## that if the *too big* includes only a partial IP header for some reason, no
-## fields of *context* will be filled out.
+## context: A record with specifics of the original packet that the message
+## refers to. *Too big* messages should include the original IP header
+## from the packet that triggered them, and Bro parses that into
+## the *context* structure. Note that if the *too big* includes only
+## a partial IP header for some reason, no fields of *context* will
+## be filled out.
 ##
 ## .. bro:see:: icmp_error_message icmp_unreachable
 ## icmp_time_exceeded icmp_parameter_problem
@@ -917,11 +939,12 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## code: The ICMP code of the *exceeded* message.
 ##
-## context: A record with specifics of the original packet that the message refers
-## to. *Unreachable* messages should include the original IP header from the packet
-## that triggered them, and Bro parses that into the *context* structure. Note that
-## if the *exceeded* includes only a partial IP header for some reason, no fields
-## of *context* will be filled out.
+## context: A record with specifics of the original packet that the message
+## refers to. *Unreachable* messages should include the original IP
+## header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *exceeded* includes
+## only a partial IP header for some reason, no fields of *context*
+## will be filled out.
 ##
 ## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
 ## icmp_parameter_problem
@@ -940,10 +963,11 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## code: The ICMP code of the *parameter problem* message.
 ##
-## context: A record with specifics of the original packet that the message refers
-## to. *Parameter problem* messages should include the original IP header from the packet
-## that triggered them, and Bro parses that into the *context* structure. Note that
-## if the *parameter problem* includes only a partial IP header for some reason, no fields
+## context: A record with specifics of the original packet that the message
+## refers to. *Parameter problem* messages should include the original
+## IP header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *parameter problem*
+## includes only a partial IP header for some reason, no fields
 ## of *context* will be filled out.
 ##
 ## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
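Review bot: The rewrapped context description of icmp_time_exceeded still reads `## refers to. *Unreachable* messages should include the original IP`, wording carried over from the icmp_unreachable block, while the line above documents the *exceeded* code and the rest of the sentence talks about the *exceeded* message. Since this commit is explicitly fixing errors in the event documentation, the line should become `## refers to. *Time exceeded* messages should include the original IP` so the paragraph names the message it describes. The parameter-problem hunk sharing this line is internally consistent and needs no change.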
@@ -1076,13 +1100,14 @@ event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr%);
 event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 
 ## Generated for unexpected activity related to a specific connection. When
-## Bro's packet analysis encounters activity that does not conform to a protocol's
-## specification, it raises one of the ``*_weird`` events to report that. This
-## event is raised if the activity is tied directly to a specific connection.
+## Bro's packet analysis encounters activity that does not conform to a
+## protocol's specification, it raises one of the ``*_weird`` events to report
+## that. This event is raised if the activity is tied directly to a specific
+## connection.
 ##
 ## name: A unique name for the specific type of "weird" situation. Bro's default
-## scripts use this name in filtering policies that specify which "weirds" are
-## worth reporting.
+## scripts use this name in filtering policies that specify which
+## "weirds" are worth reporting.
 ##
 ## c: The corresponding connection.
 ##
@@ -1091,20 +1116,21 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 ## .. bro:see:: flow_weird net_weird
 ##
 ## .. note:: "Weird" activity is much more common in real-world network traffic
-## than one would intuitively expect. While in principle, any protocol violation
-## could be an attack attempt, it's much more likely that an endpoint's
-## implementation interprets an RFC quite liberally.
+## than one would intuitively expect. While in principle, any protocol
+## violation could be an attack attempt, it's much more likely that an
+## endpoint's implementation interprets an RFC quite liberally.
 event conn_weird%(name: string, c: connection, addl: string%);
 
 ## Generated for unexpected activity related to a pair of hosts, but independent
-## of a specific connection. When Bro's packet analysis encounters activity that
-## does not conform to a protocol's specification, it raises one of the ``*_weird``
-## event to report that. This event is raised if the activity is related to a
-## pair of hosts, yet not to a specific connection between them.
+## of a specific connection. When Bro's packet analysis encounters activity
+## that does not conform to a protocol's specification, it raises one of
+## the ``*_weird`` events to report that. This event is raised if the activity
+## is related to a pair of hosts, yet not to a specific connection between
+## them.
 ##
 ## name: A unique name for the specific type of "weird" situation. Bro's default
-## scripts use this name in filtering policies that specify which "weirds" are
-## worth reporting.
+## scripts use this name in filtering policies that specify which
+## "weirds" are worth reporting.
 ##
 ## src: The source address corresponding to the activity.
 ##
@@ -1113,47 +1139,47 @@ event conn_weird%(name: string, c: connection, addl: string%);
 ## .. bro:see:: conn_weird net_weird
 ##
 ## .. note:: "Weird" activity is much more common in real-world network traffic
-## than one would intuitively expect. While in principle, any protocol violation
-## could be an attack attempt, it's much more likely that an endpoint's
-## implementation interprets an RFC quite liberally.
+## than one would intuitively expect. While in principle, any protocol
+## violation could be an attack attempt, it's much more likely that an
+## endpoint's implementation interprets an RFC quite liberally.
 event flow_weird%(name: string, src: addr, dst: addr%);
 
 ## Generated for unexpected activity that is not tied to a specific connection
 ## or pair of hosts. When Bro's packet analysis encounters activity that
 ## does not conform to a protocol's specification, it raises one of the
-## ``*_weird`` event to report that. This event is raised if the activity is
+## ``*_weird`` events to report that. This event is raised if the activity is
 ## not tied directly to a specific connection or pair of hosts.
 ##
 ## name: A unique name for the specific type of "weird" situation. Bro's default
-## scripts use this name in filtering policies that specify which "weirds" are
-## worth reporting.
+## scripts use this name in filtering policies that specify which
+## "weirds" are worth reporting.
 ##
 ## .. bro:see:: flow_weird
 ##
 ## .. note:: "Weird" activity is much more common in real-world network traffic
-## than one would intuitively expect. While in principle, any protocol violation
-## could be an attack attempt, it's much more likely that an endpoint's
-## implementation interprets an RFC quite liberally.
+## than one would intuitively expect. While in principle, any protocol
+## violation could be an attack attempt, it's much more likely that an
+## endpoint's implementation interprets an RFC quite liberally.
 event net_weird%(name: string%);
 
 ## Generated regularly for the purpose of profiling Bro's processing. This event
 ## is raised for every :bro:id:`load_sample_freq` packet. For these packets,
-## Bro records script-level functions executed during their processing as well as
-## further internal locations. By sampling the processing in this form, one can
-## understand where Bro spends its time.
+## Bro records script-level functions executed during their processing as well
+## as further internal locations. By sampling the processing in this form, one
+## can understand where Bro spends its time.
 ##
-## samples: A set with functions and locations seens during the processing of
+## samples: A set with functions and locations seen during the processing of
 ## the sampled packet.
 ##
-## CPU: The CPU time spent on processing the sampled.
+## CPU: The CPU time spent on processing the sampled packet.
 ##
 ## dmem: The difference in memory usage caused by processing the sampled packet.
 event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
 
 ## Generated for ARP requests.
 ##
-## See `Wikipedia `__ for
-## more information about the ARP protocol.
+## See `Wikipedia `__
+## for more information about the ARP protocol.
 ##
 ## mac_src: The request's source MAC address.
 ##
@@ -1173,12 +1199,12 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 
 ## Generated for ARP replies.
 ##
-## See `Wikipedia `__ for
-## more information about the ARP protocol.
+## See `Wikipedia `__
+## for more information about the ARP protocol.
 ##
-## mac_src: The replies's source MAC address.
+## mac_src: The reply's source MAC address.
 ##
-## mac_dst: The replies's destination MAC address.
+## mac_dst: The reply's destination MAC address.
 ##
 ## SPA: The sender protocol address.
 ##
@@ -1192,9 +1218,9 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 TPA: addr, THA: string%);
 
-## Generated for ARP packets that Bro cannot interpret. Examples are packets with
-## non-standard hardware address formats or hardware addresses that not match the
-## originator of the packet.
+## Generated for ARP packets that Bro cannot interpret. Examples are packets
+## with non-standard hardware address formats or hardware addresses that do not
+## match the originator of the packet.
 ##
 ## SPA: The sender protocol address.
 ##
@@ -1216,8 +1242,8 @@ event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: stri
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
@@ -1229,8 +1255,8 @@ event bittorrent_peer_handshake%(c: connection, is_orig: bool,
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1241,8 +1267,8 @@ event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1253,8 +1279,8 @@ event bittorrent_peer_choke%(c: connection, is_orig: bool%);
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1265,8 +1291,8 @@ event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
@@ -1277,8 +1303,8 @@ event bittorrent_peer_interested%(c: connection, is_orig: bool%);
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1289,8 +1315,8 @@ event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
@@ -1301,8 +1327,8 @@ event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
 ## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
@@ -1313,8 +1339,8 @@ event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%)
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1326,8 +1352,8 @@ event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1339,8 +1365,8 @@ event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1352,8 +1378,8 @@ event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1364,8 +1390,8 @@ event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1377,8 +1403,8 @@ event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1389,8 +1415,8 @@ event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1402,8 +1428,8 @@ event bt_tracker_request%(c: connection, uri: string,
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1417,8 +1443,8 @@ event bt_tracker_response%(c: connection, status: count,
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1430,8 +1456,8 @@ event bt_tracker_response_not_ok%(c: connection, status: count,
 
 ## TODO.
 ##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
 ##
 ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
 ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1570,7 +1596,7 @@ event gnutella_http_notify%(c: connection%);
 
 ## Generated for Ident requests.
 ##
-## See `Wikipedia `__ for more
+## See `Wikipedia `__ for more
 ## information about the Ident protocol.
 ##
 ## c: The connection.
@@ -1589,7 +1615,7 @@ event ident_request%(c: connection, lport: port, rport: port%);
 
 ## Generated for Ident replies.
 ##
-## See `Wikipedia `__ for more
+## See `Wikipedia `__ for more
 ## information about the Ident protocol.
 ##
 ## c: The connection.
@@ -1612,7 +1638,7 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
 
 ## Generated for Ident error replies.
 ##
-## See `Wikipedia `__ for more
+## See `Wikipedia `__ for more
 ## information about the Ident protocol.
 ##
 ## c: The connection.
@@ -1646,7 +1672,7 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%);
 ##
 ## password: The password tried.
 ##
-## line: line is the line of text that led the analyzer to conclude that the
+## line: The line of text that led the analyzer to conclude that the
 ## authentication had failed.
 ##
 ## .. bro:see:: login_confused login_confused_text login_display login_input_line
@@ -1655,14 +1681,9 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%);
 ## login_timeouts set_login_state
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
-## need to configured with patterns identifying login attempts. This configuration
-## has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
-## therefore not directly usable at the moment.
-##
-## .. todo: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## need to be configured with patterns identifying login attempts. This
+## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+## the analyzer is therefore not directly usable at the moment.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -1685,7 +1706,7 @@ event login_failure%(c: connection, user: string, client_user: string, password:
 ##
 ## password: The password used.
 ##
-## line: line is the line of text that led the analyzer to conclude that the
+## line: The line of text that led the analyzer to conclude that the
 ## authentication had succeeded.
 ##
 ## .. bro:see:: login_confused login_confused_text login_display login_failure
@@ -1694,9 +1715,9 @@ event login_failure%(c: connection, user: string, client_user: string, password:
 ## login_prompts login_success_msgs login_timeouts set_login_state
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
-## need to configured with patterns identifying login attempts. This configuration
-## has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
-## therefore not directly usable at the moment.
+## need to be configured with patterns identifying login attempts. This
+## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+## the analyzer is therefore not directly usable at the moment.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -1736,17 +1757,17 @@ event login_input_line%(c: connection, line: string%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_output_line%(c: connection, line: string%);
 
-## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's *login*
-## analyzer uses a number of heuristics to extract authentication information, it
-## may become confused. If it can no longer correctly track the authentication
-## dialog, it raised this event.
+## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
+## *login* analyzer uses a number of heuristics to extract authentication
+## information, it may become confused. If it can no longer correctly track
+## the authentication dialog, it raises this event.
 ##
 ## c: The connection.
 ##
 ## msg: Gives the particular problem the heuristics detected (for example,
-## ``multiple_login_prompts`` means that the engine saw several login prompts in
-## a row, without the type-ahead from the client side presumed necessary to cause
-## them)
+## ``multiple_login_prompts`` means that the engine saw several login
+## prompts in a row, without the type-ahead from the client side presumed
+## necessary to cause them)
 ##
 ## line: The line of text that caused the heuristics to conclude they were
 ## confused.
@@ -1762,9 +1783,10 @@ event login_output_line%(c: connection, line: string%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_confused%(c: connection, msg: string, line: string%);
 
-## Generated after getting confused while tracking a Telnet/Rlogin authentication
-## dialog. The *login* analyzer generates this even for every line of user input
-## after it has reported :bro:id:`login_confused` for a connection.
+## Generated after getting confused while tracking a Telnet/Rlogin
+## authentication dialog. The *login* analyzer generates this even for every
+## line of user input after it has reported :bro:id:`login_confused` for a
+## connection.
 ##
 ## c: The connection.
 ##
@@ -1781,7 +1803,7 @@ event login_confused%(c: connection, msg: string, line: string%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_confused_text%(c: connection, line: string%);
 
-## Generated for clients transmitting a terminal type in an Telnet session. This
+## Generated for clients transmitting a terminal type in a Telnet session. This
 ## information is extracted out of environment variables sent as Telnet options.
 ##
 ## c: The connection.
@@ -1797,12 +1819,12 @@ event login_confused_text%(c: connection, line: string%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_terminal%(c: connection, terminal: string%);
 
-## Generated for clients transmitting a X11 DISPLAY in a Telnet session. This
+## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
 ## information is extracted out of environment variables sent as Telnet options.
 ##
 ## c: The connection.
 ##
-## terminal: The DISPLAY transmitted.
+## display: The DISPLAY transmitted.
 ##
 ## .. bro:see:: login_confused login_confused_text login_failure login_input_line
 ## login_output_line login_prompt login_success login_terminal
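Review bot: The rewrapped description of login_confused_text carries a typo onto the new side: `## authentication dialog. The *login* analyzer generates this even for every` should read `## authentication dialog. The *login* analyzer generates this event for every`. The commit message says it fixes errors in the event documentation, so this one is worth catching in the same pass rather than leaving for a follow-up. The two Telnet hunks sharing this line (terminal type and X11 DISPLAY, including the `terminal:` to `display:` parameter-name fix) look correct as rewritten.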
@@ -1813,10 +1835,10 @@ event login_terminal%(c: connection, terminal: string%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event login_display%(c: connection, display: string%);
 
-## Generated when a Telnet authentication has been successful. The Telnet protocol
-## includes options for negotiating authentication. When such an option is sent
-## from client to server and the server replies that it accepts the authentication,
-## then the event engine generates this event.
+## Generated when a Telnet authentication has been successful. The Telnet
+## protocol includes options for negotiating authentication. When such an
+## option is sent from client to server and the server replies that it accepts
+## the authentication, then the event engine generates this event.
 ##
 ## See `Wikipedia `__ for more information
 ## about the Telnet protocol.
@@ -1827,8 +1849,9 @@ event login_display%(c: connection, display: string%);
 ##
 ## .. bro:see:: authentication_rejected authentication_skipped login_success
 ##
-## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_success`
-## heuristically determines success by watching session data.
+## .. note:: This event inspects the corresponding Telnet option
+## while :bro:id:`login_success` heuristically determines success by watching
+## session data.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -1838,8 +1861,8 @@ event authentication_accepted%(name: string, c: connection%);
 
 ## Generated when a Telnet authentication has been unsuccessful. The Telnet
 ## protocol includes options for negotiating authentication. When such an option
-## is sent from client to server and the server replies that it did not accept the
-## authentication, then the event engine generates this event.
+## is sent from client to server and the server replies that it did not accept
+## the authentication, then the event engine generates this event.
 ##
 ## See `Wikipedia `__ for more information
 ## about the Telnet protocol.
@@ -1850,9 +1873,9 @@ event authentication_accepted%(name: string, c: connection%);
 ##
 ## .. bro:see:: authentication_accepted authentication_skipped login_failure
 ##
-## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_success`
-## heuristically determines failure by watching session
-## data.
+## .. note:: This event inspects the corresponding Telnet option
+## while :bro:id:`login_success` heuristically determines failure by watching
+## session data.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -1860,7 +1883,7 @@ event authentication_accepted%(name: string, c: connection%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event authentication_rejected%(name: string, c: connection%);
 
-## Generated when for Telnet/Rlogin sessions when a pattern match indicates
+## Generated for Telnet/Rlogin sessions when a pattern match indicates
 ## that no authentication is performed.
 ##
 ## See `Wikipedia `__ for more information
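Review bot: The note rewrapped in the second hunk on this line (authentication_rejected) still says that login_success "heuristically determines failure by watching session data", which contradicts itself and the `.. bro:see::` line two lines above it that cross-references login_failure for this event. The parallel note on authentication_accepted, visible in the previous hunk, pairs that event with login_success, so this one presumably should pair with login_failure: ``## while :bro:id:`login_failure` heuristically determines failure by watching``. Since the commit's purpose is fixing documentation errors, this mismatch between an event that reports a failed Telnet authentication and the heuristic success event is worth correcting in the same change. The first hunk (rewrapped description) and the third (the "when for" fix) are fine.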
@@ -1873,9 +1896,9 @@ event authentication_rejected%(name: string, c: connection%); ## login_success_msgs login_timeouts set_login_state ## ## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying actvity. This configuration has -## not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore -## not directly usable at the moment. +## need to be configured with patterns identifying activity. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -1883,15 +1906,16 @@ event authentication_rejected%(name: string, c: connection%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event authentication_skipped%(c: connection%); -## Generated for clients transmitting a terminal prompt in a Telnet session. This -## information is extracted out of environment variables sent as Telnet options. +## Generated for clients transmitting a terminal prompt in a Telnet session. +## This information is extracted out of environment variables sent as Telnet +## options. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## c: The connection. ## -## terminal: The TTYPROMPT transmitted. +## prompt: The TTYPROMPT transmitted. ## ## .. bro:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_success login_terminal 
@@ -1902,9 +1926,9 @@ event authentication_skipped%(c: connection%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_prompt%(c: connection, prompt: string%); -## Generated for Telnet sessions when encryption is activated. The Telnet protoco; -## includes options for negotiating encryption. When such a series of options is -## successfully negotiated, the event engine generates this event. +## Generated for Telnet sessions when encryption is activated. The Telnet +## protocol includes options for negotiating encryption. When such a series of +## options is successfully negotiated, the event engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. 
@@ -1916,13 +1940,13 @@ event login_prompt%(c: connection, prompt: string%); ## login_output_line login_prompt login_success login_terminal event activating_encryption%(c: connection%); -## Generated for inconsistent Telnet options observed. Telnet options are specified -## by the client and server stating which options they are willing to support -## vs. which they are not, and then instructing one another which in fact they -## should or should not use for the current connection. If the event engine sees -## a peer violate either what the other peer has instructed it to do, or what it -## itself offered in terms of options in the past, then the engine generates an -## inconsistent_option event. +## Generated for an inconsistent Telnet option. Telnet options are specified +## by the client and server stating which options they are willing to +## support vs. which they are not, and then instructing one another which in +## fact they should or should not use for the current connection. If the event +## engine sees a peer violate either what the other peer has instructed it to +## do, or what it itself offered in terms of options in the past, then the +## engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. @@ -1958,6 +1982,8 @@ event bad_option%(c: connection%); ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## +## c: The connection. +## ## .. bro:see:: inconsistent_option bad_option authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line 
@@ -1971,15 +1997,15 @@ event bad_option_termination%(c: connection%); ## Generated for client side commands on an RSH connection. ## -## See `RFC 1258 `__ for more information about -## the Rlogin/Rsh protocol. +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. ## ## c: The connection. ## ## client_user: The client-side user name as sent in the initial protocol ## handshake. ## -## client_user: The server-side user name as sent in the initial protocol +## server_user: The server-side user name as sent in the initial protocol ## handshake. ## ## line: The command line sent in the request. @@ -1990,8 +2016,8 @@ event bad_option_termination%(c: connection%); ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## -## .. note: For historical reasons, these events are separate from the ``login_`` -## events. Ideally, they would all be handled uniquely. +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -2001,27 +2027,25 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line ## Generated for client side commands on an RSH connection. ## -## See `RFC 1258 `__ for more information about -## the Rlogin/Rsh protocol. +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. ## ## c: The connection. ## ## client_user: The client-side user name as sent in the initial protocol ## handshake. ## -## client_user: The server-side user name as sent in the initial protocol +## server_user: The server-side user name as sent in the initial protocol ## handshake. ## ## line: The command line sent in the request. ## -## new_session: True if this is the first command of the Rsh session. -## ## .. bro:see:: rsh_request login_confused login_confused_text login_display ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## -## .. note: For historical reasons, these events are separate from the ``login_`` -## events. Ideally, they would all be handled uniquely. +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -2031,8 +2055,8 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## Generated for client-side FTP commands. ## -## See `Wikipedia `__ for more -## information about the FTP protocol. +## See `Wikipedia `__ for +## more information about the FTP protocol. ## ## c: The connection. ## @@ -2046,8 +2070,8 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; ## Generated for server-side FTP replies. ## -## See `Wikipedia `__ for more -## information about the FTP protocol. +## See `Wikipedia `__ for +## more information about the FTP protocol. ## ## c: The connection. ## 
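Review bot: The context line `## Generated for client side commands on an RSH connection.` at the top of the first hunk on this line documents `rsh_reply` (the next hunk header places this block directly before that declaration), yet it repeats the summary of `rsh_request` word for word; the commit fixes the `server_user` parameter name in this block but leaves the summary. If the event is raised for the server's reply, as its name suggests, the line should read something like `## Generated for server side replies on an RSH connection.` — confirm against the Rsh analyzer before changing it. The `rsh_reply` declaration itself is outside this hunk.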
@@ -2055,9 +2079,10 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; ## ## msg: The textual message of the response. ## -## cont_resp: True if the reply line is tagged as being continued to the next line. -## If so, further events will be raised and a handler may want to reassemle the -## pieces before processing the response any further. +## cont_resp: True if the reply line is tagged as being continued to the next +## line. If so, further events will be raised and a handler may want +## to reassemble the pieces before processing the response any +## further. ## ## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port @@ -2071,10 +2096,11 @@ event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &gro ## c: The connection. ## ## is_orig: True if the sender of the command is the originator of the TCP -## connection. Note that this is not redundant: the SMTP ``TURN`` command allows -## client and server to flip roles on established SMTP sessions, and hence a -## "request" might still come from the TCP-level responder. In practice, however, -## that will rarely happen as TURN is considered insecure and rarely used. +## connection. Note that this is not redundant: the SMTP ``TURN`` command +## allows client and server to flip roles on established SMTP sessions, +## and hence a "request" might still come from the TCP-level responder. +## In practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. ## ## command: The request's command, without any arguments. ## 
@@ -2098,16 +2124,18 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) ## connection. Note that this is not redundant: the SMTP ``TURN`` command ## allows client and server to flip roles on established SMTP sessions, ## and hence a "reply" might still come from the TCP-level originator. In -## practice, however, that will rarely happen as TURN is considered insecure -## and rarely used. +## practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. ## ## code: The reply's numerical code. ## +## cmd: TODO. +## ## msg: The reply's textual description. ## -## cont_resp: True if the reply line is tagged as being continued to the next line. -## If so, further events will be raised and a handler may want to reassemle the -## pieces before processing the response any further. +## cont_resp: True if the reply line is tagged as being continued to the next +## line. If so, further events will be raised and a handler may want to +## reassemble the pieces before processing the response any further. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data @@ -2118,7 +2146,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## Generated for DATA transmitted on SMTP sessions. This event is raised for ## subsequent chunks of raw data following the ``DATA`` SMTP command until the -## corresponding end marker ``.`` is seen. A handler may want to reassembly +## corresponding end marker ``.`` is seen. A handler may want to reassemble ## the pieces as they come in if stream-analysis is required. ## ## See `Wikipedia `__ 
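Review bot: The added `## cmd: TODO.` line in the `smtp_reply` block commits a placeholder into documentation that is generated from this file and will be rendered verbatim. The declaration in the following hunk header shows `cmd: string` between `code` and `msg`, so the parameter presumably names the command the reply answers; `## cmd: The command this reply corresponds to.` would be a reasonable description, but its meaning should be confirmed against the SMTP analyzer before replacing the placeholder. The declaration line is outside this hunk.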
@@ -2136,23 +2164,23 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_reply smtp_request skip_smtp_data ## -## .. note:: This event received the unprocessed raw data. There is a separate -## set ``mime_*`` events that strip out the outer MIME-layer of emails and provide -## structured access to their content. +## .. note:: This event receives the unprocessed raw data. There is a separate +## set of ``mime_*`` events that strip out the outer MIME-layer of emails and +## provide structured access to their content. event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; -## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the -## state of SMTP sessions and reports commands and other activity with this event -## that it sees even though it would not expect so at the current point of the -## communication. +## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks +## the state of SMTP sessions and reports commands and other activity with this +## event that it sees even though it would not expect so at the current point +## of the communication. ## ## See `Wikipedia `__ ## for more information about the SMTP protocol. ## ## c: The connection. ## -## is_orig: True if the sender of the unexpected activity is the originator of the -## TCP connection. +## is_orig: True if the sender of the unexpected activity is the originator of +## the TCP connection. ## ## msg: A descriptive message of what was unexpected. ## 
@@ -2161,14 +2189,14 @@ event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; ## .. bro:see:: smtp_data smtp_request smtp_reply event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp"; -## Generated when starting to parse a email MIME entity. MIME is a +## Generated when starting to parse an email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. Bro raises this event when it begin -## parsing a MIME entity extracted from an email protocol. +## corresponding metadata, for transmission. Bro raises this event when it +## begins parsing a MIME entity extracted from an email protocol. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2176,18 +2204,18 @@ event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data ## http_begin_entity ## -## .. note:: Bro also extracts MIME entities from HTTP session. For those, however, -## it raises :bro:id:`http_begin_entity` instead. +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_begin_entity` instead. event mime_begin_entity%(c: connection%); -## Generated when finishing parsing an email MIME entity. MIME is a +## Generated when finishing parsing an email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. Bro raises this event when it +## corresponding metadata, for transmission. Bro raises this event when it ## finished parsing a MIME entity extracted from an email protocol. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2195,17 +2223,17 @@ event mime_begin_entity%(c: connection%); ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data ## http_end_entity ## -## .. note:: Bro also extracts MIME entities from HTTP session. For those, however, -## it raises :bro:id:`http_end_entity` instead. +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_end_entity` instead. event mime_end_entity%(c: connection%); ## Generated for individual MIME headers extracted from email MIME ## entities. MIME is a protocol-independent data format for encoding text and -## files, along with corresponding meta-data, for transmission. +## files, along with corresponding metadata, for transmission. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2215,44 +2243,45 @@ event mime_end_entity%(c: connection%); ## mime_end_entity mime_entity_data mime_event mime_segment_data ## http_header http_all_headers ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_header` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. event mime_one_header%(c: connection, h: mime_header_rec%); ## Generated for MIME headers extracted from email MIME entities, passing all -## headers at once. MIME is a protocol-independent data format for encoding text -## and files, along with corresponding meta-data, for transmission. +## headers at once. MIME is a protocol-independent data format for encoding +## text and files, along with corresponding metadata, for transmission. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## ## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, 2 for the -## second, etc.). +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). ## ## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity ## mime_entity_data mime_event mime_one_header mime_segment_data ## http_header http_all_headers ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_header` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. 
event mime_all_headers%(c: connection, hlist: mime_header_list%); -## Generated for chunks of decoded MIME data from email MIME entities. MIME +## Generated for chunks of decoded MIME data from email MIME entities. MIME ## is a protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. As Bro parses the data of an entity, -## it raises a sequence of these events, each coming as soon as a new chunk of -## data is available. In contrast, there is also :bro:id:`mime_entity_data`, which -## passes all of an entities data at once in a single block. While the latter is -## more convinient to handle, ``mime_segment_data`` is more efficient as Bro does -## not need to buffer the data. Thus, if possible, this event should be prefered. +## corresponding metadata, for transmission. As Bro parses the data of an +## entity, it raises a sequence of these events, each coming as soon as a new +## chunk of data is available. In contrast, there is also +## :bro:id:`mime_entity_data`, which passes all of an entities data at once +## in a single block. While the latter is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer +## the data. Thus, if possible, this event should be preferred. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2264,20 +2293,20 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%); ## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data ## mime_segment_length mime_segment_overlap_length ## -## .. note:: Bro also extracts MIME data from HTTP sessions. For those, however, it -## raises :bro:id:`http_entity_data` (sic!) instead. +## .. note:: Bro also extracts MIME data from HTTP sessions. For those, +## however, it raises :bro:id:`http_entity_data` (sic!) instead. event mime_segment_data%(c: connection, length: count, data: string%); ## Generated for data decoded from an email MIME entity. This event delivers ## the complete content of a single MIME entity. In contrast, there is also ## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as -## they. come in. While ``mime_entity_data`` is more convinient to handle, -## ``mime_segment_data`` is more efficient as Bro does not need to buffer the data. -## Thus, if possible, the latter should be prefered. +## they come in. While ``mime_entity_data`` is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer the +## data. Thus, if possible, the latter should be preferred. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2292,15 +2321,15 @@ event mime_segment_data%(c: connection, length: count, data: string%); ## sessions, there's no corresponding event for that currently. event mime_entity_data%(c: connection, length: count, data: string%); -## Generated for passing on all data decoded from an single email MIME +## Generated for passing on all data decoded from a single email MIME ## message. If an email message has more than one MIME entity, this event ## combines all their data into a single value for analysis. Note that because ## of the potentially significant buffering necessary, using this event can be ## expensive. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2315,35 +2344,37 @@ event mime_entity_data%(c: connection, length: count, data: string%); ## sessions, there's no corresponding event for that currently. event mime_all_data%(c: connection, length: count, data: string%); -## Generated for errors found when decoding email MIME entities. +## Generated for errors found when decoding email MIME entities. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## -## event_type: A string describing the general category of the problem found (e.g., -## ``illegal format``). +## c: The connection. +## +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). ## ## detail: Further more detailed description of the error. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_event` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_event` instead. event mime_event%(c: connection, event_type: string, detail: string%); -## Generated for decoded MIME entities extracted from email meessage, passing on +## Generated for decoded MIME entities extracted from email messages, passing on ## their MD5 checksums. Bro computes the MD5 over the complete decoded data of ## each MIME entity. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. 
## ## c: The connection. ## -## content_len: The length of entity being hashed. +## content_len: The length of the entity being hashed. ## ## hash_value: The MD5 hash. ## @@ -2355,15 +2386,15 @@ event mime_event%(c: connection, event_type: string, detail: string%); event mime_content_hash%(c: connection, content_len: count, hash_value: string%); ## Generated for RPC request/reply *pairs*. The RPC analyzer associates request -## and reply by their transactions identifiers and raise this event once both -## have been seen. If there's not reply, the will still be generated eventually -## on timeout. In that case, *status* will be set to :bro:enum:`RPC_TIMEOUT`. +## and reply by their transaction identifiers and raises this event once both +## have been seen. If there's not a reply, this event will still be generated +## eventually on timeout. In that case, *status* will be set to +## :bro:enum:`RPC_TIMEOUT`. ## ## See `Wikipedia `__ for more information ## about the ONC RPC protocol. -## c: The connection. ## -## xid: The transaction identifier allowing to match requests with replies. +## c: The connection. ## ## prog: The remote program to call. ## @@ -2374,7 +2405,7 @@ event mime_content_hash%(c: connection, content_len: count, hash_value: string%) ## status: The status of the reply, which should be one of the index values of ## :bro:id:`RPC_status`. ## -## start_time: Then time when the *call* was seen. +## start_time: The time when the *call* was seen. ## ## call_len: The size of the *call_body* PDU. ## @@ -2441,7 +2472,8 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## Generated for Portmapper requests of type *null*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## 
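Review bot: The first hunk on this line deletes `## xid: The transaction identifier allowing to match requests with replies.` from the RPC request/reply *pairs* event while only reordering the neighbouring `c:` entry, and that event's declaration is not visible in this diff. If the event still carries an `xid` parameter, the description should be kept after the `c:` entry rather than removed; if the parameter no longer exists in the declaration, the deletion is correct and nothing further is needed.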
@@ -2459,14 +2491,16 @@ event pm_request_null%(r: connection%); ## Generated for Portmapper request/reply dialogues of type *set*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## ## m: The argument to the request. ## ## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request times out. +## reply. If no reply was seen, this will be false once the request +## times out. ## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit @@ -2482,14 +2516,16 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *unset*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## ## m: The argument to the request. ## ## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request times out. +## reply. If no reply was seen, this will be false once the request +## times out. ## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit @@ -2505,7 +2541,8 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *getport*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## 
@@ -2513,9 +2550,6 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## ## p: The port returned by the server. ## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request times out. -## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit ## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call @@ -2530,7 +2564,8 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## Generated for Portmapper request/reply dialogues of type *dump*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## @@ -2555,7 +2590,7 @@ event pm_request_dump%(r: connection, m: pm_mappings%); ## ## r: The RPC connection. ## -## m: The argument to the request. +## call: The argument to the request. ## ## p: The port value returned by the call. ## @@ -2711,9 +2746,9 @@ event pm_attempt_dump%(r: connection, status: rpc_status%); event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); ## Generated for Portmapper requests or replies that include an invalid port -## number. Since ports are represented by unsigned 4-byte integers, they can stray -## outside the allowed range of 0--65535 by being >= 65536. If so, this event is -## generated. +## number. Since ports are represented by unsigned 4-byte integers, they can +## stray outside the allowed range of 0--65535 by being >= 65536. If so, this +## event is generated. ## ## Portmapper is a service running on top of RPC. See `Wikipedia ## `__ for more information about the 
@@ -2735,8 +2770,8 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ event pm_bad_port%(r: connection, bad_p: count%); ## Generated for NFSv3 request/reply dialogues of type *null*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2758,8 +2793,8 @@ event pm_bad_port%(r: connection, bad_p: count%); event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2769,8 +2804,10 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## ## info: Reports the status of the dialogue, along with some meta information. ## -## attr: The attributes returned in the reply. The values may not be valid if the -## request was unsuccessful. +## fh: TODO. +## +## attrs: The attributes returned in the reply. The values may not be valid if +## the request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir 
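Review bot: The added `## fh: TODO.` in the `nfs_proc_getattr` block is a placeholder that the generated documentation will render as is. The parameter is declared `fh: string` in the following hunk header, and the lines this commit removes for the write/create/mkdir/remove events describe the same parameter as `## fh: The file handle passed in the request.`; reusing that wording here keeps the file consistent, assuming getattr's `fh` is likewise the request's file handle. The declaration is outside the hunk.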
@@ -2784,8 +2821,8 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2812,8 +2849,8 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *read*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2840,8 +2877,8 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more 
@@ -2868,8 +2905,8 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
 event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *write*. The event is
-## generated once we have either seen both the request and its corresponding reply,
-## or an unanswered request has timed out.
+## generated once we have either seen both the request and its corresponding
+## reply, or an unanswered request has timed out.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
 ## `__ for more
@@ -2879,7 +2916,7 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## fh: The file handle passed in the request.
+## req: TODO.
 ##
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
@@ -2897,8 +2934,8 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
 event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *create*. The event is
-## generated once we have either seen both the request and its corresponding reply,
-## or an unanswered request has timed out.
+## generated once we have either seen both the request and its corresponding
+## reply, or an unanswered request has timed out.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
 ## `__ for more
@@ -2908,7 +2945,7 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## fh: The file handle passed in the request.
+## req: TODO.
 ##
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
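Review bot: The second and fourth hunks on this line swap the stale `fh:` description for `req: TODO.` instead of documenting the parameter, so the rendered docs for *write* and *create* will show a TODO to users. The signatures are visible in the hunk headers, `nfs_proc_write%(..., req: NFS3::writeargs_t, rep: ...)` and `nfs_proc_create%(..., req: NFS3::diropargs_t, rep: ...)`, and the existing *rep* entry gives the style, so a one-liner suffices: `## req: The arguments passed in the request.` The event declarations these blocks document lie outside the hunks.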
@@ -2925,8 +2962,8 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
 event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is
-## generated once we have either seen both the request and its corresponding reply,
-## or an unanswered request has timed out.
+## generated once we have either seen both the request and its corresponding
+## reply, or an unanswered request has timed out.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
 ## `__ for more
@@ -2936,7 +2973,7 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## fh: The file handle passed in the request.
+## req: TODO.
 ##
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
@@ -2953,8 +2990,8 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *remove*. The event is
-## generated once we have either seen both the request and its corresponding reply,
-## or an unanswered request has timed out.
+## generated once we have either seen both the request and its corresponding
+## reply, or an unanswered request has timed out.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
 ## `__ for more
@@ -2964,7 +3001,7 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## fh: The file handle passed in the request.
+## req: TODO.
 ##
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
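Review bot: The `+## req: TODO.` lines in the second and fourth hunks (the *mkdir* and *remove* parameter lists) leave a placeholder in user-facing documentation where the fix is already determinable: both events take `req: NFS3::diropargs_t` per the hunk headers, so `## req: The arguments passed in the request.` (or `## req: The directory operation arguments passed in the request.`) documents it in the same register as the *rep* entry. The old text `fh: The file handle passed in the request.` was wrong only because the parameter was renamed, so the replacement need not wait for a later pass. The `event nfs_proc_mkdir` / `event nfs_proc_remove` declarations are outside the second and fourth hunks.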
@@ -2981,8 +3018,8 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is
-## generated once we have either seen both the request and its corresponding reply,
-## or an unanswered request has timed out.
+## generated once we have either seen both the request and its corresponding
+## reply, or an unanswered request has timed out.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
 ## `__ for more
@@ -2992,7 +3029,7 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## fh: The file handle passed in the request.
+## req: TODO.
 ##
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
@@ -3009,8 +3046,8 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
-## generated once we have either seen both the request and its corresponding reply,
-## or an unanswered request has timed out.
+## generated once we have either seen both the request and its corresponding
+## reply, or an unanswered request has timed out.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
 ## `__ for more
@@ -3020,7 +3057,7 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## fh: The file handle passed in the request.
+## req: TODO.
 ##
 ## rep: The response returned in the reply. The values may not be valid if the
 ## request was unsuccessful.
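Review bot: The `+## req: TODO.` placeholders in the second and fourth hunks (*rmdir* and *readdir*) are the same unfinished edit as for the other NFS procedures, and here the two parameters even differ in type (`req: NFS3::diropargs_t` for rmdir, `req: NFS3::readdirargs_t` for readdir, per the hunk headers), which the docs ought to reflect rather than hide behind TODO. `## req: The arguments passed in the request.` is the minimal accurate entry for both. The event declarations are outside the two hunks that carry the placeholder.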
@@ -3036,8 +3073,8 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
 
-## Generated for NFS3 request/reply dialogues of a type that Bro's NFS3 analyzer
-## does not implement.
+## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
+## analyzer does not implement.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
 ## `__ for more
@@ -3059,9 +3096,11 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
 
-## Generated for each NFS3 reply message received, reporting just the
+## Generated for each NFSv3 reply message received, reporting just the
 ## status included.
 ##
+## n: The connection.
+##
 ## info: Reports the status included in the reply.
 ##
 ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
@@ -3075,11 +3114,11 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 
-## Generated for all NTP messages. Different from many other of Bro's events, this
-## one is generated for both client-side and server-side messages.
+## Generated for all NTP messages. Different from many other of Bro's events,
+## this one is generated for both client-side and server-side messages.
 ##
-## See `Wikipedia `__ for more
-## information about the NTP protocol.
+## See `Wikipedia `__ for
+## more information about the NTP protocol.
 ##
 ## u: The connection record describing the corresponding UDP flow.
 ##
@@ -3096,21 +3135,21 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 
-## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer processes
-## the NetBIOS session service running on TCP port 139, and (despite its name!) the
-## NetBIOS datagram service on UDP port 138.
+## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
+## processes the NetBIOS session service running on TCP port 139, and (despite
+## its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia `__ for more information
 ## about NetBIOS. `RFC 1002 `__ describes
 ## the packet format for NetBIOS over TCP/IP, which Bro parses.
 ##
-## c: The connection, which may be a TCP or UDP, depending on the type of the
+## c: The connection, which may be TCP or UDP, depending on the type of the
 ## NetBIOS session.
 ##
 ## is_orig: True if the message was sent by the originator of the connection.
 ##
-## msg_type: The general type of message, as defined in Section 4.3.1 of `RFC 1002
-## `__.
+## msg_type: The general type of message, as defined in Section 4.3.1 of
+## `RFC 1002 `__.
 ##
 ## data_len: The length of the message's payload.
 ##
@@ -3119,8 +3158,8 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's SMB
-## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -3128,15 +3167,15 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
 
-## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS analyzer
-## processes the NetBIOS session service running on TCP port 139, and (despite its
-## name!) the NetBIOS datagram service on UDP port 138.
+## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
+## analyzer processes the NetBIOS session service running on TCP port 139, and
+## (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia `__ for more information
 ## about NetBIOS. `RFC 1002 `__ describes
 ## the packet format for NetBIOS over TCP/IP, which Bro parses.
 ##
-## c: The connection, which may be a TCP or UDP, depending on the type of the
+## c: The connection, which may be TCP or UDP, depending on the type of the
 ## NetBIOS session.
 ##
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
@@ -3147,8 +3186,8 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's SMB
-## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -3157,14 +3196,14 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
 event netbios_session_request%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *positive session response*. Bro's
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
-## and (despite its name!) the NetBIOS datagram service on UDP port 138.
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia `__ for more information
 ## about NetBIOS. `RFC 1002 `__ describes
 ## the packet format for NetBIOS over TCP/IP, which Bro parses.
 ##
-## c: The connection, which may be a TCP or UDP, depending on the type of the
+## c: The connection, which may be TCP or UDP, depending on the type of the
 ## NetBIOS session.
 ##
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
@@ -3175,8 +3214,8 @@ event netbios_session_request%(c: connection, msg: string%);
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's SMB
-## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -3185,14 +3224,14 @@ event netbios_session_request%(c: connection, msg: string%);
 event netbios_session_accepted%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *negative session response*. Bro's
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
-## and (despite its name!) the NetBIOS datagram service on UDP port 138.
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia `__ for more information
 ## about NetBIOS. `RFC 1002 `__ describes
 ## the packet format for NetBIOS over TCP/IP, which Bro parses.
 ##
-## c: The connection, which may be a TCP or UDP, depending on the type of the
+## c: The connection, which may be TCP or UDP, depending on the type of the
 ## NetBIOS session.
 ##
 ## msg: The raw payload of the message sent, excluding the common NetBIOS
@@ -3203,8 +3242,8 @@ event netbios_session_accepted%(c: connection, msg: string%);
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's SMB
-## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -3212,17 +3251,17 @@ event netbios_session_accepted%(c: connection, msg: string%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event netbios_session_rejected%(c: connection, msg: string%);
 
-## Generated for NetBIOS message of type *session message* that are not carrying
-## SMB payload.
+## Generated for NetBIOS messages of type *session message* that are not
+## carrying an SMB payload.
 ##
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
-## and (despite its name!) the NetBIOS datagram service on UDP port 138.
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia `__ for more information
 ## about NetBIOS. `RFC 1002 `__ describes
 ## the packet format for NetBIOS over TCP/IP, which Bro parses.
 ##
-## c: The connection, which may be a TCP or UDP, depending on the type of the
+## c: The connection, which may be TCP or UDP, depending on the type of the
 ## NetBIOS session.
 ##
 ## is_orig: True if the message was sent by the originator of the connection.
@@ -3235,11 +3274,11 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's SMB
-## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: This is an oddly named event. In fact, it's probably an odd event to
-## have to begin with.
+## .. todo:: This is an oddly named event. In fact, it's probably an odd event
+## to have to begin with.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -3255,20 +3294,21 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 ## about NetBIOS. `RFC 1002 `__ describes
 ## the packet format for NetBIOS over TCP/IP, which Bro parses.
 ##
-## c: The connection, which may be a TCP or UDP, depending on the type of the
+## c: The connection, which may be TCP or UDP, depending on the type of the
 ## NetBIOS session.
 ##
-## msg: The raw payload of the message sent, excluding the common NetBIOS header.
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
 ##
 ## .. bro:see:: netbios_session_accepted netbios_session_keepalive
 ## netbios_session_message netbios_session_raw_message netbios_session_rejected
 ## netbios_session_request decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's SMB
-## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo: This is an oddly named event.
+## .. todo:: This is an oddly named event.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -3277,25 +3317,26 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
-## processes the NetBIOS session service running on TCP port 139, and (despite its
-## name!) the NetBIOS datagram service on UDP port 138.
+## processes the NetBIOS session service running on TCP port 139, and (despite
+## its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia `__ for more information
 ## about NetBIOS. `RFC 1002 `__ describes
 ## the packet format for NetBIOS over TCP/IP, which Bro parses.
 ##
-## c: The connection, which may be a TCP or UDP, depending on the type of the
+## c: The connection, which may be TCP or UDP, depending on the type of the
 ## NetBIOS session.
 ##
-## msg: The raw payload of the message sent, excluding the common NetBIOS header.
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
 ##
 ## .. bro:see:: netbios_session_accepted netbios_session_message
 ## netbios_session_raw_message netbios_session_rejected netbios_session_request
 ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's SMB
-## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -3305,9 +3346,9 @@ event netbios_session_keepalive%(c: connection, msg: string%);
 
 ## Generated for all SMB/CIFS messages.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3316,7 +3357,7 @@ event netbios_session_keepalive%(c: connection, msg: string%);
 ## is_orig: True if the message was sent by the originator of the underlying
 ## transport-level connection.
 ##
-## cmd: A string mmenonic of the SMB command code.
+## cmd: A string mnemonic of the SMB command code.
 ##
 ## body_length: The length of the SMB message body, i.e. the data starting after
 ## the SMB header.
@@ -3338,15 +3379,15 @@ event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body
 
 ## Generated for SMB/CIFS messages of type *tree connect andx*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
 ## hdr: The parsed header of the SMB message.
 ##
-## path: The ``path`` attribute specified in the message.
+## path: The ``path`` attribute specified in the message.
 ##
 ## service: The ``service`` attribute specified in the message.
 ##
@@ -3365,16 +3406,14 @@ event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, serv
 
 ## Generated for SMB/CIFS messages of type *tree disconnect*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
 ## hdr: The parsed header of the SMB message.
 ##
-## path: The ``path`` attribute specified in the message.
-##
 ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
 ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
 ## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
@@ -3390,15 +3429,15 @@ event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *nt create andx*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
 ## hdr: The parsed header of the SMB message.
 ##
-## name: The ``name`` attribute specified in the message.
+## name: The ``name`` attribute specified in the message.
 ##
 ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
 ## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
@@ -3415,9 +3454,9 @@ event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
 
 ## Generated for SMB/CIFS messages of type *nt transaction*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3444,9 +3483,9 @@ event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data:
 
 ## Generated for SMB/CIFS messages of type *nt transaction 2*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3473,9 +3512,9 @@ event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data:
 
 ## Generated for SMB/CIFS messages of type *transaction mailslot*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3502,9 +3541,9 @@ event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, dat
 
 ## Generated for SMB/CIFS messages of type *transaction rap*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3531,9 +3570,9 @@ event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: sm
 
 ## Generated for SMB/CIFS messages of type *transaction pipe*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3560,9 +3599,9 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s
 
 ## Generated for SMB/CIFS messages of type *read andx*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3570,8 +3609,6 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s
 ##
 ## data: Always empty.
 ##
-## is_orig: True if the message was sent by the originator of the connection.
-##
 ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
 ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
 ## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
@@ -3587,9 +3624,9 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
 
 ## Generated for SMB/CIFS messages of type *read andx*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3597,8 +3634,6 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
 ##
 ## data: Always empty.
 ##
-## is_orig: True if the message was sent by the originator of the connection.
-##
 ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
 ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
 ## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
@@ -3614,9 +3649,9 @@ event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
 
 ## Generated for SMB/CIFS messages of type *get dfs referral*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
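Review bot: The doc block rewrapped in the second hunk still opens with `## Generated for SMB/CIFS messages of type *read andx*.`, but it appears to describe `smb_com_write_andx`: the hunk that follows names that event as the enclosing declaration, and this block's `.. bro:see::` list in the third hunk includes `smb_com_read_andx`, which an event's own see-also would not. The first line should read `## Generated for SMB/CIFS messages of type *write andx*.`, otherwise the rendered reference shows two events both claiming to be *read andx*. The commit rightly drops the phantom `is_orig` entries, but both blocks keep `data: Always empty.`; if that is deliberate (the payload is not passed through), a short clause saying so would stop readers from filing it as a bug. The `event smb_com_write_andx` declaration lies between the hunks, outside what is shown.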
@@ -3642,9 +3677,9 @@ event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: cou
 
 ## Generated for SMB/CIFS messages of type *negotiate*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3664,9 +3699,9 @@ event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *negotiate response*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3688,9 +3723,9 @@ event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: co
 
 ## Generated for SMB/CIFS messages of type *setup andx*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3711,9 +3746,9 @@ event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *generic andx*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3734,9 +3769,9 @@ event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *close*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3757,9 +3792,9 @@ event smb_com_close%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *logoff andx*.
 ##
-## See `Wikipedia `__ for more
-## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
-## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
 ##
 ## c: The connection.
 ##
@@ -3778,8 +3813,8 @@ event smb_com_close%(c: connection, hdr: smb_hdr%);
 ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
 event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
 
-## Generated for SMB/CIFS messages that indicate an error. This event is triggered
-## by an SMB header including a status that signals an error.
+## Generated for SMB/CIFS messages that indicate an error. This event is
+## triggered by an SMB header including a status that signals an error.
 ##
 ## c: The connection.
 ##
@@ -3787,9 +3822,9 @@ event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
 ##
 ## cmd: The SMB command code.
 ##
-## cmd_str: A string mmenonic of the SMB command code.
+## cmd_str: A string mnemonic of the SMB command code.
 ##
-## body: The raw SMB message body, i.e., the data starting after the SMB header.
+## data: The raw SMB message body, i.e., the data starting after the SMB header.
 ##
 ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
 ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
@@ -3807,7 +3842,8 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data:
 ## Generated for all DNS messages.
 ##
 ## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
 ## transport-layer session being analyzed.
@@ -3816,7 +3852,7 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data:
 ##
 ## msg: The parsed DNS message header.
 ##
-## len: The length of the message's raw representation (i.e, the DNS payload).
+## len: The length of the message's raw representation (i.e., the DNS payload).
 ##
 ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
@@ -3831,7 +3867,8 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &gro ## is raised once for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3855,11 +3892,12 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl ## Generated for DNS replies that reject a query. This event is raised if a DNS ## reply either indicates failure via its status code or does not pass on any -## answers to a query. Note that all of the event's paramaters are parsed out of +## answers to a query. Note that all of the event's parameters are parsed out of ## the reply; there's no stateful correlation with the query. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3884,7 +3922,8 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc ## Generated for DNS replies with an *ok* status code but no question section. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -3907,7 +3946,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc event dns_query_reply%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; -## Generated when the DNS analyzer processes what seems to be a non-DNS packets. +## Generated when the DNS analyzer processes what seems to be a non-DNS packet. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3922,7 +3961,8 @@ event non_dns_request%(c: connection, msg: string%) &group="dns"; ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3942,11 +3982,12 @@ event non_dns_request%(c: connection, msg: string%) &group="dns"; ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; -## Generated for DNS replies of type *AAAA*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *AAAA*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -3970,7 +4011,8 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &g ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3994,7 +4036,8 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &gro ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4018,7 +4061,8 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4042,7 +4086,8 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4066,7 +4111,8 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4075,7 +4121,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## ## ans: The type-independent part of the parsed answer record. ## -## soa: The parsed SOA value +## soa: The parsed SOA value. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply @@ -4086,11 +4132,12 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns"; -## Generated for DNS replies of type *WKS*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *WKS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4108,11 +4155,12 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa% ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; -## Generated for DNS replies of type *HINFO*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *HINFO*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4121,8 +4169,6 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## ## ans: The type-independent part of the parsed answer record. ## -## name: The name returned by the reply. -## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered @@ -4136,7 +4182,8 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4147,7 +4194,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## ## name: The name returned by the reply. ## -## preference: The preference for *name* specificed by the reply. +## preference: The preference for *name* specified by the reply. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply @@ -4158,11 +4205,12 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns"; -## Generated for DNS replies of type *TXT*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *TXT*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4182,11 +4230,12 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns"; -## Generated for DNS replies of type *SRV*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *SRV*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4204,11 +4253,12 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; -## Generated for DNS replies of type *EDNS*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *EDNS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4226,11 +4276,12 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns"; -## Generated for DNS replies of type *TSIG*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *TSIG*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4253,7 +4304,8 @@ event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &gr ## all resource records have been passed on. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4272,12 +4324,12 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns"; ## Generated for DHCP messages of type *discover*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## req_addr: The specific address requested by the client. ## 
@@ -4289,9 +4341,9 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns"; ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4302,16 +4354,18 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); ## Generated for DHCP messages of type *offer*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## mask: The subnet mask specified by the mesage. +## msg: TODO. +## +## mask: The subnet mask specified by the message. ## ## router: The list of routers specified by the message. ## -## lease: The least interval specificed by the message. +## lease: The least interval specified by the message. ## ## serv_addr: The server address specified by the message. ## 
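Review bot: The new `## msg: TODO.` line in the dhcp_offer hunk leaves a placeholder in generated documentation, even though the same parameter is already described for the sibling DHCP events in this file; it should read `## msg: The parsed type-independent part of the DHCP message.`. The corrected line `## lease: The least interval specified by the message.` still carries the wrong word — the parameter is the lease time, so `## lease: The lease interval specified by the message.`. The `.. bro:see::` list for the DHCP events points only at `dns_*` events rather than the other `dhcp_*` events, which looks like a copy-paste left-over; I would confirm against the intended cross-references before changing it.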
@@ -4322,9 +4376,9 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4335,12 +4389,12 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## Generated for DHCP messages of type *request*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## req_addr: The client address specified by the message. ## 
@@ -4353,9 +4407,9 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4366,12 +4420,12 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add ## Generated for DHCP messages of type *decline*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -4380,9 +4434,9 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4393,18 +4447,18 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *acknowledgment*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## -## mask: The subnet mask specified by the mesage. +## mask: The subnet mask specified by the message. ## ## router: The list of routers specified by the message. ## -## lease: The least interval specificed by the message. +## lease: The least interval specified by the message. ## ## serv_addr: The server address specified by the message. ## 
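Review bot: In the dhcp_ack hunk the spelling fix keeps the wrong word in `## lease: The least interval specified by the message.`; the parameter is the lease duration handed out by the server, so the line should be `## lease: The lease interval specified by the message.`. The same phrase appears in the dhcp_offer documentation earlier in this file and should be corrected there as well so the two events stay consistent.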
@@ -4415,9 +4469,9 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4428,12 +4482,12 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li ## Generated for DHCP messages of type *negative acknowledgment*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -4442,9 +4496,9 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4455,12 +4509,12 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *release*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -4469,9 +4523,9 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4482,12 +4536,12 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *inform*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -4496,9 +4550,9 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4506,13 +4560,13 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event dhcp_inform%(c: connection, msg: dhcp_msg%); -## Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. This event -## is generated as soon as a request's initial line has been parsed, and before any -## :bro:id:`http_header` events are raised. +## Generated for HTTP requests. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a request's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## 
@@ -4529,13 +4583,13 @@ event dhcp_inform%(c: connection, msg: dhcp_msg%); ## truncate_http_URI event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; -## Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. This event -## is generated as soon as a reply's initial line has been parsed, and before any -## :bro:id:`http_header` events are raised. +## Generated for HTTP replies. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a reply's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## @@ -4550,11 +4604,12 @@ event http_request%(c: connection, method: string, original_URI: string, unescap ## http_stats event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; -## Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. +## Generated for HTTP headers. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## 
@@ -4568,41 +4623,44 @@ event http_reply%(c: connection, version: string, code: count, reason: string%) ## http_entity_data http_event http_message_done http_reply http_request ## http_stats ## -## .. note:: This event is also raised for headers found in nested body entities. +## .. note:: This event is also raised for headers found in nested body +## entities. event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; -## Generated for HTTP headers, passing on all headers of an HTTP message at once. -## Bro supports persistent and pipelined HTTP sessions and raises corresponding -## events as it parses client/server dialogues. +## Generated for HTTP headers, passing on all headers of an HTTP message at +## once. Bro supports persistent and pipelined HTTP sessions and raises +## corresponding events as it parses client/server dialogues. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## ## is_orig: True if the header was sent by the originator of the TCP connection. ## ## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, 2 for the -## second, etc.). +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). ## ## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats ## -## .. note:: This event is also raised for headers found in nested body entities. +## .. note:: This event is also raised for headers found in nested body +## entities. event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; -## Generated when starting to parse an HTTP body entity. 
This event is generated -## at least once for each non-empty (client or server) HTTP body; and potentially -## more than once if the body contains further nested MIME entities. Bro raises -## this event just before it starts parsing each entity's content. +## Generated when starting to parse an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. Bro raises this event just before it starts parsing each entity's +## content. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data 
@@ -4610,17 +4668,18 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) ## mime_begin_entity event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; -## Generated when finishing parsing an HTTP body entity. This event is generated -## at least once for each non-empty (client or server) HTTP body; and potentially -## more than once if the body contains further nested MIME entities. Bro raises -## this event at the point when it has finished parsing an entity's content. +## Generated when finishing parsing an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. Bro raises this event at the point when it has finished parsing an +## entity's content. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data 
@@ -4633,18 +4692,18 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; ## chunk of the data of not further defined size. ## ## A common idiom for using this event is to first *reassemble* the data -## at the scripting layer by concatening it to a successvily growing +## at the scripting layer by concatenating it to a successively growing ## string; and only perform further content analysis once the corresponding -## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so +## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so ## can be quite expensive for HTTP tranders. At the very least, one should ## impose an upper size limit on how much data is being buffered. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## length: The length of *data*. 
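Review bot: The http_entity_data hunk fixes `concatenating`/`successively` but leaves `## can be quite expensive for HTTP tranders.` on the very next context line; it should read `for HTTP transfers.` The advice that follows it — impose an upper size limit on how much body data is buffered — is the line handler authors most need, since the body being reassembled is peer-controlled and unbounded concatenation at the script layer grows with whatever the remote side sends. The first context line, `## chunk of the data of not further defined size.`, also reads awkwardly; `of unspecified size` would be clearer.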
@@ -4656,17 +4715,17 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; ## mime_entity_data http_entity_data_delivery_size skip_http_data event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; -## Generated for reporting an HTTP bodie's content type. This event is +## Generated for reporting an HTTP body's content type. This event is ## generated at the end of parsing an HTTP header, passing on the MIME ## type as specified by the ``Content-Type`` header. If that header is ## missing, this event is still raised with a default value of ``text/plain``. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## ty: The main type. @@ -4688,12 +4747,12 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string ## message have been processed (and their corresponding ``http_entity_*`` events ## generated). ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## stat: Further meta information about the message. 
@@ -4704,13 +4763,13 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) ## Generated for errors found when decoding HTTP requests or replies. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## event_type: A string describing the general category of the problem found (e.g., -## ``illegal format``). +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). ## ## detail: Further more detailed description of the error. ## @@ -4725,17 +4784,18 @@ event http_event%(c: connection, event_type: string, detail: string%); ## ## c: The connection. ## -## stats: Statistics summarizing HTTP-level properties of the finished connection. +## stats: Statistics summarizing HTTP-level properties of the finished +## connection. ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply ## http_request event http_stats%(c: connection, stats: http_stats_rec%); -## Generated when seeing an SSH client's version identification. The SSH protocol -## starts with a clear-test handshake message that reports client and server -## protocol/software versions. This event provides access to what the client -## sent. +## Generated when seeing an SSH client's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## client sent. ## ## ## See `Wikipedia `__ for more 
@@ -4747,14 +4807,14 @@ event http_stats%(c: connection, stats: http_stats_rec%); ## ## .. bro:see:: ssh_server_version ## -## .. note:: As everything after the initial version handshake proceeds encrypted, -## Bro cannot further analyze SSH sessions. +## .. note:: As everything after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. event ssh_client_version%(c: connection, version: string%); -## Generated when seeing an SSH server's version identification. The SSH protocol -## starts with a clear-test handshake message that reports client and server -## protocol/software versions. This event provides access to what the server -## sent. +## Generated when seeing an SSH server's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## server sent. ## ## See `Wikipedia `__ for more ## information about the SSH protocol. 
@@ -4772,53 +4832,53 @@ event ssh_server_version%(c: connection, version: string%); ## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions ## start with an unencrypted handshake, and Bro extracts as much information out -## that it as it can. This event provides access to the initial information sent by -## the client. +## of that as it can. This event provides access to the initial information +## sent by the client. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. ## ## c: The connection. ## -## version: The protocol version as extracted from the client's -## message. The values are standardized as part of the SSL/TLS protocol. The +## version: The protocol version as extracted from the client's message. The +## values are standardized as part of the SSL/TLS protocol. The ## :bro:id:`SSL::version_strings` table maps them to descriptive names. ## -## possible_ts: The current time as sent by the client. Note that SSL/TLS does not -## require clocks to be set correctly, so treat with care. +## possible_ts: The current time as sent by the client. Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. ## ## session_id: The session ID sent by the client (if any). ## ## ciphers: The list of ciphers the client offered to use. The values are -## standardized as part of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table -## maps them to descriptive names. +## standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. ## ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); -## Generated for an SSL/TLS servers's initial *hello* message. SSL/TLS sessions +## Generated for an SSL/TLS server's initial *hello* message. 
SSL/TLS sessions ## start with an unencrypted handshake, and Bro extracts as much information out -## of that as it can. This event provides access to the initial information sent by -## the client. +## of that as it can. This event provides access to the initial information +## sent by the client. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. ## ## c: The connection. ## -## version: The protocol version as extracted from the servers's message. +## version: The protocol version as extracted from the server's message. ## The values are standardized as part of the SSL/TLS protocol. The ## :bro:id:`SSL::version_strings` table maps them to descriptive names. ## -## possible_ts: The current time as sent by the server. Note that SSL/TLS does not -## require clocks to be set correctly, so treat with care. +## possible_ts: The current time as sent by the server. Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. ## ## session_id: The session ID as sent back by the server (if any). ## ## cipher: The cipher chosen by the server. The values are standardized as part -## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps them to -## descriptive names. +## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps +## them to descriptive names. ## ## comp_method: The compression method chosen by the client. The values are ## standardized as part of the SSL/TLS protocol. 
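Review bot: The rewrapped ssl_server_hello description still attributes the message to the wrong party: `## sent by the client.` should read `## sent by the server.`, since the paragraph describes the server's *hello*, and the same hunk's `## comp_method: The compression method chosen by the client.` should say `chosen by the server`, matching the adjacent `cipher: The cipher chosen by the server.` line. A reader using this text to decide whose preferences they are logging would be misled. The hunk only reflows these lines, so the error is carried over from the old text rather than introduced, but this commit is the natural place to fix it.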
@@ -4827,18 +4887,18 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); -## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions -## start with an unencrypted handshake, and Bro extracts as much information out of -## that as it can. This event provides access to any extensions either side sents -## as part of extended *hello* message. +## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS +## sessions start with an unencrypted handshake, and Bro extracts as much +## information out of that as it can. This event provides access to any +## extensions either side sends as part of an extended *hello* message. ## ## c: The connection. ## ## is_orig: True if event is raised for originator side of the connection. ## ## code: The numerical code of the extension. The values are standardized as -## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps them to -## descriptive names. +## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps +## them to descriptive names. ## ## val: The raw extension value that was sent in the message. ## 
@@ -4847,10 +4907,10 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, sessio event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with -## an unencrypted handshake, and Bro extracts as much information out of that as -## it can. This event signals the time when an SSL/TLS has finished the handshake -## and its endpoints consider it as fully established. Typically, everything from -## now on will be encrypted. +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event signals the time when an SSL/TLS has finished the +## handshake and its endpoints consider it as fully established. Typically, +## everything from now on will be encrypted. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. @@ -4861,11 +4921,11 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_established%(c: connection%); -## Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted -## handshake, and Bro extracts as much information out of that as it can. If during -## that handshake, an endpoint encounteres a fatal error, it sends an *alert* -## record, that it turns triggers this event. After an *alert*, any endpoint -## may close the connection immediately. +## Generated for SSL/TLS alert records. SSL/TLS sessions start with an +## unencrypted handshake, and Bro extracts as much information out of that as +## it can. If during that handshake, an endpoint encounters a fatal error, it +## sends an *alert* record, that in turn triggers this event. After an *alert*, +## any endpoint may close the connection immediately. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. 
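Review bot: `## as it can. This event signals the time when an SSL/TLS has finished the` drops the noun in the ssl_established paragraph; it should read `when an SSL/TLS session has finished the`. The sentence was reflowed in this hunk, so the fix belongs here.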
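Review bot: The rewritten ssl_alert paragraph describes alerts only as a response to a fatal error (`## it can. If during that handshake, an endpoint encounters a fatal error, it`), yet the event signature a few lines below — `event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);` — carries a `level` argument, and TLS defines both warning- and fatal-level alerts (close_notify being the common warning-level one). Suggest `## it can. If an endpoint encounters an error or wants to signal a condition such as close_notify, it sends an *alert* record` and have the `level` description, which is outside this hunk, say whether warning-level alerts are also delivered. The closing sentence `After an *alert*, any endpoint may close the connection immediately.` is only guaranteed for fatal alerts.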
@@ -4884,12 +4944,12 @@ event ssl_established%(c: connection%); ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); -## Generated for SSL/TLS handshake messages that are a part of the stateless-server -## session resumption mechanism. SSL/TLS sessions start with an unencrypted -## handshake, and Bro extracts as much information out of that as it can. This -## event is raised when an SSL/TLS server passes session ticket to the client that -## can later be used for resuming the session. The mechanism is described in -## :rfc:`4507` +## Generated for SSL/TLS handshake messages that are a part of the +## stateless-server session resumption mechanism. SSL/TLS sessions start with +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event is raised when an SSL/TLS server passes a session +## ticket to the client that can later be used for resuming the session. The +## mechanism is described in :rfc:`4507` ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. 
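Review bot: The reflowed ssl_session_ticket_handshake text still ends with `## mechanism is described in :rfc:`4507`` and no terminating period, and RFC 4507 has been obsoleted by RFC 5077, which specifies the same TLS session-ticket extension. Suggest `## mechanism is described in :rfc:`5077` (which obsoletes :rfc:`4507`).` It would also help handler authors to state that the ticket is server-encrypted opaque state that Bro passes through without decoding, if that is what the analyzer does — not visible from this hunk.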
@@ -4905,13 +4965,13 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); ## x509_certificate x509_error x509_extension ssl_alert event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); -## Generated for x509 certificates seen in SSL/TLS connections. During the initial -## SSL/TLS handshake, certificates are exchanged in the clear. Bro raises this -## event for each certificate seen (including both a site's primary cert, and -## further certs sent as part of the validation chain). +## Generated for X509 certificates seen in SSL/TLS connections. During the +## initial SSL/TLS handshake, certificates are exchanged in the clear. Bro +## raises this event for each certificate seen (including both a site's primary +## cert, and further certs sent as part of the validation chain). ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## @@ -4920,7 +4980,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## cert: The parsed certificate. ## ## chain_idx: The index in the validation chain that this cert has. Index zero -## indicates an endpoints primary cert, while higher indices +## indicates an endpoint's primary cert, while higher indices ## indicate the place in the validation chain (which has length ## *chain_len*). ## 
@@ -4928,16 +4988,17 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## of. ## ## der_cert: The complete cert encoded in `DER -## `__ format. +## `__ +## format. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_server_hello x509_error x509_extension x509_verify event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%); -## Generated for X.509 extensions seen in a certificate. +## Generated for X509 extensions seen in a certificate. ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## @@ -4949,17 +5010,17 @@ event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: cou ## ssl_server_hello x509_certificate x509_error x509_verify event x509_extension%(c: connection, is_orig: bool, data: string%); -## Generated when errors occur during parsing an X.509 certificate. +## Generated when errors occur during parsing an X509 certificate. ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## ## is_orig: True if event is raised for originator side of the connection. ## -## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` maps -## error codes to a textual description. +## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` +## maps error codes to a textual description. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify 
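Review bot: The two hunks change `X.509` to `X509` in prose (`+## Generated for X509 extensions seen in a certificate.`, `+## Generated when errors occur during parsing an X509 certificate.`) while the sentence kept immediately below each still says `about the X.509 format.` The standard is named X.509; `X509` is Bro's type name, as in the `cert: X509` parameter above. Suggest using `X.509` in prose and reserving `X509` for the type, e.g. `## Generated for X.509 extensions seen in a certificate.`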
@@ -5022,16 +5083,16 @@ event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## Generated for NCP requests (Netware Core Protocol). ## -## See `Wikipedia `__ for more -## information about the NCP protocol. +## See `Wikipedia `__ for +## more information about the NCP protocol. ## ## c: The connection. ## ## frame_type: The frame type, as specified by the protocol. ## -## length: The length of the request body, excluding the frame header, +## length: The length of the request body, excluding the frame header. ## -## func: The requested function, as specified by the protocol. +## func: The requested function, as specified by the protocol. ## ## .. bro:see:: ncp_reply ## @@ -5043,20 +5104,20 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count% ## Generated for NCP replies (Netware Core Protocol). ## -## See `Wikipedia `__ for more -## information about the NCP protocol. +## See `Wikipedia `__ for +## more information about the NCP protocol. ## ## c: The connection. ## ## frame_type: The frame type, as specified by the protocol. ## -## length: The length of the request body, excluding the frame header, +## length: The length of the request body, excluding the frame header. ## ## req_frame: The frame type from the corresponding request. ## -## req_frame: The function code from the corresponding request. +## req_func: The function code from the corresponding request. ## -## completion_code: The replie's completion code, as specified by the protocol. +## completion_code: The reply's completion code, as specified by the protocol. ## ## .. bro:see:: ncp_request ## 
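Review bot: In the ncp_reply hunk `## length: The length of the request body, excluding the frame header.` describes a reply, so it should read `## length: The length of the reply body, excluding the frame header.`; the same sentence is correct for ncp_request just above, which is where it was copied from. The hunk fixes the trailing comma and the duplicated `req_frame` label but keeps this copy-paste error.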
@@ -5068,12 +5129,13 @@ event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: cou ## Generated for client-side commands on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## -## is_orig: True if the command was sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## command: The command sent. ## @@ -5091,24 +5153,23 @@ event pop3_request%(c: connection, is_orig: bool, ## Generated for server-side replies to commands on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## -## is_orig: True if the command was sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## cmd: The success indicator sent by the server. This corresponds to the ## first token on the line sent, and should be either ``OK`` or ``ERR``. ## ## msg: The textual description the server sent along with *cmd*. ## -## arg: The argument to the command. -## ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request ## pop3_terminate pop3_unexpected ## -## .. todo: This event is receiving odd parameters, should unify. +## .. todo:: This event is receiving odd parameters, should unify. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -5116,13 +5177,13 @@ event pop3_request%(c: connection, is_orig: bool, ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); -## Generated for server-side multi-lines responses on POP3 connections. POP3 -## connection use multi-line responses to send buld data, such as the actual +## Generated for server-side multi-line responses on POP3 connections. POP3 +## connections use multi-line responses to send bulk data, such as the actual ## mails. This event is generated once for each line that's part of such a ## response. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5139,12 +5200,12 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pop3_data%(c: connection, is_orig: bool, data: string%); -## Generated for errors encountered on POP3 sessions. If the POP3 analyzers finds -## state transition that do not confirm to the protocol specification, or other -## situations it can't handle, it raises this event. +## Generated for errors encountered on POP3 sessions. If the POP3 analyzer +## finds state transitions that do not conform to the protocol specification, +## or other situations it can't handle, it raises this event. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## 
@@ -5164,13 +5225,13 @@ event pop3_data%(c: connection, is_orig: bool, data: string%); event pop3_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); -## Generated when POP3 connection go encrypted. While POP3 is by default a +## Generated when a POP3 connection goes encrypted. While POP3 is by default a ## clear-text protocol, extensions exist to switch to encryption. This event is -## generated if that happens and the analyzers then stops processing the +## generated if that happens and the analyzer then stops processing the ## connection. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5192,8 +5253,8 @@ event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## Generated for successful authentications on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5216,15 +5277,15 @@ event pop3_login_success%(c: connection, is_orig: bool, ## Generated for unsuccessful authentications on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## ## is_orig: Always false. ## -## user: The user name attempted for authentication. The event is only generated if -## a non-empty user name was used. +## user: The user name attempted for authentication. The event is only +## generated if a non-empty user name was used. ## ## password: The password attempted for authentication. ## 
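Review bot: `## password: The password attempted for authentication.` in pop3_login_failure hands script handlers a cleartext credential with no caution, and the same presumably applies to pop3_login_success above, whose parameter list is outside this hunk. Failed logins are often mistyped or recently rotated valid passwords, so anything a handler writes to a log or notice from this value is a credential leak. Suggest appending `## Handlers should avoid writing this value to logs or notices; it is a cleartext credential.` The event definition itself is below this hunk.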
@@ -5261,9 +5322,9 @@ event pop3_login_failure%(c: connection, is_orig: bool, ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response ## irc_part_message irc_password_message ## -## .. note:: This event is generated only for message that originate at the -## clients-side. Commands coming in from remote trigger the ge:bro:id:`irc_message` -## event instead. +## .. note:: This event is generated only for messages that originate +## at the client-side. Commands coming in from remote trigger +## the :bro:id:`irc_message` event instead. event irc_request%(c: connection, is_orig: bool, prefix: string, command: string, arguments: string%); @@ -5275,9 +5336,10 @@ event irc_request%(c: connection, is_orig: bool, prefix: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## prefix: The optional prefix comming with the reply. IRC uses the prefix to +## prefix: The optional prefix coming with the reply. IRC uses the prefix to ## indicate the true origin of a message. ## ## code: The reply code, as specified by the protocol. @@ -5306,7 +5368,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string, ## ## command: The command. ## -## arguments: The arguments for the command. +## message: TODO. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message 
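Review bot: The irc_message hunk replaces a usable description with a placeholder: `-## arguments: The arguments for the command.` becomes `+## message: TODO.` Renaming the entry to `message` is right, as the signature `event irc_message%(c: connection, is_orig: bool, prefix: string, command: string, message: string%)` below the hunk shows, but the old wording should be carried over rather than dropped: `## message: The text (arguments) following the command.` The event definition is outside this hunk.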
@@ -5317,22 +5379,23 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string, ## .. note:: ## ## This event is generated only for messages that are forwarded by the server -## to the client. Commands coming from client trigger the :bro:id:`irc_request` -## event instead. +## to the client. Commands coming from client trigger the +## :bro:id:`irc_request` event instead. event irc_message%(c: connection, is_orig: bool, prefix: string, command: string, message: string%); -## Generated for IRC messages of type *quit*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *quit*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name coming with the message. +## nick: The nickname coming with the message. ## ## message: The text included with the message. ## @@ -5343,15 +5406,16 @@ event irc_message%(c: connection, is_orig: bool, prefix: string, ## irc_part_message irc_password_message event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%); -## Generated for IRC messages of type *privmsg*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *privmsg*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## 
@@ -5375,7 +5439,8 @@ event irc_privmsg_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## @@ -5399,7 +5464,8 @@ event irc_notice_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## @@ -5423,12 +5489,11 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## info_list: The user information coming with the command. ## -## message: The text of communication. -## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message 
@@ -5436,15 +5501,16 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string, ## irc_password_message event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%); -## Generated for IRC messages of type *part*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *part*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## nick: The nickname coming with the message. ## @@ -5460,15 +5526,16 @@ event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%) event irc_part_message%(c: connection, is_orig: bool, nick: string, chans: string_set, message: string%); -## Generated for IRC messages of type *nick*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *nick*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## who: The user changing its nickname. ## 
@@ -5488,7 +5555,8 @@ event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: stri ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invite_message irc_join_message irc_kick_message @@ -5504,7 +5572,8 @@ event irc_invalid_nick%(c: connection, is_orig: bool%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## users: The number of users as returned in the reply. ## @@ -5527,7 +5596,8 @@ event irc_network_info%(c: connection, is_orig: bool, users: count, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## users: The number of users as returned in the reply. ## @@ -5550,7 +5620,8 @@ event irc_server_info%(c: connection, is_orig: bool, users: count, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## chans: The number of channels as returned in the reply. ## @@ -5568,9 +5639,10 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## target_nick: The target nick name. +## target_nick: The target nickname. ## ## channel: The channel. ## 
@@ -5580,7 +5652,7 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%); ## ## server: The server. ## -## nick: The nick name. +## nick: The nickname. ## ## params: The parameters. ## @@ -5606,7 +5678,8 @@ event irc_who_line%(c: connection, is_orig: bool, target_nick: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## c_type: The channel type. ## @@ -5629,9 +5702,10 @@ event irc_names_info%(c: connection, is_orig: bool, c_type: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name specified in the reply. +## nick: The nickname specified in the reply. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message @@ -5647,9 +5721,10 @@ event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name specified in the reply. +## nick: The nickname specified in the reply. ## ## chans: The set of channels returned. ## 
@@ -5668,16 +5743,15 @@ event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name specified in the reply. +## nick: The nickname specified in the reply. ## ## user: The user name specified in the reply. ## ## host: The host name specified in the reply. ## -## user: The user name specified in the reply. -## ## real_name: The real name specified in the reply. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message @@ -5695,7 +5769,8 @@ event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## got_oper: True if the *oper* command was executed successfully ## (*youreport*) and false otherwise (*nooperhost*). @@ -5714,7 +5789,8 @@ event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. @@ -5735,6 +5811,9 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## channel: The channel name specified in the reply. ## ## topic: The topic specified in the reply. 
@@ -5746,15 +5825,16 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin ## irc_password_message event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%); -## Generated for IRC messages of type *who*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *who*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## mask: The mask specified in the message. ## @@ -5767,15 +5847,20 @@ event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: s ## irc_part_message irc_password_message event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); -## Generated for IRC messages of type *whois*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *whois*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## +## server: TODO. +## +## users: TODO. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message 
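Review bot: The added `## server: TODO.` and `## users: TODO.` lines in the irc_whois_message block (second hunk on this line) publish placeholders instead of parameter descriptions, and the same pattern recurs further down with `## TODO.` in the OS_version_found block and `## name: TODO.` in the remote_event_registered block. The signature in the hunk (`server: string, users: string`) suggests, if the analyzer follows the RFC 1459 WHOIS form `WHOIS [<server>] <nickmask>[,<nickmask>...]`, wording such as `## server: The server to direct the query to, if one was specified.` and `## users: The nickname or comma-separated list of nicknames being queried.`; confirm against the IRC analyzer before adopting it. For remote_event_registered, `## name: The name of the event the peer registered.` follows directly from the event name, and OS_version_found presumably needs entries for `c`, `host` and `OS` rather than a bare TODO. As written, the placeholders render as ordinary prose in the generated documentation, so a reader has no signal that the entry is unfinished.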
@@ -5784,14 +5869,17 @@ event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); ## irc_part_message irc_password_message event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%); -## Generated for IRC messages of type *oper*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *oper*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## user: The user specified in the message. ## ## password: The password specified in the message. @@ -5803,14 +5891,17 @@ event irc_whois_message%(c: connection, is_orig: bool, server: string, users: st ## irc_password_message event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%); -## Generated for IRC messages of type *kick*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *kick*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## 
@@ -5828,14 +5919,17 @@ event irc_oper_message%(c: connection, is_orig: bool, user: string, password: st event irc_kick_message%(c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string%); -## Generated for IRC messages of type *error*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *error*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## @@ -5856,10 +5950,13 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## -## nickname: The nick name specified in the message. +## nickname: The nickname specified in the message. ## ## channel: The channel specified in the message. ## 
@@ -5871,14 +5968,17 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: event irc_invite_message%(c: connection, is_orig: bool, prefix: string, nickname: string, channel: string%); -## Generated for IRC messages of type *mode*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *mode*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## @@ -5891,20 +5991,23 @@ event irc_invite_message%(c: connection, is_orig: bool, prefix: string, ## irc_password_message event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%); -## Generated for IRC messages of type *squit*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *squit*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## ## server: The server specified in the message. ## -## messate: The textual description specified in the message. +## message: The textual description specified in the message. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message 
@@ -5914,14 +6017,17 @@ event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: st event irc_squit_message%(c: connection, is_orig: bool, prefix: string, server: string, message: string%); -## Generated for IRC messages of type *dcc*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *dcc*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## @@ -5947,14 +6053,17 @@ event irc_dcc_message%(c: connection, is_orig: bool, dcc_type: string, argument: string, address: addr, dest_port: count, size: count%); -## Generated for IRC messages of type *user*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *user*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## user: The user specified in the message. ## ## host: The host name specified in the message. @@ -5978,6 +6087,9 @@ event irc_user_message%(c: connection, is_orig: bool, user: string, host: string ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## password: The password specified in the message. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message 
@@ -5989,7 +6101,6 @@ event irc_password_message%(c: connection, is_orig: bool, password: string%); ## TODO. ## -## .. bro:see:: event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); ## Generated for monitored Syslog messages. @@ -6005,13 +6116,14 @@ event file_transferred%(c: connection, prefix: string, descr: string, mime_type: ## ## msg: The message logged. ## -## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP syslog -## will be added soon. +## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP +## syslog will be added soon. event syslog_message%(c: connection, facility: count, severity: count, msg: string%); -## Generated when a signature matches. Bro's signature engine provide -## high-performance pattern matching separately from the normal script processing. -## If a signature with an ``event`` action matches, this event is raised. +## Generated when a signature matches. Bro's signature engine provides +## high-performance pattern matching separately from the normal script +## processing. If a signature with an ``event`` action matches, this event is +## raised. ## ## See the :doc:`user manual ` for more information about Bro's ## signature engine. 
@@ -6021,10 +6133,10 @@ event syslog_message%(c: connection, facility: count, severity: count, msg: stri ## ## msg: The message passed to the ``event`` signature action. ## -## data; The last chunk of input that triggered the match. Note that the specifics -## here are no well-defined as Bro does not buffer any input. If a match is split -## across packet boundaries, only the last chunk triggering the will be passed on -## to the event. +## data: The last chunk of input that triggered the match. Note that the +## specifics here are not well-defined as Bro does not buffer any input. +## If a match is split across packet boundaries, only the last chunk +## triggering the match will be passed on to the event. event signature_match%(state: signature_state, msg: string, data: string%); ## Generated when a protocol analyzer finds an identification of a software 
@@ -6039,25 +6151,26 @@ event signature_match%(state: signature_state, msg: string, data: string%); ## ## s: A description of the software found. ## -## descr: The raw (unparsed) software identification string as extracted from the -## protocol. +## descr: The raw (unparsed) software identification string as extracted from +## the protocol. ## ## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found event software_version_found%(c: connection, host: addr, s: software, descr: string%); -## Generated when a protocol analyzer finds an identification of a software used on -## a system but cannot parse it. This is a protocol-independent event that is fed -## by different analyzers. For example, the HTTP analyzer reports user-agent and -## server software by raising this event if it cannot parse them directly (if canit -## :bro:id:`software_version_found` will be generated instead). +## Generated when a protocol analyzer finds an identification of a software +## used on a system but cannot parse it. This is a protocol-independent event +## that is fed by different analyzers. For example, the HTTP analyzer reports +## user-agent and server software by raising this event if it cannot parse them +## directly (if it can :bro:id:`software_version_found` will be generated +## instead). ## ## c: The connection. ## ## host: The host running the reported software. ## -## descr: The raw (unparsed) software identification string as extracted from the -## protocol. +## descr: The raw (unparsed) software identification string as extracted from +## the protocol. ## ## .. bro:see:: software_version_found software_unparsed_version_found ## OS_version_found 
@@ -6075,7 +6188,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%); ## ## host: The host running the reported software. ## -## descr: The software identification string as extracted from the protocol. +## str: The software identification string as extracted from the protocol. ## ## .. bro:see:: software_parse_error software_version_found OS_version_found event software_unparsed_version_found%(c: connection, host: addr, str: string%); @@ -6085,14 +6198,16 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%); ## and it raises this event for each system identified. The p0f fingerprints are ## defined by :bro:id:`passive_fingerprint_file`. ## +## TODO. +## ## .. bro:see:: passive_fingerprint_file software_parse_error ## software_version_found software_unparsed_version_found ## generate_OS_version_event event OS_version_found%(c: connection, host: addr, OS: OS_version%); ## Generated when a connection to a remote Bro has been established. This event -## is intended primarily for use by Bro's communication framework, but it can also -## trigger additional code if helpful. +## is intended primarily for use by Bro's communication framework, but it can +## also trigger additional code if helpful. ## ## p: A record describing the peer. ## @@ -6113,9 +6228,9 @@ event remote_connection_established%(p: event_peer%); ## remote_state_inconsistency print_hook event remote_connection_closed%(p: event_peer%); -## Generated when a remote connection's initial handshake has been completed. This -## event is intended primarily for use by Bro's communication framework, but it can -## also trigger additional code if helpful. +## Generated when a remote connection's initial handshake has been completed. +## This event is intended primarily for use by Bro's communication framework, +## but it can also trigger additional code if helpful. ## ## p: A record describing the peer. ## 
@@ -6130,6 +6245,8 @@ event remote_connection_handshake_done%(p: event_peer%); ## ## p: A record describing the peer. ## +## name: TODO. +## ## .. bro:see:: remote_capture_filter remote_connection_closed ## remote_connection_error remote_connection_established ## remote_connection_handshake_done remote_log remote_pong @@ -6137,8 +6254,8 @@ event remote_connection_handshake_done%(p: event_peer%); event remote_event_registered%(p: event_peer, name: string%); ## Generated when a connection to a remote Bro encountered an error. This event -## is intended primarily for use by Bro's communication framework, but it can also -## trigger additional code if helpful. +## is intended primarily for use by Bro's communication framework, but it can +## also trigger additional code if helpful. ## ## p: A record describing the peer. ## @@ -6153,8 +6270,8 @@ event remote_connection_error%(p: event_peer, reason: string%); ## Generated when a remote peer sent us a capture filter. While this event is -## intended primarily for use by Bro's communication framework, it can also trigger -## additional code if helpful. +## intended primarily for use by Bro's communication framework, it can also +## trigger additional code if helpful. ## ## p: A record describing the peer. ## @@ -6168,8 +6285,8 @@ event remote_capture_filter%(p: event_peer, filter: string%); ## Generated after a call to :bro:id:`send_state` when all data has been ## successfully sent to the remote side. While this event is -## intended primarily for use by Bro's communication framework, it can also trigger -## additional code if helpful. +## intended primarily for use by Bro's communication framework, it can also +## trigger additional code if helpful. ## ## p: A record describing the remote peer. ## 
@@ -6179,20 +6296,20 @@ event remote_capture_filter%(p: event_peer, filter: string%); ## remote_state_access_performed remote_state_inconsistency print_hook event finished_send_state%(p: event_peer%); -## Generated if state synchronization detects an inconsistency. While this event -## is intended primarily for use by Bro's communication framework, it can also -## trigger additional code if helpful. This event is only raised if +## Generated if state synchronization detects an inconsistency. While this +## event is intended primarily for use by Bro's communication framework, it can +## also trigger additional code if helpful. This event is only raised if ## :bro:id:`remote_check_sync_consistency` is false. ## ## operation: The textual description of the state operation performed. ## ## id: The name of the Bro script identifier that was operated on. ## -## expected_old: A textual representation of the value of *id* that was expected to -## be found before the operation was carried out. +## expected_old: A textual representation of the value of *id* that was +## expected to be found before the operation was carried out. ## -## real_old: A textual representation of the value of *id* that was actually found -## before the operation was carried out. The difference between +## real_old: A textual representation of the value of *id* that was actually +## found before the operation was carried out. The difference between ## *real_old* and *expected_old* is the inconsistency being reported. ## ## .. bro:see:: remote_capture_filter remote_connection_closed 
@@ -6203,13 +6320,13 @@ event remote_state_inconsistency%(operation: string, id: string, expected_old: string, real_old: string%); ## Generated for communication log messages. While this event is -## intended primarily for use by Bro's communication framework, it can also trigger -## additional code if helpful. +## intended primarily for use by Bro's communication framework, it can also +## trigger additional code if helpful. ## ## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or ## :bro:id:`REMOTE_LOG_ERROR`. ## -## src: The component of the comminication system that logged the message. +## src: The component of the communication system that logged the message. ## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's ## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or ## :bro:id:`REMOTE_SRC_SCRIPT` (the script level). @@ -6223,8 +6340,8 @@ event remote_state_inconsistency%(operation: string, id: string, event remote_log%(level: count, src: count, msg: string%); ## Generated for communication log messages. While this event is -## intended primarily for use by Bro's communication framework, it can also trigger -## additional code if helpful. This event is equivalent to +## intended primarily for use by Bro's communication framework, it can also +## trigger additional code if helpful. This event is equivalent to ## :bro:see:`remote_log` except the message is with respect to a certain peer. ## ## p: A record describing the remote peer. 
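Review bot: The context line `## :bro:see:`remote_log` except the message is with respect to a certain peer.` in the remote_log_peer block uses `bro:see` as an inline role, whereas every other inline cross-reference in this diff uses `:bro:id:` and `bro:see` otherwise appears only as the `.. bro:see::` directive. If the Sphinx domain does not define `bro:see` as a role, this reference will not resolve and may surface as the kind of docs-build warning this commit is cleaning up; changing the role on that line from `:bro:see:` to `:bro:id:` would be consistent with the rest of the file. The remote_log_peer block continues past the end of this hunk.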
@@ -6232,7 +6349,7 @@ event remote_log%(level: count, src: count, msg: string%); ## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or ## :bro:id:`REMOTE_LOG_ERROR`. ## -## src: The component of the comminication system that logged the message. +## src: The component of the communication system that logged the message. ## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's ## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or ## :bro:id:`REMOTE_SRC_SCRIPT` (the script level). @@ -6247,12 +6364,12 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## Generated when a remote peer has answered to our ping. This event is part of ## Bro's infrastructure for measuring communication latency. One can send a ping -## by calling :bro:id:`send_ping` and when a corresponding reply is received, this -## event will be raised. +## by calling :bro:id:`send_ping` and when a corresponding reply is received, +## this event will be raised. ## ## p: The peer sending us the pong. ## -## seq: The sequence number passed to the original :bro:id:`send_ping` call. +## seq: The sequence number passed to the original :bro:id:`send_ping` call. ## The number is sent back by the peer in its response. ## ## d1: The time interval between sending the ping and receiving the pong. This @@ -6263,7 +6380,7 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## ## d3: The time interval between when the peer's child process received the ## ping and when its parent process sent the pong. This is the -## processing latency at the the peer. +## processing latency at the peer. ## ## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error ## remote_connection_established remote_connection_handshake_done 
@@ -6272,8 +6389,8 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); event remote_pong%(p: event_peer, seq: count, d1: interval, d2: interval, d3: interval%); -## Generated each time a remote state access has been replayed locally. This event -## is primarily intended for debugging. measurments. +## Generated each time a remote state access has been replayed locally. This +## event is primarily intended for debugging. ## ## id: The name of the Bro script variable that's being operated on. ## @@ -6287,7 +6404,7 @@ event remote_state_access_performed%(id: string, v: any%); ## Generated each time Bro's internal profiling log is updated. The file is ## defined by :bro:id:`profiling_file`, and its update frequency by -## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`. +## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`. ## ## f: The profiling file. ## 
@@ -6299,25 +6416,25 @@ event profiling_update%(f: file, expensive: bool%); ## Generated each time Bro's script interpreter opens a file. This event is ## triggered only for files opened via :bro:id:`open`, and in particular not for -## normal log files as created by a log writers. +## normal log files as created by log writers. ## ## f: The opened file. event file_opened%(f: file%); -## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises this -## event whenever it either receives a NetFlow header on the port it's listening -## on, or reads one from a trace file. +## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow header on the port it's +## listening on, or reads one from a trace file. ## ## h: The parsed NetFlow header. ## ## .. bro:see:: netflow_v5_record event netflow_v5_header%(h: nf_v5_header%); -## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises this -## event whenever it either receives a NetFlow record on the port it's listening -## on, or reads one from a trace file. +## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow record on the port it's +## listening on, or reads one from a trace file. ## -## h: The parsed NetFlow header. +## r: The parsed NetFlow record. ## ## .. bro:see:: netflow_v5_record event netflow_v5_record%(r: nf_v5_record%); 
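Review bot: The netflow_v5_record block still ends with `## .. bro:see:: netflow_v5_record`, a see-also pointing at the event itself; the parameter line was fixed to `## r: The parsed NetFlow record.` in this hunk but the cross-reference was not. The header block just above it correctly points at the record event, so the symmetric fix is `## .. bro:see:: netflow_v5_header`.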
@@ -6330,15 +6447,15 @@ event netflow_v5_record%(r: nf_v5_record%); ## ## msg: The message itself. ## -## location: A (potentially empty) string describing a location associated with the -## message. +## location: A (potentially empty) string describing a location associated with +## the message. ## ## .. bro:see:: reporter_warning reporter_error Reporter::info Reporter::warning ## Reporter::error ## -## .. note:: Bro will not call reporter events recursively. If the handler of any -## reporter event triggers a new reporter message itself, the output will go to -## ``stderr`` instead. +## .. note:: Bro will not call reporter events recursively. If the handler of +## any reporter event triggers a new reporter message itself, the output +## will go to ``stderr`` instead. event reporter_info%(t: time, msg: string, location: string%) &error_handler; ## Raised for warnings reported via Bro's reporter framework. Such messages may @@ -6349,15 +6466,15 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler; ## ## msg: The warning message. ## -## location: A (potentially empty) string describing a location associated with the -## warning. +## location: A (potentially empty) string describing a location associated with +## the warning. ## ## .. bro:see:: reporter_info reporter_error Reporter::info Reporter::warning ## Reporter::error ## -## .. note:: Bro will not call reporter events recursively. If the handler of any -## reporter event triggers a new reporter message itself, the output will go to -## ``stderr`` instead. +## .. note:: Bro will not call reporter events recursively. If the handler of +## any reporter event triggers a new reporter message itself, the output +## will go to ``stderr`` instead. event reporter_warning%(t: time, msg: string, location: string%) &error_handler; ## Raised for errors reported via Bro's reporter framework. Such messages may 
@@ -6368,15 +6485,15 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler; ## ## msg: The error message. ## -## location: A (potentially empty) string describing a location associated with the -## error. +## location: A (potentially empty) string describing a location associated with +## the error. ## ## .. bro:see:: reporter_info reporter_warning Reporter::info Reporter::warning ## Reporter::error ## -## .. note:: Bro will not call reporter events recursively. If the handler of any -## reporter event triggers a new reporter message itself, the output will go to -## ``stderr`` instead. +## .. note:: Bro will not call reporter events recursively. If the handler of +## any reporter event triggers a new reporter message itself, the output +## will go to ``stderr`` instead. event reporter_error%(t: time, msg: string, location: string%) &error_handler; ## Raised for each policy script loaded by the script interpreter. diff --git a/testing/scripts/doc/example-diff-canonifier.py b/testing/scripts/doc/example-diff-canonifier.py deleted file mode 100755 index e0b8c110cc..0000000000 --- a/testing/scripts/doc/example-diff-canonifier.py +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/python - -import sys -import re - -# MutableVal derivatives (e.g. sets/tables) don't always generate the same -# ordering in the reST documentation, so just don't bother diffing -# the places where example.bro uses them. - -RE1 = "\d*/tcp" -RE2 = "tcp port \d*" - -for line in sys.stdin.readlines(): - if re.search(RE1, line) is None and re.search(RE2, line) is None: - print line