From 1f60c3db074d52dd71558d5fd8378b41d2f75375 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 12 Jun 2012 17:36:11 -0500 Subject: [PATCH 1/4] Fix many errors in the event documentation Fixed broken links, broken reST formatting, added missing event parameters to the documentation, removed documentation of event parameters that don't exist, corrected spelling errors, fixed some summary lines (i.e., the first line in each event description) that were truncated in the HTML, and reformatted some lines to fit within 80 columns (much easier to read the docs when using a text editor to view the source files). --- src/event.bif | 2073 ++++++++++++++++++++++++++----------------------- 1 file changed, 1095 insertions(+), 978 deletions(-) diff --git a/src/event.bif b/src/event.bif index af2381ecf6..d0418c42c9 100644 --- a/src/event.bif +++ b/src/event.bif @@ -10,7 +10,7 @@ # # - List parameters with an empty line in between. # -# - Within the description, reference other parameters of the same events +# - Within the description, reference other parameters of the same event # as *arg*. # # - Order: 
@@ -31,17 +31,18 @@ ## Generated at Bro initialization time. The event engine generates this ## event just before normal input processing begins. It can be used to execute ## one-time initialization code at startup. At the time a handler runs, Bro will -## have executed any global initializations and statements. +## have executed any global initializations and statements. ## ## .. bro:see:: bro_done ## ## .. note:: ## -## When a ``bro_init`` handler executes, Bro has not yet seen any input packets -## and therefore :bro:id:`network_time` is not initialized yet. An artifact -## of that is that any timer installed in a ``bro_init`` handler will fire -## immediately with the first packet. The standard way to work around that is to -## ignore the first time the timer fires and immediately reschedule. +## When a ``bro_init`` handler executes, Bro has not yet seen any input +## packets and therefore :bro:id:`network_time` is not initialized yet. An +## artifact of that is that any timer installed in a ``bro_init`` handler +## will fire immediately with the first packet. The standard way to work +## around that is to ignore the first time the timer fires and immediately +## reschedule. ## event bro_init%(%); 
@@ -54,13 +55,13 @@ event bro_init%(%); ## ## .. note:: ## -## If Bro terminates due to an invocation of :bro:id:`exit`, then this event is -## not generated. +## If Bro terminates due to an invocation of :bro:id:`exit`, then this event +## is not generated. event bro_done%(%); -## Generated when an internal DNS lookup reduces the same result as last time. +## Generated when an internal DNS lookup produces the same result as last time. ## Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when subsequent lookup returns +## already resolved. This event is generated when a subsequent lookup returns ## the same result as stored in the cache. ## ## dm: A record describing the new resolver result (which matches the old one). @@ -69,10 +70,11 @@ event bro_done%(%); ## dns_mapping_unverified event dns_mapping_valid%(dm: dns_mapping%); -## Generated when an internal DNS lookup got no answer even though it had succeeded he -## past. Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when a subsequent lookup does not -## produce an answer even though we have already stored a result in the cache. +## Generated when an internal DNS lookup got no answer even though it had +## succeeded in the past. Bro keeps an internal DNS cache for host names and IP +## addresses it has already resolved. This event is generated when a +## subsequent lookup does not produce an answer even though we have +## already stored a result in the cache. ## ## dm: A record describing the old resolver result. ## 
@@ -80,8 +82,8 @@ event dns_mapping_valid%(dm: dns_mapping%); ## dns_mapping_valid event dns_mapping_unverified%(dm: dns_mapping%); -## Generated when an internal DNS lookup succeeed but an earlier attempt not. had -## had succeeded he past. Bro keeps an internal DNS cache for host names and IP +## Generated when an internal DNS lookup succeeded but an earlier attempt +## did not. Bro keeps an internal DNS cache for host names and IP ## addresses it has already resolved. This event is generated when a subsequent ## lookup produces an answer for a query that was marked as failed in the cache. ## @@ -92,10 +94,10 @@ event dns_mapping_unverified%(dm: dns_mapping%); event dns_mapping_new_name%(dm: dns_mapping%); ## Generated when an internal DNS lookup returned zero answers even though it -## had succeeded he past. Bro keeps an internal DNS cache for host names and IP -## addresses it has already resolved. This event is generated when for a subsequent -## lookup we received answer that however was empty even though we have -## already stored a result in the cache. +## had succeeded in the past. Bro keeps an internal DNS cache for host names +## and IP addresses it has already resolved. This event is generated when +## on a subsequent lookup we receive an answer that is empty even +## though we have already stored a result in the cache. ## ## dm: A record describing the old resolver result. ## 
@@ -104,26 +106,26 @@ event dns_mapping_new_name%(dm: dns_mapping%); event dns_mapping_lost_name%(dm: dns_mapping%); ## Generated when an internal DNS lookup produced a different result than in -## past. Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when a subsequent lookup returns -## a different answer than we have stored in the cache. +## the past. Bro keeps an internal DNS cache for host names and IP addresses +## it has already resolved. This event is generated when a subsequent lookup +## returns a different answer than we have stored in the cache. ## ## dm: A record describing the new resolver result. ## ## old_addrs: Addresses that used to be part of the returned set for the query ## described by *dm*, but are not anymore. ## -## new_addrs: Addresses that did not use to be part of the returned set for the -## query described by *dm*, but now are. +## new_addrs: Addresses that were not part of the returned set for the query +## described by *dm*, but now are. ## ## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); -## Generated for every new connection. The event is raised with the first packet -## of a previously unknown connection. Bro uses a flow-based definition of -## "connection" here that includes not only TCP sessions but also UDP and ICMP -## flows. +## Generated for every new connection. This event is raised with the first +## packet of a previously unknown connection. Bro uses a flow-based definition +## of "connection" here that includes not only TCP sessions but also UDP and +## ICMP flows. ## ## c: The connection. ## 
@@ -141,7 +143,7 @@ event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr ## event. event new_connection%(c: connection%); -## Generated when reassembly starts for a TCP connection. The event is raised +## Generated when reassembly starts for a TCP connection. This event is raised ## at the moment when Bro's TCP analyzer enables stream reassembly for a ## connection. ## @@ -155,11 +157,11 @@ event new_connection%(c: connection%); ## expected_connection_seen new_connection partial_connection event new_connection_contents%(c: connection%); -## Generated for an unsuccessful connection attempt. The event is raised when an -## originator unsuccessfully attempted to establish a connection. "Unsuccessful" -## is defined as at least :bro:id:`tcp_attempt_delay` seconds having elapsed since -## the originator first sent a connection establishment packet to the destination -## without seeing a reply. +## Generated for an unsuccessful connection attempt. This event is raised when +## an originator unsuccessfully attempted to establish a connection. +## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds +## having elapsed since the originator first sent a connection establishment +## packet to the destination without seeing a reply. ## ## c: The connection. ## @@ -171,7 +173,7 @@ event new_connection_contents%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); -## Generated when a SYN-ACK packet is seen in response to SYN a packet during +## Generated when a SYN-ACK packet is seen in response to a SYN packet during ## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may ## or may not occur later, one way to tell is to check the *history* field of ## :bro:type:`connection` to see if the originator sent an ACK, indicated by 
@@ -188,8 +190,9 @@ event connection_attempt%(c: connection%); event connection_established%(c: connection%); ## Generated for a new active TCP connection if Bro did not see the initial -## handshake. The event is raised when Bro has observed traffic from each endpoint, -## but the activity did not begin with the usual connection establishment. +## handshake. This event is raised when Bro has observed traffic from each +## endpoint, but the activity did not begin with the usual connection +## establishment. ## ## c: The connection. ## @@ -202,11 +205,11 @@ event connection_established%(c: connection%); ## event partial_connection%(c: connection%); -## Generated when a previously inactive endpoint attempts to close a TCP connection -## via a normal FIN handshake or an abort RST sequence. When the endpoint sent -## one of these packets, Bro waits :bro:id:`tcp_partial_close_delay` prior -## to generating the event, to give the other endpoint a chance to close the -## connection normally. +## Generated when a previously inactive endpoint attempts to close a TCP +## connection via a normal FIN handshake or an abort RST sequence. When the +## endpoint sent one of these packets, Bro waits +## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give +## the other endpoint a chance to close the connection normally. ## ## c: The connection. ## 
@@ -245,9 +248,9 @@ event connection_finished%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_half_finished%(c: connection%); -## Generated for a rejected TCP connection. The event is raised when an originator -## attempted to setup a TCP connection but the responder replied with a RST packet -## denying it. +## Generated for a rejected TCP connection. This event is raised when an +## originator attempted to setup a TCP connection but the responder replied +## with a RST packet denying it. ## ## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished @@ -261,9 +264,9 @@ event connection_half_finished%(c: connection%); ## .. note:: ## ## If the responder does not respond at all, :bro:id:`connection_attempt` is -## raised instead. If the responder initially accepts the connection but aborts -## it later, Bro first generates :bro:id:`connection_established` and then -## :bro:id:`connection_reset`. +## raised instead. If the responder initially accepts the connection but +## aborts it later, Bro first generates :bro:id:`connection_established` +## and then :bro:id:`connection_reset`. event connection_rejected%(c: connection%); ## Generated when an endpoint aborted a TCP connection. The event is raised 
@@ -296,9 +299,9 @@ event connection_pending%(c: connection%); ## Generated when a connection's internal state is about to be removed from ## memory. Bro generates this event reliably once for every connection when it ## is about to delete the internal state. As such, the event is well-suited for -## scrip-level cleanup that needs to be performed for every connection. The -## ``connection_state_remove`` event is generated not only for TCP sessions but -## also for UDP and ICMP flows. +## script-level cleanup that needs to be performed for every connection. This +## event is generated not only for TCP sessions but also for UDP and ICMP +## flows. ## ## c: The connection. ## @@ -311,8 +314,8 @@ event connection_pending%(c: connection%); ## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats event connection_state_remove%(c: connection%); -## Generated for a SYN packet. Bro raises this event for every SYN packet seen by -## its TCP analyzer. +## Generated for a SYN packet. Bro raises this event for every SYN packet seen +## by its TCP analyzer. ## ## c: The connection. ## 
@@ -327,14 +330,15 @@ event connection_state_remove%(c: connection%); ## ## .. note:: ## -## This event has quite low-level semantics and can potentially be expensive to -## generate. It should only be used if one really needs the specific information -## passed into the handler via the ``pkt`` argument. If not, handling one of the -## other ``connection_*`` events is typically the better approach. +## This event has quite low-level semantics and can potentially be expensive +## to generate. It should only be used if one really needs the specific +## information passed into the handler via the ``pkt`` argument. If not, +## handling one of the other ``connection_*`` events is typically the +## better approach. event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## Generated for the first ACK packet seen for a TCP connection from -## its *orginator*. +## its *originator*. ## ## c: The connection. ## @@ -350,10 +354,10 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## This event has quite low-level semantics and should be used only rarely. event connection_first_ACK%(c: connection%); -## Generated when a TCP connection timed out. This event is raised when no activity -## was seen for an interval of at least :bro:id:`tcp_connection_linger`, and -## either one endpoint has already closed the connection or one side never -## never became active. +## Generated when a TCP connection timed out. This event is raised when +## no activity was seen for an interval of at least +## :bro:id:`tcp_connection_linger`, and either one endpoint has already +## closed the connection or one side never became active. ## ## c: The connection. ## 
@@ -366,17 +370,17 @@ event connection_first_ACK%(c: connection%); ## ## .. note:: ## -## The precise semantics of this event can be unintuitive as it only +## The precise semantics of this event can be unintuitive as it only ## covers a subset of cases where a connection times out. Often, handling ## :bro:id:`connection_state_remove` is the better option. That one will be -## generated reliably when an interval of ``tcp_inactivity_timeout`` has passed -## with out any activity seen (but also for all other ways a connection may -## terminate). +## generated reliably when an interval of ``tcp_inactivity_timeout`` has +## passed without any activity seen (but also for all other ways a +## connection may terminate). event connection_timeout%(c: connection%); -## Generated when a connection 4-tuple is reused. The event is raised when Bro -## sees a new TCP session or UDP flow using a 4-tuple matching that of an earlier -## connection it still consideres active. +## Generated when a connection 4-tuple is reused. This event is raised when Bro +## sees a new TCP session or UDP flow using a 4-tuple matching that of an +## earlier connection it still considers active. ## ## c: The connection. ## @@ -388,8 +392,8 @@ event connection_timeout%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_reused%(c: connection%); -## Generated in regular intervals during the life time of a connection. The -## events is raised each ``connection_status_update_interval`` seconds +## Generated in regular intervals during the lifetime of a connection. The +## event is raised each ``connection_status_update_interval`` seconds ## and can be used to check conditions on a regular basis. ## ## c: The connection. 
@@ -432,13 +436,17 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co ## new_connection new_connection_contents partial_connection event connection_EOF%(c: connection, is_orig: bool%); -## Generated for a new connection received from the communication subsystem. Remote -## peers can inject packets into Bro's packet loop, for example via :doc:`Broccoli -## `. The communication systems raises this event -## with the first packet of a connection coming in this way. +## Generated for a new connection received from the communication subsystem. +## Remote peers can inject packets into Bro's packet loop, for example via +## :doc:`Broccoli `. The communication system +## raises this event with the first packet of a connection coming in this way. +## +## c: The connection. +## +## tag: TODO. event connection_external%(c: connection, tag: string%); -## Generated when a connected is seen that has previously marked as being expected. +## Generated when a connection is seen that is marked as being expected. ## The function :bro:id:`expect_connection` tells Bro to expect a particular ## connection to come up, and which analyzer to associate with it. Once the ## first packet of such a connection is indeed seen, this event is raised. 
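Review bot: The new `tag: TODO.` entry for connection_external is a placeholder that the doc generator will publish verbatim as the parameter description; the same pattern appears in `reason: TODO.` added in the @@ -722 hunk for protocol_violation and `contents: TODO.` in the @@ -751 hunk for udp_contents. For udp_contents the surrounding text already fixes the meaning (the summary says the event exists "to pass on their payload" and is raised for empty packets too), so `contents: The raw UDP payload, which may be empty.` can replace the placeholder now, mirroring the `contents:` entry of packet_contents. For `tag` and `reason` the semantics are not visible in this diff, so keeping a TODO is the honest choice, but it would help to say what is known, e.g. `tag: TODO (identifies the injecting peer/source; confirm against the communication subsystem).` rather than the bare word. Separately, the `:doc:`Broccoli `` role on the new side shows an empty target in this rendering; if that is not an artifact of how the patch was displayed, the link path still needs to be filled in.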
@@ -457,12 +465,12 @@ event connection_external%(c: connection, tag: string%); ## connection_state_remove connection_status_update connection_timeout ## new_connection new_connection_contents partial_connection ## -## .. todo: We don't have a good way to document the automatically generated +## .. todo:: We don't have a good way to document the automatically generated ## ``ANALYZER_*`` constants right now. event expected_connection_seen%(c: connection, a: count%); ## Generated for every packet Bro sees. This is a very low-level and expensive -## event that should be avoided when at all possible. Is's usually infeasible to +## event that should be avoided when at all possible. It's usually infeasible to ## handle when processing even medium volumes of traffic in real-time. That ## said, if you work from a trace and want to do some packet-level analysis, ## it may come in handy. @@ -475,7 +483,7 @@ event expected_connection_seen%(c: connection, a: count%); event new_packet%(c: connection, p: pkt_hdr%); ## Generated for every IPv6 packet that contains extension headers. -## This is potentially an expensive event to handle if analysiing IPv6 traffic +## This is potentially an expensive event to handle if analysing IPv6 traffic ## that happens to utilize extension headers frequently. ## ## c: The connection the packet is part of. 
@@ -500,26 +508,26 @@ event esp_packet%(p: pkt_hdr%); ## .. bro:see:: new_packet tcp_packet ipv6_ext_headers event mobile_ipv6_message%(p: pkt_hdr%); -## Generated for every packet that has non-empty transport-layer payload. This is a -## very low-level and expensive event that should be avoided when at all possible. -## It's usually infeasible to handle when processing even medium volumes of -## traffic in real-time. It's even worse than :bro:id:`new_packet`. That said, if -## you work from a trace and want to do some packet-level analysis, it may come in -## handy. +## Generated for every packet that has a non-empty transport-layer payload. +## This is a very low-level and expensive event that should be avoided when +## at all possible. It's usually infeasible to handle when processing even +## medium volumes of traffic in real-time. It's even worse than +## :bro:id:`new_packet`. That said, if you work from a trace and want to +## do some packet-level analysis, it may come in handy. ## ## c: The connection the packet is part of. ## -## contants: The raw transport-layer payload. +## contents: The raw transport-layer payload. ## ## .. bro:see:: new_packet tcp_packet event packet_contents%(c: connection, contents: string%); ## Generated for every TCP packet. This is a very low-level and expensive event -## that should be avoided when at all possible. It's usually infeasible to handle -## when processing even medium volumes of traffic in real-time. It's slightly -## better than :bro:id:`new_packet` because it affects only TCP, but not much. That -## said, if you work from a trace and want to do some packet-level analysis, it may -## come in handy. +## that should be avoided when at all possible. It's usually infeasible to +## handle when processing even medium volumes of traffic in real-time. It's +## slightly better than :bro:id:`new_packet` because it affects only TCP, but +## not much. 
That said, if you work from a trace and want to do some +## packet-level analysis, it may come in handy. ## ## c: The connection the packet is part of. ## @@ -535,8 +543,8 @@ event packet_contents%(c: connection, contents: string%); ## ## len: The length of the TCP payload, as specified in the packet header. ## -## payload: The raw TCP payload. Note that this may less than *len* if the packet -## was not fully captured. +## payload: The raw TCP payload. Note that this may be shorter than *len* if +## the packet was not fully captured. ## ## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); @@ -563,9 +571,9 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## :bro:id:`tcp_content_delivery_ports_resp`, ## :bro:id:`tcp_content_deliver_all_orig`, ## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk -## of in-order payload reconstructed from the packet stream. Note that this event -## is potentially expensive if many connections carry signficant amounts of data as -## then all that needs to be passed on to the scripting layer. +## of in-order payload reconstructed from the packet stream. Note that this +## event is potentially expensive if many connections carry significant amounts +## of data as then all that data needs to be passed on to the scripting layer. ## ## c: The connection the payload is part of. ## @@ -574,7 +582,7 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## seq: The sequence number corresponding to the first byte of the payload ## chunk. ## -## payload: The raw payload, which will be non-empty. +## contents: The raw payload, which will be non-empty. ## ## .. bro:see:: tcp_packet tcp_option tcp_rexmit ## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp 
@@ -590,13 +598,14 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## network-level effects such as latency, acknowledgements, reordering, etc. event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); -## Generated +## TODO. event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); ## Generated when Bro detects a TCP retransmission inconsistency. When -## reassemling TCP stream, Bro buffers all payload until it seens the responder -## acking it. If during time, the sender resends a chunk of payload but with -## content than originally, this event will be raised. +## reassembling a TCP stream, Bro buffers all payload until it sees the +## responder acking it. If during that time, the sender resends a chunk of +## payload but with different content than originally, this event will be +## raised. ## ## c: The connection showing the inconsistency. ## @@ -607,7 +616,7 @@ event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_ ## .. bro:see:: tcp_rexmit tcp_contents event rexmit_inconsistency%(c: connection, t1: string, t2: string%); -## Generated when a TCP endpoint acknowledges payload that Bro did never see. +## Generated when a TCP endpoint acknowledges payload that Bro never saw. ## ## c: The connection. ## 
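Review bot: Replacing `## Generated` with `## TODO.` as the summary line of tcp_rexmit still leaves the event without a description, and none of its six parameters (c, is_orig, seq, len, data_in_flight, window) has a `name:` entry, unlike every neighbouring event in this hunk. Since the summary line is what the generated index shows, a hedged sentence plus the entries that can be stated from this file would be more useful than the bare placeholder, e.g. `## Generated for TCP retransmissions. TODO: confirm the exact trigger and document the remaining parameters.` followed by `c: The connection.` and `is_orig: True if the event is raised for the originator side.` in the convention used by tcp_contents and udp_contents. The remaining four parameters cannot be pinned down from this diff and should stay marked as TODO until checked against the TCP analyzer.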
@@ -621,19 +630,19 @@ event rexmit_inconsistency%(c: connection, t1: string, t2: string%); ## (which isn't unheard of). In practice, one will always see a few of these ## events in any larger volume of network traffic. If there are lots of them, ## however, that typically means that there is a problem with the monitoring -## infrastructure such as a tap dropping packets, split routing on the path, or -## reordering at the tap. +## infrastructure such as a tap dropping packets, split routing on the path, +## or reordering at the tap. ## -## This event reports similar situations as :bro:id:`content_gap`, though their -## specifics differ slightly. Often, however, both will be raised for the same -## connection if some of its data is missing. We should eventually merge -## the two. +## This event reports similar situations as :bro:id:`content_gap`, though +## their specifics differ slightly. Often, however, both will be raised for +## the same connection if some of its data is missing. We should eventually +## merge the two. event ack_above_hole%(c: connection%); -## Generated when Bro detects a gap in a reassembled TCP payload stream. This event -## is raised when Bro, while reassemling a payload stream, determines that a chunk -## of payload is missing (e.g., because the responder has already acknowledged it, -## even though Bro didn't see it). +## Generated when Bro detects a gap in a reassembled TCP payload stream. This +## event is raised when Bro, while reassembling a payload stream, determines +## that a chunk of payload is missing (e.g., because the responder has already +## acknowledged it, even though Bro didn't see it). ## ## c: The connection. ## 
@@ -647,25 +656,26 @@ event ack_above_hole%(c: connection%); ## ## .. note:: ## -## Content gaps tend to occur occasionally for various reasons, including broken -## TCP stacks. If, however, one finds lots of them, that typically means that -## there is a problem with the monitoring infrastructure such as a tap dropping -## packets, split routing on the path, or reordering at the tap. +## Content gaps tend to occur occasionally for various reasons, including +## broken TCP stacks. If, however, one finds lots of them, that typically +## means that there is a problem with the monitoring infrastructure such as +## a tap dropping packets, split routing on the path, or reordering at the +## tap. ## ## This event reports similar situations as :bro:id:`ack_above_hole`, though ## their specifics differ slightly. Often, however, both will be raised for -## connection if some of its data is missing. We should eventually merge the -## two. +## a connection if some of its data is missing. We should eventually merge +## the two. event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); -## Summarizes the amount of missing TCP payload at regular intervals. Internally, -## Bro tracks (1) the number of :bro:id:`ack_above_hole` events, including the -## numer of bytes missing; and (2) the total number of TCP acks seen, with the -## total volume of bytes that have been acked. This event reports these statistics -## in :bro:id:`gap_report_freq` intervals for the purpose of determining packet -## loss. +## Summarizes the amount of missing TCP payload at regular intervals. +## Internally, Bro tracks (1) the number of :bro:id:`ack_above_hole` events, +## including the number of bytes missing; and (2) the total number of TCP +## acks seen, with the total volume of bytes that have been acked. This event +## reports these statistics in :bro:id:`gap_report_freq` intervals for the +## purpose of determining packet loss. 
## -## dt: The time that has past since the last ``gap_report`` interval. +## dt: The time that has passed since the last ``gap_report`` interval. ## ## info: The gap statistics. ## @@ -673,17 +683,17 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); ## ## .. note:: ## -## Bro comes with a script :doc:`/scripts/policy/misc/capture-loss` that uses -## this event to estimate packet loss and report when a predefined threshold is -## exceeded. +## Bro comes with a script :doc:`/scripts/policy/misc/capture-loss` that uses +## this event to estimate packet loss and report when a predefined threshold +## is exceeded. event gap_report%(dt: interval, info: gap_info%); ## Generated when a protocol analyzer confirms that a connection is indeed ## using that protocol. Bro's dynamic protocol detection heuristically activates -## analyzers as soon as it believe a connection *could* be using a particular -## protocol. It is then left to the corresponding analyzer to verify whether that -## is indeed the case; if so, this event will be generated. +## analyzers as soon as it believes a connection *could* be using a particular +## protocol. It is then left to the corresponding analyzer to verify whether +## that is indeed the case; if so, this event will be generated. ## ## c: The connection. ## 
@@ -694,24 +704,24 @@ event gap_report%(dt: interval, info: gap_info%); ## ## aid: A unique integer ID identifying the specific *instance* of the ## analyzer *atype* that is analyzing the connection ``c``. The ID can -## be used to reference the analyzer when using builtin functions like +## be used to reference the analyzer when using builtin functions like ## :bro:id:`disable_analyzer`. ## ## .. bro:see:: protocol_violation ## ## .. note:: ## -## Bro's default scripts use this event to determine the ``service`` column of -## :bro:type:`Conn::Info`: once confirmed, the protocol will be listed there -## (and thus in ``conn.log``). +## Bro's default scripts use this event to determine the ``service`` column +## of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed +## there (and thus in ``conn.log``). event protocol_confirmation%(c: connection, atype: count, aid: count%); ## Generated when a protocol analyzer determines that a connection it is parsing -## is not conforming to the protocol it expects. Bro's dynamic protocol detection -## heuristically activates analyzers as soon as it believe a connection *could* be -## using a particular protocol. It is then left to the corresponding analyzer to -## verify whether that is indeed the case; if not, the analyzer will trigger this -## event. +## is not conforming to the protocol it expects. Bro's dynamic protocol +## detection heuristically activates analyzers as soon as it believes a +## connection *could* be using a particular protocol. It is then left to the +## corresponding analyzer to verify whether that is indeed the case; if not, +## the analyzer will trigger this event. ## ## c: The connection. ## 
@@ -722,20 +732,24 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## ## aid: A unique integer ID identifying the specific *instance* of the ## analyzer *atype* that is analyzing the connection ``c``. The ID can -## be used to reference the analyzer when using builtin functions like +## be used to reference the analyzer when using builtin functions like ## :bro:id:`disable_analyzer`. ## +## reason: TODO. +## ## .. bro:see:: protocol_confirmation ## ## .. note:: ## ## Bro's default scripts use this event to disable an analyzer via -## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's however -## a script-level decision and not done automatically by the event eninge. +## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's +## however a script-level decision and not done automatically by the event +## engine. event protocol_violation%(c: connection, atype: count, aid: count, reason: string%); ## Generated for each packet sent by a UDP flow's originator. This a potentially -## expsensive event due to the volume of UDP traffic and should be used with care. +## expensive event due to the volume of UDP traffic and should be used with +## care. ## ## u: The connection record for the corresponding UDP flow. ## @@ -743,7 +757,8 @@ event protocol_violation%(c: connection, atype: count, aid: count, reason: strin event udp_request%(u: connection%); ## Generated for each packet sent by a UDP flow's responder. This a potentially -## expsensive event due to the volume of UDP traffic and should be used with care. +## expensive event due to the volume of UDP traffic and should be used with +## care. ## ## u: The connection record for the corresponding UDP flow. ## 
@@ -751,35 +766,40 @@ event udp_request%(u: connection%);
event udp_reply%(u: connection%);
## Generated for UDP packets to pass on their payload. As the number of UDP
-## packets can be very large, this event is normally raised only for those on
-## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets sent
-## by the flow's orgininator) or :bro:id:`udp_content_delivery_ports_resp` (for
-## packets sent by the flow's responder). However, delivery can be enabled for all
-## UDP request and reply packets by setting :bro:id:`udp_content_deliver_all_orig`
-## or :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this event is
-## also raised for all matching UDP packets, including empty ones.
+## packets can be very large, this event is normally raised only for those on
+## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets
+## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp`
+## (for packets sent by the flow's responder). However, delivery can be enabled
+## for all UDP request and reply packets by setting
+## :bro:id:`udp_content_deliver_all_orig` or
+## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this
+## event is also raised for all matching UDP packets, including empty ones.
##
## u: The connection record for the corresponding UDP flow.
##
## is_orig: True if the event is raised for the originator side.
##
+## contents: TODO.
+##
## .. bro:see:: udp_reply udp_request udp_session_done
## udp_content_deliver_all_orig udp_content_deliver_all_resp
## udp_content_delivery_ports_orig udp_content_delivery_ports_resp
event udp_contents%(u: connection, is_orig: bool, contents: string%);
## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising this
-## event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog support this.
+## Bro's application-layer UDP analyzers flag the end of a session by raising
+## this event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog
+## support this.
##
## u: The connection record for the corresponding UDP flow.
##
## .. bro:see:: udp_contents udp_reply udp_request
event udp_session_done%(u: connection%);
-## Generated for all ICMP messages that are not handled separately with dedicated
-## ICMP events. Bro's ICMP analyzer handles a number of ICMP messages directly
-## with dedicated events. This event acts as a fallback for those it doesn't.
+## Generated for all ICMP messages that are not handled separately with
+## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
+## directly with dedicated events. This event acts as a fallback for those it
+## doesn't.
##
## See `Wikipedia
## `__ for more
@@ -808,8 +828,8 @@ event icmp_sent%(c: connection, icmp: icmp_conn%);
##
## seq: The *echo request* sequence number.
##
-## payload: The message-specific data of the packet payload, i.e., everything after
-## the first 8 bytes of the ICMP header.
+## payload: The message-specific data of the packet payload, i.e., everything
+## after the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_reply
event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
@@ -829,8 +849,8 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
##
## seq: The *echo reply* sequence number.
##
-## payload: The message-specific data of the packet payload, i.e., everything after
-## the first 8 bytes of the ICMP header.
+## payload: The message-specific data of the packet payload, i.e., everything
+## after the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_request
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
@@ -851,8 +871,8 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa
##
## code: The ICMP code of the error message.
##
-## context: A record with specifics of the original packet that the message refers
-## to.
+## context: A record with specifics of the original packet that the message
+## refers to.
##
## .. bro:see:: icmp_unreachable icmp_packet_too_big
## icmp_time_exceeded icmp_parameter_problem
@@ -871,10 +891,11 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
##
## code: The ICMP code of the *unreachable* message.
##
-## context: A record with specifics of the original packet that the message refers
-## to. *Unreachable* messages should include the original IP header from the packet
-## that triggered them, and Bro parses that into the *context* structure. Note
-## that if the *unreachable* includes only a partial IP header for some reason, no
+## context: A record with specifics of the original packet that the message
+## refers to. *Unreachable* messages should include the original IP
+## header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *unreachable*
+## includes only a partial IP header for some reason, no
## fields of *context* will be filled out.
##
## .. bro:see:: icmp_error_message icmp_packet_too_big
@@ -894,11 +915,12 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
##
## code: The ICMP code of the *too big* message.
##
-## context: A record with specifics of the original packet that the message refers
-## to. *Too big* messages should include the original IP header from the packet
-## that triggered them, and Bro parses that into the *context* structure. Note
-## that if the *too big* includes only a partial IP header for some reason, no
-## fields of *context* will be filled out.
+## context: A record with specifics of the original packet that the message
+## refers to. *Too big* messages should include the original IP header
+## from the packet that triggered them, and Bro parses that into
+## the *context* structure. Note that if the *too big* includes only
+## a partial IP header for some reason, no fields of *context* will
+## be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable
## icmp_time_exceeded icmp_parameter_problem
@@ -917,11 +939,12 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
##
## code: The ICMP code of the *exceeded* message.
##
-## context: A record with specifics of the original packet that the message refers
-## to. *Unreachable* messages should include the original IP header from the packet
-## that triggered them, and Bro parses that into the *context* structure. Note that
-## if the *exceeded* includes only a partial IP header for some reason, no fields
-## of *context* will be filled out.
+## context: A record with specifics of the original packet that the message
+## refers to. *Unreachable* messages should include the original IP
+## header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *exceeded* includes
+## only a partial IP header for some reason, no fields of *context*
+## will be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## icmp_parameter_problem
@@ -940,10 +963,11 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
##
## code: The ICMP code of the *parameter problem* message.
##
-## context: A record with specifics of the original packet that the message refers
-## to. *Parameter problem* messages should include the original IP header from the packet
-## that triggered them, and Bro parses that into the *context* structure. Note that
-## if the *parameter problem* includes only a partial IP header for some reason, no fields
+## context: A record with specifics of the original packet that the message
+## refers to. *Parameter problem* messages should include the original
+## IP header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *parameter problem*
+## includes only a partial IP header for some reason, no fields
## of *context* will be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
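Review bot: The rewrapped `context` description in the first hunk here (the icmp_time_exceeded entry, judging by the `*exceeded*` code line above it) still says `*Unreachable* messages should include the original IP`, which reads as a leftover from the icmp_unreachable entry; the parallel sentences for the other ICMP error events name their own message type (`*Too big*`, `*Parameter problem*`), and this entry's closing sentence already says `*exceeded*`. Since the line is being rewritten anyway, this is the place to make it consistent, e.g. `+## refers to. *Time exceeded* messages should include the original IP`, re-wrapping the following line if it then exceeds 80 columns.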
@@ -1076,13 +1100,14 @@ event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr%);
event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
## Generated for unexpected activity related to a specific connection. When
-## Bro's packet analysis encounters activity that does not conform to a protocol's
-## specification, it raises one of the ``*_weird`` events to report that. This
-## event is raised if the activity is tied directly to a specific connection.
+## Bro's packet analysis encounters activity that does not conform to a
+## protocol's specification, it raises one of the ``*_weird`` events to report
+## that. This event is raised if the activity is tied directly to a specific
+## connection.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
-## scripts use this name in filtering policies that specify which "weirds" are
-## worth reporting.
+## scripts use this name in filtering policies that specify which
+## "weirds" are worth reporting.
##
## c: The corresponding connection.
##
@@ -1091,20 +1116,21 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
## .. bro:see:: flow_weird net_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
-## than one would intuitively expect. While in principle, any protocol violation
-## could be an attack attempt, it's much more likely that an endpoint's
-## implementation interprets an RFC quite liberally.
+## than one would intuitively expect. While in principle, any protocol
+## violation could be an attack attempt, it's much more likely that an
+## endpoint's implementation interprets an RFC quite liberally.
event conn_weird%(name: string, c: connection, addl: string%);
## Generated for unexpected activity related to a pair of hosts, but independent
-## of a specific connection. When Bro's packet analysis encounters activity that
-## does not conform to a protocol's specification, it raises one of the ``*_weird``
-## event to report that. This event is raised if the activity is related to a
-## pair of hosts, yet not to a specific connection between them.
+## of a specific connection. When Bro's packet analysis encounters activity
+## that does not conform to a protocol's specification, it raises one of
+## the ``*_weird`` events to report that. This event is raised if the activity
+## is related to a pair of hosts, yet not to a specific connection between
+## them.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
-## scripts use this name in filtering policies that specify which "weirds" are
-## worth reporting.
+## scripts use this name in filtering policies that specify which
+## "weirds" are worth reporting.
##
## src: The source address corresponding to the activity.
##
@@ -1113,47 +1139,47 @@ event conn_weird%(name: string, c: connection, addl: string%);
## .. bro:see:: conn_weird net_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
-## than one would intuitively expect. While in principle, any protocol violation
-## could be an attack attempt, it's much more likely that an endpoint's
-## implementation interprets an RFC quite liberally.
+## than one would intuitively expect. While in principle, any protocol
+## violation could be an attack attempt, it's much more likely that an
+## endpoint's implementation interprets an RFC quite liberally.
event flow_weird%(name: string, src: addr, dst: addr%);
## Generated for unexpected activity that is not tied to a specific connection
## or pair of hosts. When Bro's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the
-## ``*_weird`` event to report that. This event is raised if the activity is
+## ``*_weird`` events to report that. This event is raised if the activity is
## not tied directly to a specific connection or pair of hosts.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
-## scripts use this name in filtering policies that specify which "weirds" are
-## worth reporting.
+## scripts use this name in filtering policies that specify which
+## "weirds" are worth reporting.
##
## .. bro:see:: flow_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
-## than one would intuitively expect. While in principle, any protocol violation
-## could be an attack attempt, it's much more likely that an endpoint's
-## implementation interprets an RFC quite liberally.
+## than one would intuitively expect. While in principle, any protocol
+## violation could be an attack attempt, it's much more likely that an
+## endpoint's implementation interprets an RFC quite liberally.
event net_weird%(name: string%);
## Generated regularly for the purpose of profiling Bro's processing. This event
## is raised for every :bro:id:`load_sample_freq` packet. For these packets,
-## Bro records script-level functions executed during their processing as well as
-## further internal locations. By sampling the processing in this form, one can
-## understand where Bro spends its time.
+## Bro records script-level functions executed during their processing as well
+## as further internal locations. By sampling the processing in this form, one
+## can understand where Bro spends its time.
##
-## samples: A set with functions and locations seens during the processing of
+## samples: A set with functions and locations seen during the processing of
## the sampled packet.
##
-## CPU: The CPU time spent on processing the sampled.
+## CPU: The CPU time spent on processing the sampled packet.
##
## dmem: The difference in memory usage caused by processing the sampled packet.
event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
## Generated for ARP requests.
##
-## See `Wikipedia `__ for
-## more information about the ARP protocol.
+## See `Wikipedia `__
+## for more information about the ARP protocol.
##
## mac_src: The request's source MAC address.
##
@@ -1173,12 +1199,12 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
## Generated for ARP replies.
##
-## See `Wikipedia `__ for
-## more information about the ARP protocol.
+## See `Wikipedia `__
+## for more information about the ARP protocol.
##
-## mac_src: The replies's source MAC address.
+## mac_src: The reply's source MAC address.
##
-## mac_dst: The replies's destination MAC address.
+## mac_dst: The reply's destination MAC address.
##
## SPA: The sender protocol address.
##
@@ -1192,9 +1218,9 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%);
-## Generated for ARP packets that Bro cannot interpret. Examples are packets with
-## non-standard hardware address formats or hardware addresses that not match the
-## originator of the packet.
+## Generated for ARP packets that Bro cannot interpret. Examples are packets
+## with non-standard hardware address formats or hardware addresses that do not
+## match the originator of the packet.
##
## SPA: The sender protocol address.
##
@@ -1216,8 +1242,8 @@ event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: stri
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
@@ -1229,8 +1255,8 @@ event bittorrent_peer_handshake%(c: connection, is_orig: bool,
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1241,8 +1267,8 @@ event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1253,8 +1279,8 @@ event bittorrent_peer_choke%(c: connection, is_orig: bool%);
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1265,8 +1291,8 @@ event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
@@ -1277,8 +1303,8 @@ event bittorrent_peer_interested%(c: connection, is_orig: bool%);
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1289,8 +1315,8 @@ event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
@@ -1301,8 +1327,8 @@ event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
@@ -1313,8 +1339,8 @@ event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%)
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1326,8 +1352,8 @@ event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1339,8 +1365,8 @@ event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1352,8 +1378,8 @@ event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1364,8 +1390,8 @@ event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1377,8 +1403,8 @@ event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1389,8 +1415,8 @@ event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1402,8 +1428,8 @@ event bt_tracker_request%(c: connection, uri: string,
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1417,8 +1443,8 @@ event bt_tracker_response%(c: connection, status: count,
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1430,8 +1456,8 @@ event bt_tracker_response_not_ok%(c: connection, status: count,
## TODO.
##
-## See `Wikipedia `__ for more
-## information about the BitTorrent protocol.
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
@@ -1570,7 +1596,7 @@ event gnutella_http_notify%(c: connection%);
## Generated for Ident requests.
##
-## See `Wikipedia `__ for more
+## See `Wikipedia `__ for more
## information about the Ident protocol.
##
## c: The connection.
@@ -1589,7 +1615,7 @@ event ident_request%(c: connection, lport: port, rport: port%);
## Generated for Ident replies.
##
-## See `Wikipedia `__ for more
+## See `Wikipedia `__ for more
## information about the Ident protocol.
##
## c: The connection.
@@ -1612,7 +1638,7 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
## Generated for Ident error replies.
##
-## See `Wikipedia `__ for more
+## See `Wikipedia `__ for more
## information about the Ident protocol.
##
## c: The connection.
@@ -1646,7 +1672,7 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%);
##
## password: The password tried.
##
-## line: line is the line of text that led the analyzer to conclude that the
+## line: The line of text that led the analyzer to conclude that the
## authentication had failed.
##
## .. bro:see:: login_confused login_confused_text login_display login_input_line
@@ -1655,14 +1681,9 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%);
## login_timeouts set_login_state
##
## .. note:: The login analyzer depends on a set of script-level variables that
-## need to configured with patterns identifying login attempts. This configuration
-## has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
-## therefore not directly usable at the moment.
-##
-## .. todo: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## need to be configured with patterns identifying login attempts. This
+## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+## the analyzer is therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@@ -1685,7 +1706,7 @@ event login_failure%(c: connection, user: string, client_user: string, password:
##
## password: The password used.
##
-## line: line is the line of text that led the analyzer to conclude that the
+## line: The line of text that led the analyzer to conclude that the
## authentication had succeeded.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
@@ -1694,9 +1715,9 @@ event login_failure%(c: connection, user: string, client_user: string, password:
## login_prompts login_success_msgs login_timeouts set_login_state
##
## .. note:: The login analyzer depends on a set of script-level variables that
-## need to configured with patterns identifying login attempts. This configuration
-## has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
-## therefore not directly usable at the moment.
+## need to be configured with patterns identifying login attempts. This
+## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+## the analyzer is therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@@ -1736,17 +1757,17 @@ event login_input_line%(c: connection, line: string%);
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_output_line%(c: connection, line: string%);
-## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's *login*
-## analyzer uses a number of heuristics to extract authentication information, it
-## may become confused. If it can no longer correctly track the authentication
-## dialog, it raised this event.
+## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
+## *login* analyzer uses a number of heuristics to extract authentication
+## information, it may become confused. If it can no longer correctly track
+## the authentication dialog, it raises this event.
##
## c: The connection.
##
## msg: Gives the particular problem the heuristics detected (for example,
-## ``multiple_login_prompts`` means that the engine saw several login prompts in
-## a row, without the type-ahead from the client side presumed necessary to cause
-## them)
+## ``multiple_login_prompts`` means that the engine saw several login
+## prompts in a row, without the type-ahead from the client side presumed
+## necessary to cause them)
##
## line: The line of text that caused the heuristics to conclude they were
## confused.
@@ -1762,9 +1783,10 @@ event login_output_line%(c: connection, line: string%);
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_confused%(c: connection, msg: string, line: string%);
-## Generated after getting confused while tracking a Telnet/Rlogin authentication
-## dialog. The *login* analyzer generates this even for every line of user input
-## after it has reported :bro:id:`login_confused` for a connection.
+## Generated after getting confused while tracking a Telnet/Rlogin
+## authentication dialog. The *login* analyzer generates this even for every
+## line of user input after it has reported :bro:id:`login_confused` for a
+## connection.
##
## c: The connection.
##
@@ -1781,7 +1803,7 @@ event login_confused%(c: connection, msg: string, line: string%);
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_confused_text%(c: connection, line: string%);
-## Generated for clients transmitting a terminal type in an Telnet session. This
+## Generated for clients transmitting a terminal type in a Telnet session. This
## information is extracted out of environment variables sent as Telnet options.
##
## c: The connection.
@@ -1797,12 +1819,12 @@ event login_confused_text%(c: connection, line: string%);
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_terminal%(c: connection, terminal: string%);
-## Generated for clients transmitting a X11 DISPLAY in a Telnet session. This
+## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
## information is extracted out of environment variables sent as Telnet options.
##
## c: The connection.
##
-## terminal: The DISPLAY transmitted.
+## display: The DISPLAY transmitted.
##
## .. bro:see:: login_confused login_confused_text login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
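Review bot: The rewrapped summary of the login_confused_text entry in the first hunk here still reads `The *login* analyzer generates this even for every` — `even` should be `event`, a typo the rewrap carried over rather than fixed, and it makes the summary line (which the commit message says it is trying to repair) read wrongly. Suggest `+## authentication dialog. The *login* analyzer generates this event for every`, re-wrapping the following line if it then exceeds 80 columns.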
@@ -1813,10 +1835,10 @@ event login_terminal%(c: connection, terminal: string%);
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event login_display%(c: connection, display: string%);
-## Generated when a Telnet authentication has been successful. The Telnet protocol
-## includes options for negotiating authentication. When such an option is sent
-## from client to server and the server replies that it accepts the authentication,
-## then the event engine generates this event.
+## Generated when a Telnet authentication has been successful. The Telnet
+## protocol includes options for negotiating authentication. When such an
+## option is sent from client to server and the server replies that it accepts
+## the authentication, then the event engine generates this event.
##
## See `Wikipedia `__ for more information
## about the Telnet protocol.
@@ -1827,8 +1849,9 @@ event login_display%(c: connection, display: string%);
##
## .. bro:see:: authentication_rejected authentication_skipped login_success
##
-## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_success`
-## heuristically determines success by watching session data.
+## .. note:: This event inspects the corresponding Telnet option
+## while :bro:id:`login_success` heuristically determines success by watching
+## session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@@ -1838,8 +1861,8 @@ event authentication_accepted%(name: string, c: connection%);
## Generated when a Telnet authentication has been unsuccessful. The Telnet
## protocol includes options for negotiating authentication. When such an option
-## is sent from client to server and the server replies that it did not accept the
-## authentication, then the event engine generates this event.
+## is sent from client to server and the server replies that it did not accept
+## the authentication, then the event engine generates this event.
##
## See `Wikipedia `__ for more information
## about the Telnet protocol.
@@ -1850,9 +1873,9 @@ event authentication_accepted%(name: string, c: connection%);
##
## .. bro:see:: authentication_accepted authentication_skipped login_failure
##
-## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_success`
-## heuristically determines failure by watching session
-## data.
+## .. note:: This event inspects the corresponding Telnet option
+## while :bro:id:`login_success` heuristically determines failure by watching
+## session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
@@ -1860,7 +1883,7 @@ event authentication_accepted%(name: string, c: connection%);
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event authentication_rejected%(name: string, c: connection%);
-## Generated when for Telnet/Rlogin sessions when a pattern match indicates
+## Generated for Telnet/Rlogin sessions when a pattern match indicates
## that no authentication is performed.
##
## See `Wikipedia `__ for more information
@@ -1873,9 +1896,9 @@ event authentication_rejected%(name: string, c: connection%); ## login_success_msgs login_timeouts set_login_state ## ## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying actvity. This configuration has -## not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore -## not directly usable at the moment. +## need to be configured with patterns identifying activity. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -1883,15 +1906,16 @@ event authentication_rejected%(name: string, c: connection%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event authentication_skipped%(c: connection%); -## Generated for clients transmitting a terminal prompt in a Telnet session. This -## information is extracted out of environment variables sent as Telnet options. +## Generated for clients transmitting a terminal prompt in a Telnet session. +## This information is extracted out of environment variables sent as Telnet +## options. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## c: The connection. ## -## terminal: The TTYPROMPT transmitted. +## prompt: The TTYPROMPT transmitted. ## ## .. bro:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_success login_terminal 
@@ -1902,9 +1926,9 @@ event authentication_skipped%(c: connection%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_prompt%(c: connection, prompt: string%); -## Generated for Telnet sessions when encryption is activated. The Telnet protoco; -## includes options for negotiating encryption. When such a series of options is -## successfully negotiated, the event engine generates this event. +## Generated for Telnet sessions when encryption is activated. The Telnet +## protocol includes options for negotiating encryption. When such a series of +## options is successfully negotiated, the event engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. 
@@ -1916,13 +1940,13 @@ event login_prompt%(c: connection, prompt: string%); ## login_output_line login_prompt login_success login_terminal event activating_encryption%(c: connection%); -## Generated for inconsistent Telnet options observed. Telnet options are specified -## by the client and server stating which options they are willing to support -## vs. which they are not, and then instructing one another which in fact they -## should or should not use for the current connection. If the event engine sees -## a peer violate either what the other peer has instructed it to do, or what it -## itself offered in terms of options in the past, then the engine generates an -## inconsistent_option event. +## Generated for an inconsistent Telnet option. Telnet options are specified +## by the client and server stating which options they are willing to +## support vs. which they are not, and then instructing one another which in +## fact they should or should not use for the current connection. If the event +## engine sees a peer violate either what the other peer has instructed it to +## do, or what it itself offered in terms of options in the past, then the +## engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. @@ -1958,6 +1982,8 @@ event bad_option%(c: connection%); ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## +## c: The connection. +## ## .. bro:see:: inconsistent_option bad_option authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line 
@@ -1971,15 +1997,15 @@ event bad_option_termination%(c: connection%); ## Generated for client side commands on an RSH connection. ## -## See `RFC 1258 `__ for more information about -## the Rlogin/Rsh protocol. +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. ## ## c: The connection. ## ## client_user: The client-side user name as sent in the initial protocol ## handshake. ## -## client_user: The server-side user name as sent in the initial protocol +## server_user: The server-side user name as sent in the initial protocol ## handshake. ## ## line: The command line sent in the request. @@ -1990,8 +2016,8 @@ event bad_option_termination%(c: connection%); ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## -## .. note: For historical reasons, these events are separate from the ``login_`` -## events. Ideally, they would all be handled uniquely. +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -2001,27 +2027,25 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line ## Generated for client side commands on an RSH connection. ## -## See `RFC 1258 `__ for more information about -## the Rlogin/Rsh protocol. +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. ## ## c: The connection. ## ## client_user: The client-side user name as sent in the initial protocol ## handshake. ## -## client_user: The server-side user name as sent in the initial protocol +## server_user: The server-side user name as sent in the initial protocol ## handshake. ## ## line: The command line sent in the request. ## -## new_session: True if this is the first command of the Rsh session. -## ## .. bro:see:: rsh_request login_confused login_confused_text login_display ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## -## .. note: For historical reasons, these events are separate from the ``login_`` -## events. Ideally, they would all be handled uniquely. +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -2031,8 +2055,8 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## Generated for client-side FTP commands. ## -## See `Wikipedia `__ for more -## information about the FTP protocol. +## See `Wikipedia `__ for +## more information about the FTP protocol. ## ## c: The connection. ## @@ -2046,8 +2070,8 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; ## Generated for server-side FTP replies. ## -## See `Wikipedia `__ for more -## information about the FTP protocol. +## See `Wikipedia `__ for +## more information about the FTP protocol. ## ## c: The connection. ## 
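Review bot: The summary line kept as context in this hunk, `Generated for client side commands on an RSH connection.`, is word-for-word the same as rsh_request's summary, although this block appears to document rsh_reply (the next hunk header names that event and the patch removes its `new_session` entry). Since the summary is the first line shown for an event in the generated docs, the two events become indistinguishable there; a reply-specific wording such as `Generated for server side replies on an RSH connection.` would fix that, but the exact phrasing should be checked against the analyzer because the event signature lies outside this hunk.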
@@ -2055,9 +2079,10 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp";
 ##
 ## msg: The textual message of the response.
 ##
-## cont_resp: True if the reply line is tagged as being continued to the next line.
-## If so, further events will be raised and a handler may want to reassemle the
-## pieces before processing the response any further.
+## cont_resp: True if the reply line is tagged as being continued to the next
+## line. If so, further events will be raised and a handler may want
+## to reassemble the pieces before processing the response any
+## further.
 ##
 ## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
 ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
@@ -2071,10 +2096,11 @@ event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &gro
 ## c: The connection.
 ##
 ## is_orig: True if the sender of the command is the originator of the TCP
-## connection. Note that this is not redundant: the SMTP ``TURN`` command allows
-## client and server to flip roles on established SMTP sessions, and hence a
-## "request" might still come from the TCP-level responder. In practice, however,
-## that will rarely happen as TURN is considered insecure and rarely used.
+## connection. Note that this is not redundant: the SMTP ``TURN`` command
+## allows client and server to flip roles on established SMTP sessions,
+## and hence a "request" might still come from the TCP-level responder.
+## In practice, however, that will rarely happen as TURN is considered
+## insecure and rarely used.
 ##
 ## command: The request's command, without any arguments.
 ##
@@ -2098,16 +2124,18 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) ## connection. Note that this is not redundant: the SMTP ``TURN`` command ## allows client and server to flip roles on established SMTP sessions, ## and hence a "reply" might still come from the TCP-level originator. In -## practice, however, that will rarely happen as TURN is considered insecure -## and rarely used. +## practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. ## ## code: The reply's numerical code. ## +## cmd: TODO. +## ## msg: The reply's textual description. ## -## cont_resp: True if the reply line is tagged as being continued to the next line. -## If so, further events will be raised and a handler may want to reassemle the -## pieces before processing the response any further. +## cont_resp: True if the reply line is tagged as being continued to the next +## line. If so, further events will be raised and a handler may want to +## reassemble the pieces before processing the response any further. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data @@ -2118,7 +2146,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## Generated for DATA transmitted on SMTP sessions. This event is raised for ## subsequent chunks of raw data following the ``DATA`` SMTP command until the -## corresponding end marker ``.`` is seen. A handler may want to reassembly +## corresponding end marker ``.`` is seen. A handler may want to reassemble ## the pieces as they come in if stream-analysis is required. ## ## See `Wikipedia `__ 
@@ -2136,23 +2164,23 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_reply smtp_request skip_smtp_data ## -## .. note:: This event received the unprocessed raw data. There is a separate -## set ``mime_*`` events that strip out the outer MIME-layer of emails and provide -## structured access to their content. +## .. note:: This event receives the unprocessed raw data. There is a separate +## set of ``mime_*`` events that strip out the outer MIME-layer of emails and +## provide structured access to their content. event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; -## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the -## state of SMTP sessions and reports commands and other activity with this event -## that it sees even though it would not expect so at the current point of the -## communication. +## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks +## the state of SMTP sessions and reports commands and other activity with this +## event that it sees even though it would not expect so at the current point +## of the communication. ## ## See `Wikipedia `__ ## for more information about the SMTP protocol. ## ## c: The connection. ## -## is_orig: True if the sender of the unexpected activity is the originator of the -## TCP connection. +## is_orig: True if the sender of the unexpected activity is the originator of +## the TCP connection. ## ## msg: A descriptive message of what was unexpected. ## 
@@ -2161,14 +2189,14 @@ event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; ## .. bro:see:: smtp_data smtp_request smtp_reply event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp"; -## Generated when starting to parse a email MIME entity. MIME is a +## Generated when starting to parse an email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. Bro raises this event when it begin -## parsing a MIME entity extracted from an email protocol. +## corresponding metadata, for transmission. Bro raises this event when it +## begins parsing a MIME entity extracted from an email protocol. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2176,18 +2204,18 @@ event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data ## http_begin_entity ## -## .. note:: Bro also extracts MIME entities from HTTP session. For those, however, -## it raises :bro:id:`http_begin_entity` instead. +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_begin_entity` instead. event mime_begin_entity%(c: connection%); -## Generated when finishing parsing an email MIME entity. MIME is a +## Generated when finishing parsing an email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. Bro raises this event when it +## corresponding metadata, for transmission. Bro raises this event when it ## finished parsing a MIME entity extracted from an email protocol. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2195,17 +2223,17 @@ event mime_begin_entity%(c: connection%); ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data ## http_end_entity ## -## .. note:: Bro also extracts MIME entities from HTTP session. For those, however, -## it raises :bro:id:`http_end_entity` instead. +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_end_entity` instead. event mime_end_entity%(c: connection%); ## Generated for individual MIME headers extracted from email MIME ## entities. MIME is a protocol-independent data format for encoding text and -## files, along with corresponding meta-data, for transmission. +## files, along with corresponding metadata, for transmission. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2215,44 +2243,45 @@ event mime_end_entity%(c: connection%); ## mime_end_entity mime_entity_data mime_event mime_segment_data ## http_header http_all_headers ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_header` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. event mime_one_header%(c: connection, h: mime_header_rec%); ## Generated for MIME headers extracted from email MIME entities, passing all -## headers at once. MIME is a protocol-independent data format for encoding text -## and files, along with corresponding meta-data, for transmission. +## headers at once. MIME is a protocol-independent data format for encoding +## text and files, along with corresponding metadata, for transmission. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## ## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, 2 for the -## second, etc.). +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). ## ## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity ## mime_entity_data mime_event mime_one_header mime_segment_data ## http_header http_all_headers ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_header` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. 
event mime_all_headers%(c: connection, hlist: mime_header_list%); -## Generated for chunks of decoded MIME data from email MIME entities. MIME +## Generated for chunks of decoded MIME data from email MIME entities. MIME ## is a protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. As Bro parses the data of an entity, -## it raises a sequence of these events, each coming as soon as a new chunk of -## data is available. In contrast, there is also :bro:id:`mime_entity_data`, which -## passes all of an entities data at once in a single block. While the latter is -## more convinient to handle, ``mime_segment_data`` is more efficient as Bro does -## not need to buffer the data. Thus, if possible, this event should be prefered. +## corresponding metadata, for transmission. As Bro parses the data of an +## entity, it raises a sequence of these events, each coming as soon as a new +## chunk of data is available. In contrast, there is also +## :bro:id:`mime_entity_data`, which passes all of an entities data at once +## in a single block. While the latter is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer +## the data. Thus, if possible, this event should be preferred. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2264,20 +2293,20 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%); ## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data ## mime_segment_length mime_segment_overlap_length ## -## .. note:: Bro also extracts MIME data from HTTP sessions. For those, however, it -## raises :bro:id:`http_entity_data` (sic!) instead. +## .. note:: Bro also extracts MIME data from HTTP sessions. For those, +## however, it raises :bro:id:`http_entity_data` (sic!) instead. event mime_segment_data%(c: connection, length: count, data: string%); ## Generated for data decoded from an email MIME entity. This event delivers ## the complete content of a single MIME entity. In contrast, there is also ## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as -## they. come in. While ``mime_entity_data`` is more convinient to handle, -## ``mime_segment_data`` is more efficient as Bro does not need to buffer the data. -## Thus, if possible, the latter should be prefered. +## they come in. While ``mime_entity_data`` is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer the +## data. Thus, if possible, the latter should be preferred. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2292,15 +2321,15 @@ event mime_segment_data%(c: connection, length: count, data: string%); ## sessions, there's no corresponding event for that currently. event mime_entity_data%(c: connection, length: count, data: string%); -## Generated for passing on all data decoded from an single email MIME +## Generated for passing on all data decoded from a single email MIME ## message. If an email message has more than one MIME entity, this event ## combines all their data into a single value for analysis. Note that because ## of the potentially significant buffering necessary, using this event can be ## expensive. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## 
@@ -2315,35 +2344,37 @@ event mime_entity_data%(c: connection, length: count, data: string%); ## sessions, there's no corresponding event for that currently. event mime_all_data%(c: connection, length: count, data: string%); -## Generated for errors found when decoding email MIME entities. +## Generated for errors found when decoding email MIME entities. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## -## event_type: A string describing the general category of the problem found (e.g., -## ``illegal format``). +## c: The connection. +## +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). ## ## detail: Further more detailed description of the error. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_event` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_event` instead. event mime_event%(c: connection, event_type: string, detail: string%); -## Generated for decoded MIME entities extracted from email meessage, passing on +## Generated for decoded MIME entities extracted from email messages, passing on ## their MD5 checksums. Bro computes the MD5 over the complete decoded data of ## each MIME entity. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. 
## ## c: The connection. ## -## content_len: The length of entity being hashed. +## content_len: The length of the entity being hashed. ## ## hash_value: The MD5 hash. ## @@ -2355,15 +2386,15 @@ event mime_event%(c: connection, event_type: string, detail: string%); event mime_content_hash%(c: connection, content_len: count, hash_value: string%); ## Generated for RPC request/reply *pairs*. The RPC analyzer associates request -## and reply by their transactions identifiers and raise this event once both -## have been seen. If there's not reply, the will still be generated eventually -## on timeout. In that case, *status* will be set to :bro:enum:`RPC_TIMEOUT`. +## and reply by their transaction identifiers and raises this event once both +## have been seen. If there's not a reply, this event will still be generated +## eventually on timeout. In that case, *status* will be set to +## :bro:enum:`RPC_TIMEOUT`. ## ## See `Wikipedia `__ for more information ## about the ONC RPC protocol. -## c: The connection. ## -## xid: The transaction identifier allowing to match requests with replies. +## c: The connection. ## ## prog: The remote program to call. ## @@ -2374,7 +2405,7 @@ event mime_content_hash%(c: connection, content_len: count, hash_value: string%) ## status: The status of the reply, which should be one of the index values of ## :bro:id:`RPC_status`. ## -## start_time: Then time when the *call* was seen. +## start_time: The time when the *call* was seen. ## ## call_len: The size of the *call_body* PDU. ## @@ -2441,7 +2472,8 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## Generated for Portmapper requests of type *null*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## 
@@ -2459,14 +2491,16 @@ event pm_request_null%(r: connection%);
 ## Generated for Portmapper request/reply dialogues of type *set*.
 ##
 ## Portmapper is a service running on top of RPC. See `Wikipedia
-## `__ for more information about the service.
+## `__ for more information about the
+## service.
 ##
 ## r: The RPC connection.
 ##
 ## m: The argument to the request.
 ##
 ## success: True if the request was successful, according to the corresponding
-## reply. If no reply was seen, this will be false once the request times out.
+## reply. If no reply was seen, this will be false once the request
+## times out.
 ##
 ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
 ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
@@ -2482,14 +2516,16 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 ## Generated for Portmapper request/reply dialogues of type *unset*.
 ##
 ## Portmapper is a service running on top of RPC. See `Wikipedia
-## `__ for more information about the service.
+## `__ for more information about the
+## service.
 ##
 ## r: The RPC connection.
 ##
 ## m: The argument to the request.
 ##
 ## success: True if the request was successful, according to the corresponding
-## reply. If no reply was seen, this will be false once the request times out.
+## reply. If no reply was seen, this will be false once the request
+## times out.
 ##
 ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
 ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
@@ -2505,7 +2541,8 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 ## Generated for Portmapper request/reply dialogues of type *getport*.
 ##
 ## Portmapper is a service running on top of RPC. See `Wikipedia
-## `__ for more information about the service.
+## `__ for more information about the
+## service.
 ##
 ## r: The RPC connection.
 ##
@@ -2513,9 +2550,6 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## ## p: The port returned by the server. ## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request times out. -## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit ## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call @@ -2530,7 +2564,8 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## Generated for Portmapper request/reply dialogues of type *dump*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## @@ -2555,7 +2590,7 @@ event pm_request_dump%(r: connection, m: pm_mappings%); ## ## r: The RPC connection. ## -## m: The argument to the request. +## call: The argument to the request. ## ## p: The port value returned by the call. ## @@ -2711,9 +2746,9 @@ event pm_attempt_dump%(r: connection, status: rpc_status%); event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); ## Generated for Portmapper requests or replies that include an invalid port -## number. Since ports are represented by unsigned 4-byte integers, they can stray -## outside the allowed range of 0--65535 by being >= 65536. If so, this event is -## generated. +## number. Since ports are represented by unsigned 4-byte integers, they can +## stray outside the allowed range of 0--65535 by being >= 65536. If so, this +## event is generated. ## ## Portmapper is a service running on top of RPC. See `Wikipedia ## `__ for more information about the 
@@ -2735,8 +2770,8 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ event pm_bad_port%(r: connection, bad_p: count%); ## Generated for NFSv3 request/reply dialogues of type *null*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2758,8 +2793,8 @@ event pm_bad_port%(r: connection, bad_p: count%); event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2769,8 +2804,10 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## ## info: Reports the status of the dialogue, along with some meta information. ## -## attr: The attributes returned in the reply. The values may not be valid if the -## request was unsuccessful. +## fh: TODO. +## +## attrs: The attributes returned in the reply. The values may not be valid if +## the request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir 
@@ -2784,8 +2821,8 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2812,8 +2849,8 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *read*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2840,8 +2877,8 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more 
@@ -2868,8 +2905,8 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *write*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2879,7 +2916,7 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -2897,8 +2934,8 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *create*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2908,7 +2945,7 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. 
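Review bot: Swapping the wrong `fh:` entry for `## req: TODO.` in the nfs_proc_write hunk (and again for create here, and mkdir/remove/rmdir/readdir in the following hunks) is a correct removal of a non-existent parameter, but the placeholder is rendered verbatim in the HTML reference, so the page ends up documenting less than the type name already tells a reader. At minimum write `## req: The arguments passed in the request.`, mirroring the existing `rep:` line, and if the `NFS3::writeargs_t`/`NFS3::diropargs_t` records are documented elsewhere, reference them with the `:bro:type:` role so a handler author can find which file handle and name the request carries. Each of these hunks is cut from the middle of an event's doc block; the summary line before and the `event ...` definition after are outside the hunk.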
@@ -2925,8 +2962,8 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2936,7 +2973,7 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -2953,8 +2990,8 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *remove*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2964,7 +3001,7 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. 
@@ -2981,8 +3018,8 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2992,7 +3029,7 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -3009,8 +3046,8 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -3020,7 +3057,7 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. 
@@ -3036,8 +3073,8 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%); -## Generated for NFS3 request/reply dialogues of a type that Bro's NFS3 analyzer -## does not implement. +## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3 +## analyzer does not implement. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -3059,9 +3096,11 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%); -## Generated for each NFS3 reply message received, reporting just the +## Generated for each NFSv3 reply message received, reporting just the ## status included. ## +## n: The connection. +## ## info: Reports the status included in the reply. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir @@ -3075,11 +3114,11 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_reply_status%(n: connection, info: NFS3::info_t%); -## Generated for all NTP messages. Different from many other of Bro's events, this -## one is generated for both client-side and server-side messages. +## Generated for all NTP messages. Different from many other of Bro's events, +## this one is generated for both client-side and server-side messages. ## -## See `Wikipedia `__ for more -## information about the NTP protocol. +## See `Wikipedia `__ for +## more information about the NTP protocol. ## ## u: The connection record describing the corresponding UDP flow. ## 
@@ -3096,21 +3135,21 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event ntp_message%(u: connection, msg: ntp_msg, excess: string%); -## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer processes -## the NetBIOS session service running on TCP port 139, and (despite its name!) the -## NetBIOS datagram service on UDP port 138. +## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer +## processes the NetBIOS session service running on TCP port 139, and (despite +## its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## is_orig: True if the message was sent by the originator of the connection. ## -## msg_type: The general type of message, as defined in Section 4.3.1 of `RFC 1002 -## `__. +## msg_type: The general type of message, as defined in Section 4.3.1 of +## `RFC 1002 `__. ## ## data_len: The length of the message's payload. ## @@ -3119,8 +3158,8 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%); ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -3128,15 +3167,15 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%); -## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS analyzer -## processes the NetBIOS session service running on TCP port 139, and (despite its -## name!) the NetBIOS datagram service on UDP port 138. +## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS +## analyzer processes the NetBIOS session service running on TCP port 139, and +## (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## msg: The raw payload of the message sent, excluding the common NetBIOS @@ -3147,8 +3186,8 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -3157,14 +3196,14 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da event netbios_session_request%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *positive session response*. Bro's -## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, -## and (despite its name!) the NetBIOS datagram service on UDP port 138. +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## msg: The raw payload of the message sent, excluding the common NetBIOS @@ -3175,8 +3214,8 @@ event netbios_session_request%(c: connection, msg: string%); ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -3185,14 +3224,14 @@ event netbios_session_request%(c: connection, msg: string%); event netbios_session_accepted%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *negative session response*. Bro's -## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, -## and (despite its name!) the NetBIOS datagram service on UDP port 138. +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## msg: The raw payload of the message sent, excluding the common NetBIOS @@ -3203,8 +3242,8 @@ event netbios_session_accepted%(c: connection, msg: string%); ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -3212,17 +3251,17 @@ event netbios_session_accepted%(c: connection, msg: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event netbios_session_rejected%(c: connection, msg: string%); -## Generated for NetBIOS message of type *session message* that are not carrying -## SMB payload. +## Generated for NetBIOS messages of type *session message* that are not +## carrying an SMB payload. ## -## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, -## and (despite its name!) the NetBIOS datagram service on UDP port 138. +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## is_orig: True if the message was sent by the originator of the connection. @@ -3235,11 +3274,11 @@ event netbios_session_rejected%(c: connection, msg: string%); ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## -## .. todo:: This is an oddly named event. In fact, it's probably an odd event to -## have to begin with. +## .. todo:: This is an oddly named event. In fact, it's probably an odd event +## to have to begin with. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
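Review bot: The rewrapped line `+## NetBIOS analyzer processes the NetBIOS session service running on TCP port` still begins the sentence without its subject, while every sibling NetBIOS event touched by this patch reads `Bro's NetBIOS analyzer processes ...`; since the line is being rewritten anyway, suggest `## Bro's NetBIOS analyzer processes the NetBIOS session service running on TCP` followed by `## port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.`. The `event netbios_session_raw_message%(...)` definition this block documents lies past the end of the hunk.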
@@ -3255,20 +3294,21 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## -## msg: The raw payload of the message sent, excluding the common NetBIOS header. +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. ## ## .. bro:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_message netbios_session_raw_message netbios_session_rejected ## netbios_session_request decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## -## .. todo: This is an oddly named event. +## .. todo:: This is an oddly named event. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -3277,25 +3317,26 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); event netbios_session_ret_arg_resp%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer -## processes the NetBIOS session service running on TCP port 139, and (despite its -## name!) the NetBIOS datagram service on UDP port 138. +## processes the NetBIOS session service running on TCP port 139, and (despite +## its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## -## msg: The raw payload of the message sent, excluding the common NetBIOS header. +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. ## ## .. bro:see:: netbios_session_accepted netbios_session_message ## netbios_session_raw_message netbios_session_rejected netbios_session_request ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -3305,9 +3346,9 @@ event netbios_session_keepalive%(c: connection, msg: string%); ## Generated for all SMB/CIFS messages. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3316,7 +3357,7 @@ event netbios_session_keepalive%(c: connection, msg: string%); ## is_orig: True if the message was sent by the originator of the underlying ## transport-level connection. ## -## cmd: A string mmenonic of the SMB command code. +## cmd: A string mnemonic of the SMB command code. ## ## body_length: The length of the SMB message body, i.e. the data starting after ## the SMB header. @@ -3338,15 +3379,15 @@ event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body ## Generated for SMB/CIFS messages of type *tree connect andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## ## hdr: The parsed header of the SMB message. ## -## path: The ``path`` attribute specified in the message. +## path: The ``path`` attribute specified in the message. ## ## service: The ``service`` attribute specified in the message. ## 
@@ -3365,16 +3406,14 @@ event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, serv ## Generated for SMB/CIFS messages of type *tree disconnect*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## ## hdr: The parsed header of the SMB message. ## -## path: The ``path`` attribute specified in the message. -## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx ## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot @@ -3390,15 +3429,15 @@ event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *nt create andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## ## hdr: The parsed header of the SMB message. ## -## name: The ``name`` attribute specified in the message. +## name: The ``name`` attribute specified in the message. ## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx 
@@ -3415,9 +3454,9 @@ event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%); ## Generated for SMB/CIFS messages of type *nt transaction*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3444,9 +3483,9 @@ event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: ## Generated for SMB/CIFS messages of type *nt transaction 2*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3473,9 +3512,9 @@ event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: ## Generated for SMB/CIFS messages of type *transaction mailslot*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## 
@@ -3502,9 +3541,9 @@ event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, dat ## Generated for SMB/CIFS messages of type *transaction rap*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3531,9 +3570,9 @@ event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: sm ## Generated for SMB/CIFS messages of type *transaction pipe*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3560,9 +3599,9 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s ## Generated for SMB/CIFS messages of type *read andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## 
@@ -3570,8 +3609,6 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s ## ## data: Always empty. ## -## is_orig: True if the message was sent by the originator of the connection. -## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx ## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap @@ -3587,9 +3624,9 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); ## Generated for SMB/CIFS messages of type *read andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3597,8 +3634,6 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); ## ## data: Always empty. ## -## is_orig: True if the message was sent by the originator of the connection. -## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx ## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot @@ -3614,9 +3649,9 @@ event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%); ## Generated for SMB/CIFS messages of type *get dfs referral*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## 
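Review bot: The context line `## Generated for SMB/CIFS messages of type *read andx*.` in the second hunk on this line belongs to the block that documents smb_com_write_andx (the definition the following hunk header names), so it is a copy-paste of the smb_com_read_andx summary that this pass leaves in place; suggest `## Generated for SMB/CIFS messages of type *write andx*.`. The same block also says `data: Always empty.`, which was presumably copied along with the summary; whether that is actually true for the write direction is not visible from the diff and is worth checking against the analyzer before the wording is kept, since for a write event the payload is the part an analyst would expect to get. The block's summary and the `event smb_com_write_andx%(...)` line sit on either side of this hunk, outside it.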
@@ -3642,9 +3677,9 @@ event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: cou ## Generated for SMB/CIFS messages of type *negotiate*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3664,9 +3699,9 @@ event smb_com_negotiate%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *negotiate response*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3688,9 +3723,9 @@ event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: co ## Generated for SMB/CIFS messages of type *setup andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## 
@@ -3711,9 +3746,9 @@ event smb_com_setup_andx%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *generic andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3734,9 +3769,9 @@ event smb_com_generic_andx%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *close*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3757,9 +3792,9 @@ event smb_com_close%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *logoff andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## 
@@ -3778,8 +3813,8 @@ event smb_com_close%(c: connection, hdr: smb_hdr%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); -## Generated for SMB/CIFS messages that indicate an error. This event is triggered -## by an SMB header including a status that signals an error. +## Generated for SMB/CIFS messages that indicate an error. This event is +## triggered by an SMB header including a status that signals an error. ## ## c: The connection. ## @@ -3787,9 +3822,9 @@ event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); ## ## cmd: The SMB command code. ## -## cmd_str: A string mmenonic of the SMB command code. +## cmd_str: A string mnemonic of the SMB command code. ## -## body: The raw SMB message body, i.e., the data starting after the SMB header. +## data: The raw SMB message body, i.e., the data starting after the SMB header. ## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx @@ -3807,7 +3842,8 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: ## Generated for all DNS messages. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3816,7 +3852,7 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: ## ## msg: The parsed DNS message header. ## -## len: The length of the message's raw representation (i.e, the DNS payload). +## len: The length of the message's raw representation (i.e., the DNS payload). ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -3831,7 +3867,8 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &gro ## is raised once for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3855,11 +3892,12 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl ## Generated for DNS replies that reject a query. This event is raised if a DNS ## reply either indicates failure via its status code or does not pass on any -## answers to a query. Note that all of the event's paramaters are parsed out of +## answers to a query. Note that all of the event's parameters are parsed out of ## the reply; there's no stateful correlation with the query. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3884,7 +3922,8 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc ## Generated for DNS replies with an *ok* status code but no question section. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -3907,7 +3946,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc event dns_query_reply%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; -## Generated when the DNS analyzer processes what seems to be a non-DNS packets. +## Generated when the DNS analyzer processes what seems to be a non-DNS packet. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3922,7 +3961,8 @@ event non_dns_request%(c: connection, msg: string%) &group="dns"; ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3942,11 +3982,12 @@ event non_dns_request%(c: connection, msg: string%) &group="dns"; ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; -## Generated for DNS replies of type *AAAA*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *AAAA*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -3970,7 +4011,8 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &g ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3994,7 +4036,8 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &gro ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4018,7 +4061,8 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4042,7 +4086,8 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4066,7 +4111,8 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4075,7 +4121,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## ## ans: The type-independent part of the parsed answer record. ## -## soa: The parsed SOA value +## soa: The parsed SOA value. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply @@ -4086,11 +4132,12 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns"; -## Generated for DNS replies of type *WKS*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *WKS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4108,11 +4155,12 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa% ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; -## Generated for DNS replies of type *HINFO*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *HINFO*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4121,8 +4169,6 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## ## ans: The type-independent part of the parsed answer record. ## -## name: The name returned by the reply. -## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered @@ -4136,7 +4182,8 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4147,7 +4194,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## ## name: The name returned by the reply. ## -## preference: The preference for *name* specificed by the reply. +## preference: The preference for *name* specified by the reply. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply @@ -4158,11 +4205,12 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns"; -## Generated for DNS replies of type *TXT*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *TXT*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4182,11 +4230,12 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns"; -## Generated for DNS replies of type *SRV*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *SRV*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4204,11 +4253,12 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; -## Generated for DNS replies of type *EDNS*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *EDNS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
@@ -4226,11 +4276,12 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns"; -## Generated for DNS replies of type *TSIG*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *TSIG*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4253,7 +4304,8 @@ event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &gr ## all resource records have been passed on. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4272,12 +4324,12 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns"; ## Generated for DHCP messages of type *discover*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## req_addr: The specific address requested by the client. ## 
@@ -4289,9 +4341,9 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns"; ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4302,16 +4354,18 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); ## Generated for DHCP messages of type *offer*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## mask: The subnet mask specified by the mesage. +## msg: TODO. +## +## mask: The subnet mask specified by the message. ## ## router: The list of routers specified by the message. ## -## lease: The least interval specificed by the message. +## lease: The least interval specified by the message. ## ## serv_addr: The server address specified by the message. ## 
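Review bot: The new `msg` entry added for dhcp_offer is left as a placeholder, `## msg: TODO.`, while the sibling DHCP events touched by this same patch describe the identical parameter; reusing that line, `## msg: The parsed type-independent part of the DHCP message.`, keeps the generated documentation consistent and avoids shipping a TODO into it. The `lease` entry on the same hunk also still reads `least interval` after the spelling fix on that line; given the parameter name, `## lease: The lease interval specified by the message.` is presumably what was meant. The same `least interval` wording survives in the dhcp_ack hunk further down (the hunk headed `@@ -4393,18 +4447,18 @@`). The dhcp_offer description continues past the end of this hunk.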
@@ -4322,9 +4376,9 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4335,12 +4389,12 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## Generated for DHCP messages of type *request*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## req_addr: The client address specified by the message. ## 
@@ -4353,9 +4407,9 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4366,12 +4420,12 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add ## Generated for DHCP messages of type *decline*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -4380,9 +4434,9 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4393,18 +4447,18 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *acknowledgment*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## -## mask: The subnet mask specified by the mesage. +## mask: The subnet mask specified by the message. ## ## router: The list of routers specified by the message. ## -## lease: The least interval specificed by the message. +## lease: The least interval specified by the message. ## ## serv_addr: The server address specified by the message. ## 
@@ -4415,9 +4469,9 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4428,12 +4482,12 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li ## Generated for DHCP messages of type *negative acknowledgment*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -4442,9 +4496,9 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4455,12 +4509,12 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *release*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -4469,9 +4523,9 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4482,12 +4536,12 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *inform*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply 
@@ -4496,9 +4550,9 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4506,13 +4560,13 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event dhcp_inform%(c: connection, msg: dhcp_msg%); -## Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. This event -## is generated as soon as a request's initial line has been parsed, and before any -## :bro:id:`http_header` events are raised. +## Generated for HTTP requests. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a request's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## 
@@ -4529,13 +4583,13 @@ event dhcp_inform%(c: connection, msg: dhcp_msg%); ## truncate_http_URI event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; -## Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. This event -## is generated as soon as a reply's initial line has been parsed, and before any -## :bro:id:`http_header` events are raised. +## Generated for HTTP replies. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a reply's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## @@ -4550,11 +4604,12 @@ event http_request%(c: connection, method: string, original_URI: string, unescap ## http_stats event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; -## Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. +## Generated for HTTP headers. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## 
@@ -4568,41 +4623,44 @@ event http_reply%(c: connection, version: string, code: count, reason: string%) ## http_entity_data http_event http_message_done http_reply http_request ## http_stats ## -## .. note:: This event is also raised for headers found in nested body entities. +## .. note:: This event is also raised for headers found in nested body +## entities. event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; -## Generated for HTTP headers, passing on all headers of an HTTP message at once. -## Bro supports persistent and pipelined HTTP sessions and raises corresponding -## events as it parses client/server dialogues. +## Generated for HTTP headers, passing on all headers of an HTTP message at +## once. Bro supports persistent and pipelined HTTP sessions and raises +## corresponding events as it parses client/server dialogues. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## ## is_orig: True if the header was sent by the originator of the TCP connection. ## ## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, 2 for the -## second, etc.). +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). ## ## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats ## -## .. note:: This event is also raised for headers found in nested body entities. +## .. note:: This event is also raised for headers found in nested body +## entities. event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; -## Generated when starting to parse an HTTP body entity. 
This event is generated -## at least once for each non-empty (client or server) HTTP body; and potentially -## more than once if the body contains further nested MIME entities. Bro raises -## this event just before it starts parsing each entity's content. +## Generated when starting to parse an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. Bro raises this event just before it starts parsing each entity's +## content. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data 
@@ -4610,17 +4668,18 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) ## mime_begin_entity event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; -## Generated when finishing parsing an HTTP body entity. This event is generated -## at least once for each non-empty (client or server) HTTP body; and potentially -## more than once if the body contains further nested MIME entities. Bro raises -## this event at the point when it has finished parsing an entity's content. +## Generated when finishing parsing an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. Bro raises this event at the point when it has finished parsing an +## entity's content. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data 
@@ -4633,18 +4692,18 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; ## chunk of the data of not further defined size. ## ## A common idiom for using this event is to first *reassemble* the data -## at the scripting layer by concatening it to a successvily growing +## at the scripting layer by concatenating it to a successively growing ## string; and only perform further content analysis once the corresponding -## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so +## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so ## can be quite expensive for HTTP tranders. At the very least, one should ## impose an upper size limit on how much data is being buffered. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## length: The length of *data*. 
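Review bot: The context line `## can be quite expensive for HTTP tranders.` still carries a spelling error although the commit sets out to fix those and already touches the lines around it; presumably `transfers` is meant. While here, the advice to impose an upper size limit would benefit from its reason being spelled out: the string being concatenated comes straight off the wire, so a script that buffers without a cap lets the peer decide how large that string grows. A one-line addition such as `## Without such a limit, a large body can exhaust memory at the script layer.` makes the caveat concrete for handler authors.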
@@ -4656,17 +4715,17 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; ## mime_entity_data http_entity_data_delivery_size skip_http_data event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; -## Generated for reporting an HTTP bodie's content type. This event is +## Generated for reporting an HTTP body's content type. This event is ## generated at the end of parsing an HTTP header, passing on the MIME ## type as specified by the ``Content-Type`` header. If that header is ## missing, this event is still raised with a default value of ``text/plain``. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## ty: The main type. @@ -4688,12 +4747,12 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string ## message have been processed (and their corresponding ``http_entity_*`` events ## generated). ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## stat: Further meta information about the message. 
@@ -4704,13 +4763,13 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) ## Generated for errors found when decoding HTTP requests or replies. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## event_type: A string describing the general category of the problem found (e.g., -## ``illegal format``). +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). ## ## detail: Further more detailed description of the error. ## @@ -4725,17 +4784,18 @@ event http_event%(c: connection, event_type: string, detail: string%); ## ## c: The connection. ## -## stats: Statistics summarizing HTTP-level properties of the finished connection. +## stats: Statistics summarizing HTTP-level properties of the finished +## connection. ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply ## http_request event http_stats%(c: connection, stats: http_stats_rec%); -## Generated when seeing an SSH client's version identification. The SSH protocol -## starts with a clear-test handshake message that reports client and server -## protocol/software versions. This event provides access to what the client -## sent. +## Generated when seeing an SSH client's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## client sent. ## ## ## See `Wikipedia `__ for more 
@@ -4747,14 +4807,14 @@ event http_stats%(c: connection, stats: http_stats_rec%); ## ## .. bro:see:: ssh_server_version ## -## .. note:: As everything after the initial version handshake proceeds encrypted, -## Bro cannot further analyze SSH sessions. +## .. note:: As everything after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. event ssh_client_version%(c: connection, version: string%); -## Generated when seeing an SSH server's version identification. The SSH protocol -## starts with a clear-test handshake message that reports client and server -## protocol/software versions. This event provides access to what the server -## sent. +## Generated when seeing an SSH server's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## server sent. ## ## See `Wikipedia `__ for more ## information about the SSH protocol. 
@@ -4772,53 +4832,53 @@ event ssh_server_version%(c: connection, version: string%); ## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions ## start with an unencrypted handshake, and Bro extracts as much information out -## that it as it can. This event provides access to the initial information sent by -## the client. +## of that as it can. This event provides access to the initial information +## sent by the client. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. ## ## c: The connection. ## -## version: The protocol version as extracted from the client's -## message. The values are standardized as part of the SSL/TLS protocol. The +## version: The protocol version as extracted from the client's message. The +## values are standardized as part of the SSL/TLS protocol. The ## :bro:id:`SSL::version_strings` table maps them to descriptive names. ## -## possible_ts: The current time as sent by the client. Note that SSL/TLS does not -## require clocks to be set correctly, so treat with care. +## possible_ts: The current time as sent by the client. Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. ## ## session_id: The session ID sent by the client (if any). ## ## ciphers: The list of ciphers the client offered to use. The values are -## standardized as part of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table -## maps them to descriptive names. +## standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. ## ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); -## Generated for an SSL/TLS servers's initial *hello* message. SSL/TLS sessions +## Generated for an SSL/TLS server's initial *hello* message. 
SSL/TLS sessions ## start with an unencrypted handshake, and Bro extracts as much information out -## of that as it can. This event provides access to the initial information sent by -## the client. +## of that as it can. This event provides access to the initial information +## sent by the client. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. ## ## c: The connection. ## -## version: The protocol version as extracted from the servers's message. +## version: The protocol version as extracted from the server's message. ## The values are standardized as part of the SSL/TLS protocol. The ## :bro:id:`SSL::version_strings` table maps them to descriptive names. ## -## possible_ts: The current time as sent by the server. Note that SSL/TLS does not -## require clocks to be set correctly, so treat with care. +## possible_ts: The current time as sent by the server. Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. ## ## session_id: The session ID as sent back by the server (if any). ## ## cipher: The cipher chosen by the server. The values are standardized as part -## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps them to -## descriptive names. +## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps +## them to descriptive names. ## ## comp_method: The compression method chosen by the client. The values are ## standardized as part of the SSL/TLS protocol. 
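Review bot: The rewrapped description of `ssl_server_hello` still says the event `provides access to the initial information sent by the client`, text copied from `ssl_client_hello` and wrong for a server hello; it should read `sent by the server`. The same copy-paste shows in the context line `comp_method: The compression method chosen by the client.` — in the server hello it is the server that picks the compression method, exactly as the entry `cipher: The cipher chosen by the server.` two items above already states. Both are one-word fixes inside this hunk.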
@@ -4827,18 +4887,18 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); -## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions -## start with an unencrypted handshake, and Bro extracts as much information out of -## that as it can. This event provides access to any extensions either side sents -## as part of extended *hello* message. +## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS +## sessions start with an unencrypted handshake, and Bro extracts as much +## information out of that as it can. This event provides access to any +## extensions either side sends as part of an extended *hello* message. ## ## c: The connection. ## ## is_orig: True if event is raised for originator side of the connection. ## ## code: The numerical code of the extension. The values are standardized as -## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps them to -## descriptive names. +## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps +## them to descriptive names. ## ## val: The raw extension value that was sent in the message. ## 
@@ -4847,10 +4907,10 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, sessio event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with -## an unencrypted handshake, and Bro extracts as much information out of that as -## it can. This event signals the time when an SSL/TLS has finished the handshake -## and its endpoints consider it as fully established. Typically, everything from -## now on will be encrypted. +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event signals the time when an SSL/TLS has finished the +## handshake and its endpoints consider it as fully established. Typically, +## everything from now on will be encrypted. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. @@ -4861,11 +4921,11 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_established%(c: connection%); -## Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted -## handshake, and Bro extracts as much information out of that as it can. If during -## that handshake, an endpoint encounteres a fatal error, it sends an *alert* -## record, that it turns triggers this event. After an *alert*, any endpoint -## may close the connection immediately. +## Generated for SSL/TLS alert records. SSL/TLS sessions start with an +## unencrypted handshake, and Bro extracts as much information out of that as +## it can. If during that handshake, an endpoint encounters a fatal error, it +## sends an *alert* record, that in turn triggers this event. After an *alert*, +## any endpoint may close the connection immediately. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. 
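Review bot: The rewrapped sentence `This event signals the time when an SSL/TLS has finished the handshake` is missing the noun after SSL/TLS; `an SSL/TLS session has finished the handshake` reads correctly. The rest of the rewrap is fine.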
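Review bot: The description of `ssl_alert` ties the event to a fatal error (`an endpoint encounters a fatal error, it sends an *alert* record`), yet the event declaration carries a `level: count` parameter, which suggests warning-level alerts arrive through the same event. If that is so, a detection script relying on this text would wrongly assume every `ssl_alert` means the handshake was aborted; wording such as `If during that handshake an endpoint encounters a problem, it sends an *alert* record (of warning or fatal level), which in turn triggers this event.` would be accurate. Please confirm against the analyzer which levels actually reach script-land. The `level` and `desc` parameter descriptions lie past the end of this hunk.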
@@ -4884,12 +4944,12 @@ event ssl_established%(c: connection%); ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); -## Generated for SSL/TLS handshake messages that are a part of the stateless-server -## session resumption mechanism. SSL/TLS sessions start with an unencrypted -## handshake, and Bro extracts as much information out of that as it can. This -## event is raised when an SSL/TLS server passes session ticket to the client that -## can later be used for resuming the session. The mechanism is described in -## :rfc:`4507` +## Generated for SSL/TLS handshake messages that are a part of the +## stateless-server session resumption mechanism. SSL/TLS sessions start with +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event is raised when an SSL/TLS server passes a session +## ticket to the client that can later be used for resuming the session. The +## mechanism is described in :rfc:`4507` ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. 
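Review bot: The rewrapped last sentence of the `ssl_session_ticket_handshake` description, ending in the RFC 4507 reference, lost its terminating period. RFC 4507 has also been obsoleted by RFC 5077 (2008), so it may be worth pointing the `:rfc:` role at the current document, or at least noting the successor, while touching this line.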
@@ -4905,13 +4965,13 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); ## x509_certificate x509_error x509_extension ssl_alert event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); -## Generated for x509 certificates seen in SSL/TLS connections. During the initial -## SSL/TLS handshake, certificates are exchanged in the clear. Bro raises this -## event for each certificate seen (including both a site's primary cert, and -## further certs sent as part of the validation chain). +## Generated for X509 certificates seen in SSL/TLS connections. During the +## initial SSL/TLS handshake, certificates are exchanged in the clear. Bro +## raises this event for each certificate seen (including both a site's primary +## cert, and further certs sent as part of the validation chain). ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## @@ -4920,7 +4980,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## cert: The parsed certificate. ## ## chain_idx: The index in the validation chain that this cert has. Index zero -## indicates an endpoints primary cert, while higher indices +## indicates an endpoint's primary cert, while higher indices ## indicate the place in the validation chain (which has length ## *chain_len*). ## 
@@ -4928,16 +4988,17 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## of. ## ## der_cert: The complete cert encoded in `DER -## `__ format. +## `__ +## format. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_server_hello x509_error x509_extension x509_verify event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%); -## Generated for X.509 extensions seen in a certificate. +## Generated for X509 extensions seen in a certificate. ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## @@ -4949,17 +5010,17 @@ event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: cou ## ssl_server_hello x509_certificate x509_error x509_verify event x509_extension%(c: connection, is_orig: bool, data: string%); -## Generated when errors occur during parsing an X.509 certificate. +## Generated when errors occur during parsing an X509 certificate. ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## ## is_orig: True if event is raised for originator side of the connection. ## -## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` maps -## error codes to a textual description. +## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` +## maps error codes to a textual description. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify 
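Review bot: The summary for `x509_extension` is changed from `X.509 extensions` to `X509 extensions`, yet the link text two lines down still says `about the X.509 format`, and the following hunk makes the same split for `x509_error`. `X.509` is the standard's name (the `x509_*` spelling belongs to the event identifiers), so the summaries should keep `X.509` rather than the other way round: `## Generated for X.509 extensions seen in a certificate.` and `## Generated when errors occur during parsing an X.509 certificate.`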
@@ -5022,16 +5083,16 @@ event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## Generated for NCP requests (Netware Core Protocol). ## -## See `Wikipedia `__ for more -## information about the NCP protocol. +## See `Wikipedia `__ for +## more information about the NCP protocol. ## ## c: The connection. ## ## frame_type: The frame type, as specified by the protocol. ## -## length: The length of the request body, excluding the frame header, +## length: The length of the request body, excluding the frame header. ## -## func: The requested function, as specified by the protocol. +## func: The requested function, as specified by the protocol. ## ## .. bro:see:: ncp_reply ## @@ -5043,20 +5104,20 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count% ## Generated for NCP replies (Netware Core Protocol). ## -## See `Wikipedia `__ for more -## information about the NCP protocol. +## See `Wikipedia `__ for +## more information about the NCP protocol. ## ## c: The connection. ## ## frame_type: The frame type, as specified by the protocol. ## -## length: The length of the request body, excluding the frame header, +## length: The length of the request body, excluding the frame header. ## ## req_frame: The frame type from the corresponding request. ## -## req_frame: The function code from the corresponding request. +## req_func: The function code from the corresponding request. ## -## completion_code: The replie's completion code, as specified by the protocol. +## completion_code: The reply's completion code, as specified by the protocol. ## ## .. bro:see:: ncp_request ## 
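Review bot: In `ncp_reply` the parameter line `length: The length of the request body, excluding the frame header.` describes a request although this is the reply event; presumably the reply body is meant, as the `completion_code` entry below correctly speaks of `The reply's completion code`. Suggested: `## length: The length of the reply body, excluding the frame header.` The renaming of the duplicated `req_frame` entry to `req_func` in this hunk looks right.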
@@ -5068,12 +5129,13 @@ event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: cou ## Generated for client-side commands on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## -## is_orig: True if the command was sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## command: The command sent. ## @@ -5091,24 +5153,23 @@ event pop3_request%(c: connection, is_orig: bool, ## Generated for server-side replies to commands on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## -## is_orig: True if the command was sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## cmd: The success indicator sent by the server. This corresponds to the ## first token on the line sent, and should be either ``OK`` or ``ERR``. ## ## msg: The textual description the server sent along with *cmd*. ## -## arg: The argument to the command. -## ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request ## pop3_terminate pop3_unexpected ## -## .. todo: This event is receiving odd parameters, should unify. +## .. todo:: This event is receiving odd parameters, should unify. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
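Review bot: `pop3_reply` is documented as `server-side replies`, but its rewrapped `is_orig` entry keeps the generic `True if the command was sent by the originator of the TCP connection.`, which is both the wrong noun (a reply, not a command) and at odds with `pop3_login_failure` further down, whose `is_orig` entry reads `Always false.` If the analyzer only raises this event for server output, `## is_orig: Always false.` would be the consistent description; otherwise `## is_orig: True if the reply was sent by the originator of the TCP connection.` — please confirm which applies.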
@@ -5116,13 +5177,13 @@ event pop3_request%(c: connection, is_orig: bool, ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); -## Generated for server-side multi-lines responses on POP3 connections. POP3 -## connection use multi-line responses to send buld data, such as the actual +## Generated for server-side multi-line responses on POP3 connections. POP3 +## connections use multi-line responses to send bulk data, such as the actual ## mails. This event is generated once for each line that's part of such a ## response. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5139,12 +5200,12 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pop3_data%(c: connection, is_orig: bool, data: string%); -## Generated for errors encountered on POP3 sessions. If the POP3 analyzers finds -## state transition that do not confirm to the protocol specification, or other -## situations it can't handle, it raises this event. +## Generated for errors encountered on POP3 sessions. If the POP3 analyzer +## finds state transitions that do not conform to the protocol specification, +## or other situations it can't handle, it raises this event. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## 
@@ -5164,13 +5225,13 @@ event pop3_data%(c: connection, is_orig: bool, data: string%); event pop3_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); -## Generated when POP3 connection go encrypted. While POP3 is by default a +## Generated when a POP3 connection goes encrypted. While POP3 is by default a ## clear-text protocol, extensions exist to switch to encryption. This event is -## generated if that happens and the analyzers then stops processing the +## generated if that happens and the analyzer then stops processing the ## connection. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5192,8 +5253,8 @@ event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## Generated for successful authentications on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5216,15 +5277,15 @@ event pop3_login_success%(c: connection, is_orig: bool, ## Generated for unsuccessful authentications on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## ## is_orig: Always false. ## -## user: The user name attempted for authentication. The event is only generated if -## a non-empty user name was used. +## user: The user name attempted for authentication. The event is only +## generated if a non-empty user name was used. ## ## password: The password attempted for authentication. ## 
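Review bot: `password: The password attempted for authentication.` hands a live credential to script-land with no caveat, and this page itself notes that POP3 is a clear-text protocol by default, so the value is the user's actual password as seen on the wire. A short note for handler authors would be worth adding here, e.g. `## .. note:: *password* is the clear-text credential observed on the wire; avoid writing it to logs or forwarding it unredacted.` The same applies to `pop3_login_success`, whose parameter list lies outside the preceding hunk.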
@@ -5261,9 +5322,9 @@ event pop3_login_failure%(c: connection, is_orig: bool, ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response ## irc_part_message irc_password_message ## -## .. note:: This event is generated only for message that originate at the -## clients-side. Commands coming in from remote trigger the ge:bro:id:`irc_message` -## event instead. +## .. note:: This event is generated only for messages that originate +## at the client-side. Commands coming in from remote trigger +## the :bro:id:`irc_message` event instead. event irc_request%(c: connection, is_orig: bool, prefix: string, command: string, arguments: string%); @@ -5275,9 +5336,10 @@ event irc_request%(c: connection, is_orig: bool, prefix: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## prefix: The optional prefix comming with the reply. IRC uses the prefix to +## prefix: The optional prefix coming with the reply. IRC uses the prefix to ## indicate the true origin of a message. ## ## code: The reply code, as specified by the protocol. @@ -5306,7 +5368,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string, ## ## command: The command. ## -## arguments: The arguments for the command. +## message: TODO. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message 
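Review bot: Replacing `arguments: The arguments for the command.` with `message: TODO.` corrects the parameter name (the declaration in the next hunk reads `message: string`) but leaves the parameter with no description in the generated documentation. Unless the old text was wrong rather than merely misnamed, keep it under the new name, e.g. `## message: The arguments for the command, as forwarded by the server.`, and confirm against the IRC analyzer what it actually places in *message*.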
@@ -5317,22 +5379,23 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string, ## .. note:: ## ## This event is generated only for messages that are forwarded by the server -## to the client. Commands coming from client trigger the :bro:id:`irc_request` -## event instead. +## to the client. Commands coming from client trigger the +## :bro:id:`irc_request` event instead. event irc_message%(c: connection, is_orig: bool, prefix: string, command: string, message: string%); -## Generated for IRC messages of type *quit*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *quit*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name coming with the message. +## nick: The nickname coming with the message. ## ## message: The text included with the message. ## @@ -5343,15 +5406,16 @@ event irc_message%(c: connection, is_orig: bool, prefix: string, ## irc_part_message irc_password_message event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%); -## Generated for IRC messages of type *privmsg*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *privmsg*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## 
@@ -5375,7 +5439,8 @@ event irc_privmsg_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## @@ -5399,7 +5464,8 @@ event irc_notice_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## @@ -5423,12 +5489,11 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## info_list: The user information coming with the command. ## -## message: The text of communication. -## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message 
@@ -5436,15 +5501,16 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string, ## irc_password_message event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%); -## Generated for IRC messages of type *part*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *part*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## nick: The nickname coming with the message. ## @@ -5460,15 +5526,16 @@ event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%) event irc_part_message%(c: connection, is_orig: bool, nick: string, chans: string_set, message: string%); -## Generated for IRC messages of type *nick*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *nick*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## who: The user changing its nickname. ## 
@@ -5488,7 +5555,8 @@ event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: stri ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invite_message irc_join_message irc_kick_message @@ -5504,7 +5572,8 @@ event irc_invalid_nick%(c: connection, is_orig: bool%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## users: The number of users as returned in the reply. ## @@ -5527,7 +5596,8 @@ event irc_network_info%(c: connection, is_orig: bool, users: count, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## users: The number of users as returned in the reply. ## @@ -5550,7 +5620,8 @@ event irc_server_info%(c: connection, is_orig: bool, users: count, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## chans: The number of channels as returned in the reply. ## @@ -5568,9 +5639,10 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## target_nick: The target nick name. +## target_nick: The target nickname. ## ## channel: The channel. ## 
@@ -5580,7 +5652,7 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%); ## ## server: The server. ## -## nick: The nick name. +## nick: The nickname. ## ## params: The parameters. ## @@ -5606,7 +5678,8 @@ event irc_who_line%(c: connection, is_orig: bool, target_nick: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## c_type: The channel type. ## @@ -5629,9 +5702,10 @@ event irc_names_info%(c: connection, is_orig: bool, c_type: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name specified in the reply. +## nick: The nickname specified in the reply. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message @@ -5647,9 +5721,10 @@ event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name specified in the reply. +## nick: The nickname specified in the reply. ## ## chans: The set of channels returned. ## 
@@ -5668,16 +5743,15 @@ event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
 ##
 ## c: The connection.
 ##
-## is_orig: True if the command what sent by the originator of the TCP connection.
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
 ##
-## nick: The nick name specified in the reply.
+## nick: The nickname specified in the reply.
 ##
 ## user: The user name specified in the reply.
 ##
 ## host: The host name specified in the reply.
 ##
-## user: The user name specified in the reply.
-##
 ## real_name: The real name specified in the reply.
 ##
 ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
@@ -5695,7 +5769,8 @@ event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
 ##
 ## c: The connection.
 ##
-## is_orig: True if the command what sent by the originator of the TCP connection.
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
 ##
 ## got_oper: True if the *oper* command was executed successfully
 ## (*youreport*) and false otherwise (*nooperhost*).
@@ -5714,7 +5789,8 @@ event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
 ##
 ## c: The connection.
 ##
-## is_orig: True if the command what sent by the originator of the TCP connection.
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
 ##
 ## prefix: The optional prefix coming with the command. IRC uses the prefix to
 ## indicate the true origin of a message.
@@ -5735,6 +5811,9 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## channel: The channel name specified in the reply.
 ##
 ## topic: The topic specified in the reply.
@@ -5746,15 +5825,16 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin
 ## irc_password_message
 event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
-## Generated for IRC messages of type *who*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *who*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
-## is_orig: True if the command what sent by the originator of the TCP connection.
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
 ##
 ## mask: The mask specified in the message.
 ##
@@ -5767,15 +5847,20 @@ event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: s
 ## irc_part_message irc_password_message
 event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
-## Generated for IRC messages of type *whois*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *whois*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
 ##
+## server: TODO.
+##
+## users: TODO.
 ##
 ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
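Review bot: The `server: TODO.` and `users: TODO.` lines added to the irc_whois_message description are placeholders rather than documentation, and the event signature shown as context at the start of the next hunk declares both as `string`, so a reader still learns nothing about what either carries. If the meaning cannot be confirmed from the IRC analyzer now, the placeholder should at least state what is unknown, e.g. `server: TODO (string; meaning not yet verified against the IRC analyzer).`, so the gap is not mistaken for a finished entry. The same pattern is introduced by later hunks of this file for OS_version_found (`## TODO.`) and remote_event_registered (`name: TODO.`).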
@@ -5784,14 +5869,17 @@ event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
 ## irc_part_message irc_password_message
 event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);
-## Generated for IRC messages of type *oper*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *oper*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## user: The user specified in the message.
 ##
 ## password: The password specified in the message.
@@ -5803,14 +5891,17 @@ event irc_whois_message%(c: connection, is_orig: bool, server: string, users: st
 ## irc_password_message
 event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);
-## Generated for IRC messages of type *kick*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *kick*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## prefix: The optional prefix coming with the command. IRC uses the prefix to
 ## indicate the true origin of a message.
 ##
@@ -5828,14 +5919,17 @@ event irc_oper_message%(c: connection, is_orig: bool, user: string, password: st
 event irc_kick_message%(c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string%);
-## Generated for IRC messages of type *error*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *error*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## prefix: The optional prefix coming with the command. IRC uses the prefix to
 ## indicate the true origin of a message.
 ##
@@ -5856,10 +5950,13 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: 
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## prefix: The optional prefix coming with the command. IRC uses the prefix to
 ## indicate the true origin of a message.
 ##
-## nickname: The nick name specified in the message.
+## nickname: The nickname specified in the message.
 ##
 ## channel: The channel specified in the message.
 ##
@@ -5871,14 +5968,17 @@ event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
 nickname: string, channel: string%);
-## Generated for IRC messages of type *mode*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *mode*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## prefix: The optional prefix coming with the command. IRC uses the prefix to
 ## indicate the true origin of a message.
 ##
@@ -5891,20 +5991,23 @@ event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
 ## irc_password_message
 event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);
-## Generated for IRC messages of type *squit*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *squit*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## prefix: The optional prefix coming with the command. IRC uses the prefix to
 ## indicate the true origin of a message.
 ##
 ## server: The server specified in the message.
 ##
-## messate: The textual description specified in the message.
+## message: The textual description specified in the message.
 ##
 ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
@@ -5914,14 +6017,17 @@ event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: st
 event irc_squit_message%(c: connection, is_orig: bool, prefix: string, server: string, message: string%);
-## Generated for IRC messages of type *dcc*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *dcc*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## prefix: The optional prefix coming with the command. IRC uses the prefix to
 ## indicate the true origin of a message.
 ##
@@ -5947,14 +6053,17 @@ event irc_dcc_message%(c: connection, is_orig: bool, dcc_type: string,
 argument: string, address: addr, dest_port: count, size: count%);
-## Generated for IRC messages of type *user*. This event is generated for messages
-## coming from both the client and the server.
+## Generated for IRC messages of type *user*. This event is generated for
+## messages coming from both the client and the server.
 ##
 ## See `Wikipedia `__ for more
 ## information about the IRC protocol.
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## user: The user specified in the message.
 ##
 ## host: The host name specified in the message.
@@ -5978,6 +6087,9 @@ event irc_user_message%(c: connection, is_orig: bool, user: string, host: string
 ##
 ## c: The connection.
 ##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
 ## password: The password specified in the message.
 ##
 ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
@@ -5989,7 +6101,6 @@ event irc_password_message%(c: connection, is_orig: bool, password: string%);
 ## TODO.
 ##
-## .. bro:see::
 event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
 ## Generated for monitored Syslog messages.
@@ -6005,13 +6116,14 @@ event file_transferred%(c: connection, prefix: string, descr: string, mime_type:
 ##
 ## msg: The message logged.
 ##
-## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP syslog
-## will be added soon.
+## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP
+## syslog will be added soon.
 event syslog_message%(c: connection, facility: count, severity: count, msg: string%);
-## Generated when a signature matches. Bro's signature engine provide
-## high-performance pattern matching separately from the normal script processing.
-## If a signature with an ``event`` action matches, this event is raised.
+## Generated when a signature matches. Bro's signature engine provides
+## high-performance pattern matching separately from the normal script
+## processing. If a signature with an ``event`` action matches, this event is
+## raised.
 ##
 ## See the :doc:`user manual ` for more information about Bro's
 ## signature engine.
@@ -6021,10 +6133,10 @@ event syslog_message%(c: connection, facility: count, severity: count, msg: stri
 ##
 ## msg: The message passed to the ``event`` signature action.
 ##
-## data; The last chunk of input that triggered the match. Note that the specifics
-## here are no well-defined as Bro does not buffer any input. If a match is split
-## across packet boundaries, only the last chunk triggering the will be passed on
-## to the event.
+## data: The last chunk of input that triggered the match. Note that the
+## specifics here are not well-defined as Bro does not buffer any input.
+## If a match is split across packet boundaries, only the last chunk
+## triggering the match will be passed on to the event.
 event signature_match%(state: signature_state, msg: string, data: string%);
 ## Generated when a protocol analyzer finds an identification of a software
@@ -6039,25 +6151,26 @@ event signature_match%(state: signature_state, msg: string, data: string%);
 ##
 ## s: A description of the software found.
 ##
-## descr: The raw (unparsed) software identification string as extracted from the
-## protocol.
+## descr: The raw (unparsed) software identification string as extracted from
+## the protocol.
 ##
 ## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found
 event software_version_found%(c: connection, host: addr, s: software, descr: string%);
-## Generated when a protocol analyzer finds an identification of a software used on
-## a system but cannot parse it. This is a protocol-independent event that is fed
-## by different analyzers. For example, the HTTP analyzer reports user-agent and
-## server software by raising this event if it cannot parse them directly (if canit
-## :bro:id:`software_version_found` will be generated instead).
+## Generated when a protocol analyzer finds an identification of a software
+## used on a system but cannot parse it. This is a protocol-independent event
+## that is fed by different analyzers. For example, the HTTP analyzer reports
+## user-agent and server software by raising this event if it cannot parse them
+## directly (if it can :bro:id:`software_version_found` will be generated
+## instead).
 ##
 ## c: The connection.
 ##
 ## host: The host running the reported software.
 ##
-## descr: The raw (unparsed) software identification string as extracted from the
-## protocol.
+## descr: The raw (unparsed) software identification string as extracted from
+## the protocol.
 ##
 ## .. bro:see:: software_version_found software_unparsed_version_found
 ## OS_version_found
@@ -6075,7 +6188,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ##
 ## host: The host running the reported software.
 ##
-## descr: The software identification string as extracted from the protocol.
+## str: The software identification string as extracted from the protocol.
 ##
 ## .. bro:see:: software_parse_error software_version_found OS_version_found
 event software_unparsed_version_found%(c: connection, host: addr, str: string%);
@@ -6085,14 +6198,16 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 ## and it raises this event for each system identified. The p0f fingerprints are
 ## defined by :bro:id:`passive_fingerprint_file`.
 ##
+## TODO.
+##
 ## .. bro:see:: passive_fingerprint_file software_parse_error
 ## software_version_found software_unparsed_version_found
 ## generate_OS_version_event
 event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 ## Generated when a connection to a remote Bro has been established. This event
-## is intended primarily for use by Bro's communication framework, but it can also
-## trigger additional code if helpful.
+## is intended primarily for use by Bro's communication framework, but it can
+## also trigger additional code if helpful.
 ##
 ## p: A record describing the peer.
 ##
@@ -6113,9 +6228,9 @@ event remote_connection_established%(p: event_peer%);
 ## remote_state_inconsistency print_hook
 event remote_connection_closed%(p: event_peer%);
-## Generated when a remote connection's initial handshake has been completed. This
-## event is intended primarily for use by Bro's communication framework, but it can
-## also trigger additional code if helpful.
+## Generated when a remote connection's initial handshake has been completed.
+## This event is intended primarily for use by Bro's communication framework,
+## but it can also trigger additional code if helpful.
 ##
 ## p: A record describing the peer.
 ##
@@ -6130,6 +6245,8 @@ event remote_connection_handshake_done%(p: event_peer%);
 ##
 ## p: A record describing the peer.
 ##
+## name: TODO.
+##
 ## .. bro:see:: remote_capture_filter remote_connection_closed
 ## remote_connection_error remote_connection_established
 ## remote_connection_handshake_done remote_log remote_pong
@@ -6137,8 +6254,8 @@ event remote_connection_handshake_done%(p: event_peer%);
 event remote_event_registered%(p: event_peer, name: string%);
 ## Generated when a connection to a remote Bro encountered an error. This event
-## is intended primarily for use by Bro's communication framework, but it can also
-## trigger additional code if helpful.
+## is intended primarily for use by Bro's communication framework, but it can
+## also trigger additional code if helpful.
 ##
 ## p: A record describing the peer.
 ##
@@ -6153,8 +6270,8 @@ event remote_connection_error%(p: event_peer, reason: string%);
 ## Generated when a remote peer sent us a capture filter. While this event is
-## intended primarily for use by Bro's communication framework, it can also trigger
-## additional code if helpful.
+## intended primarily for use by Bro's communication framework, it can also
+## trigger additional code if helpful.
 ##
 ## p: A record describing the peer.
 ##
@@ -6168,8 +6285,8 @@ event remote_capture_filter%(p: event_peer, filter: string%);
 ## Generated after a call to :bro:id:`send_state` when all data has been
 ## successfully sent to the remote side. While this event is
-## intended primarily for use by Bro's communication framework, it can also trigger
-## additional code if helpful.
+## intended primarily for use by Bro's communication framework, it can also
+## trigger additional code if helpful.
 ##
 ## p: A record describing the remote peer.
 ##
@@ -6179,20 +6296,20 @@ event remote_capture_filter%(p: event_peer, filter: string%);
 ## remote_state_access_performed remote_state_inconsistency print_hook
 event finished_send_state%(p: event_peer%);
-## Generated if state synchronization detects an inconsistency. While this event
-## is intended primarily for use by Bro's communication framework, it can also
-## trigger additional code if helpful. This event is only raised if
+## Generated if state synchronization detects an inconsistency. While this
+## event is intended primarily for use by Bro's communication framework, it can
+## also trigger additional code if helpful. This event is only raised if
 ## :bro:id:`remote_check_sync_consistency` is false.
 ##
 ## operation: The textual description of the state operation performed.
 ##
 ## id: The name of the Bro script identifier that was operated on.
 ##
-## expected_old: A textual representation of the value of *id* that was expected to
-## be found before the operation was carried out.
+## expected_old: A textual representation of the value of *id* that was
+## expected to be found before the operation was carried out.
 ##
-## real_old: A textual representation of the value of *id* that was actually found
-## before the operation was carried out. The difference between
+## real_old: A textual representation of the value of *id* that was actually
+## found before the operation was carried out. The difference between
 ## *real_old* and *expected_old* is the inconsistency being reported.
 ##
 ## .. bro:see:: remote_capture_filter remote_connection_closed
@@ -6203,13 +6320,13 @@ event remote_state_inconsistency%(operation: string, id: string,
 expected_old: string, real_old: string%);
 ## Generated for communication log messages. While this event is
-## intended primarily for use by Bro's communication framework, it can also trigger
-## additional code if helpful.
+## intended primarily for use by Bro's communication framework, it can also
+## trigger additional code if helpful.
 ##
 ## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
 ## :bro:id:`REMOTE_LOG_ERROR`.
 ##
-## src: The component of the comminication system that logged the message.
+## src: The component of the communication system that logged the message.
 ## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
 ## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
 ## :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
@@ -6223,8 +6340,8 @@ event remote_state_inconsistency%(operation: string, id: string,
 event remote_log%(level: count, src: count, msg: string%);
 ## Generated for communication log messages. While this event is
-## intended primarily for use by Bro's communication framework, it can also trigger
-## additional code if helpful. This event is equivalent to
+## intended primarily for use by Bro's communication framework, it can also
+## trigger additional code if helpful. This event is equivalent to
 ## :bro:see:`remote_log` except the message is with respect to a certain peer.
 ##
 ## p: A record describing the remote peer.
@@ -6232,7 +6349,7 @@ event remote_log%(level: count, src: count, msg: string%);
 ## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
 ## :bro:id:`REMOTE_LOG_ERROR`.
 ##
-## src: The component of the comminication system that logged the message.
+## src: The component of the communication system that logged the message.
 ## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
 ## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
 ## :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
@@ -6247,12 +6364,12 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
 ## Generated when a remote peer has answered to our ping. This event is part of
 ## Bro's infrastructure for measuring communication latency. One can send a ping
-## by calling :bro:id:`send_ping` and when a corresponding reply is received, this
-## event will be raised.
+## by calling :bro:id:`send_ping` and when a corresponding reply is received,
+## this event will be raised.
 ##
 ## p: The peer sending us the pong.
 ##
-## seq: The sequence number passed to the original :bro:id:`send_ping` call.
+## seq: The sequence number passed to the original :bro:id:`send_ping` call.
 ## The number is sent back by the peer in its response.
 ##
 ## d1: The time interval between sending the ping and receiving the pong. This
@@ -6263,7 +6380,7 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
 ##
 ## d3: The time interval between when the peer's child process received the
 ## ping and when its parent process sent the pong. This is the
-## processing latency at the the peer.
+## processing latency at the peer.
 ##
 ## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
 ## remote_connection_established remote_connection_handshake_done
@@ -6272,8 +6389,8 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
 event remote_pong%(p: event_peer, seq: count, d1: interval, d2: interval, d3: interval%);
-## Generated each time a remote state access has been replayed locally. This event
-## is primarily intended for debugging. measurments.
+## Generated each time a remote state access has been replayed locally. This
+## event is primarily intended for debugging.
 ##
 ## id: The name of the Bro script variable that's being operated on.
 ##
@@ -6287,7 +6404,7 @@ event remote_state_access_performed%(id: string, v: any%);
 ## Generated each time Bro's internal profiling log is updated. The file is
 ## defined by :bro:id:`profiling_file`, and its update frequency by
-## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`.
+## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`.
 ##
 ## f: The profiling file.
 ##
@@ -6299,25 +6416,25 @@ event profiling_update%(f: file, expensive: bool%);
 ## Generated each time Bro's script interpreter opens a file. This event is
 ## triggered only for files opened via :bro:id:`open`, and in particular not for
-## normal log files as created by a log writers.
+## normal log files as created by log writers.
 ##
 ## f: The opened file.
 event file_opened%(f: file%);
-## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises this
-## event whenever it either receives a NetFlow header on the port it's listening
-## on, or reads one from a trace file.
+## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises
+## this event whenever it either receives a NetFlow header on the port it's
+## listening on, or reads one from a trace file.
 ##
 ## h: The parsed NetFlow header.
 ##
 ## .. bro:see:: netflow_v5_record
 event netflow_v5_header%(h: nf_v5_header%);
-## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises this
-## event whenever it either receives a NetFlow record on the port it's listening
-## on, or reads one from a trace file.
+## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises
+## this event whenever it either receives a NetFlow record on the port it's
+## listening on, or reads one from a trace file.
 ##
-## h: The parsed NetFlow header.
+## r: The parsed NetFlow record.
 ##
 ## .. bro:see:: netflow_v5_record
 event netflow_v5_record%(r: nf_v5_record%);
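Review bot: The `## .. bro:see:: netflow_v5_record` line kept as context at the end of the netflow_v5_record description refers to the very event it documents, a defect this commit leaves in place even though it corrects the parameter line (`r:`) right above it. It should read `## .. bro:see:: netflow_v5_header`, mirroring the cross-reference the netflow_v5_header description makes to the record event a few lines earlier in the same hunk.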
@@ -6330,15 +6447,15 @@ event netflow_v5_record%(r: nf_v5_record%);
 ##
 ## msg: The message itself.
 ##
-## location: A (potentially empty) string describing a location associated with the
-## message.
+## location: A (potentially empty) string describing a location associated with
+## the message.
 ##
 ## .. bro:see:: reporter_warning reporter_error Reporter::info Reporter::warning
 ## Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of any
-## reporter event triggers a new reporter message itself, the output will go to
-## ``stderr`` instead.
+## .. note:: Bro will not call reporter events recursively. If the handler of
+## any reporter event triggers a new reporter message itself, the output
+## will go to ``stderr`` instead.
 event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 ## Raised for warnings reported via Bro's reporter framework. Such messages may
@@ -6349,15 +6466,15 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 ##
 ## msg: The warning message.
 ##
-## location: A (potentially empty) string describing a location associated with the
-## warning.
+## location: A (potentially empty) string describing a location associated with
+## the warning.
 ##
 ## .. bro:see:: reporter_info reporter_error Reporter::info Reporter::warning
 ## Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of any
-## reporter event triggers a new reporter message itself, the output will go to
-## ``stderr`` instead.
+## .. note:: Bro will not call reporter events recursively. If the handler of
+## any reporter event triggers a new reporter message itself, the output
+## will go to ``stderr`` instead.
 event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 ## Raised for errors reported via Bro's reporter framework. Such messages may
@@ -6368,15 +6485,15 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 ##
 ## msg: The error message.
 ##
-## location: A (potentially empty) string describing a location associated with the
-## error.
+## location: A (potentially empty) string describing a location associated with
+## the error.
 ##
 ## .. bro:see:: reporter_info reporter_warning Reporter::info Reporter::warning
 ## Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of any
-## reporter event triggers a new reporter message itself, the output will go to
-## ``stderr`` instead.
+## .. note:: Bro will not call reporter events recursively. If the handler of
+## any reporter event triggers a new reporter message itself, the output
+## will go to ``stderr`` instead.
 event reporter_error%(t: time, msg: string, location: string%) &error_handler;
 ## Raised for each policy script loaded by the script interpreter.
From b66b022be0090b1327042953b49b3cbbdc5054f3 Mon Sep 17 00:00:00 2001
From: Daniel Thayer
Date: Wed, 13 Jun 2012 12:21:16 -0500
Subject: [PATCH 2/4] Fix a warning message
When building the docs, a WARNING message was visible. Reworded the doc comment to prevent this warning.
---
 scripts/base/frameworks/communication/main.bro | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro
index b9b15bfd22..ceae357f78 100644
--- a/scripts/base/frameworks/communication/main.bro
+++ b/scripts/base/frameworks/communication/main.bro
@@ -11,7 +11,8 @@ export {
 ## The communication logging stream identifier.
 redef enum Log::ID += { LOG };
- ## Which interface to listen on (``0.0.0.0`` or ``[::]`` are wildcards).
+ ## Which interface to listen on. The addresses ``0.0.0.0`` and ``[::]``
+ ## are wildcards.
 const listen_interface = 0.0.0.0 &redef;
 ## Which port to listen on.
From 22fb039e8384448b94091407ef08c2403f75cfb5 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 13 Jun 2012 16:59:15 -0500
Subject: [PATCH 3/4] Improve an error message in ICMP analyzer.
---
 src/ICMP.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/ICMP.cc b/src/ICMP.cc
index b06c6440e1..b8ddb8a292 100644
--- a/src/ICMP.cc
+++ b/src/ICMP.cc
@@ -64,7 +64,8 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
 break;
 default:
- reporter->InternalError("unexpected IP proto in ICMP analyzer");
+ reporter->InternalError("unexpected IP proto in ICMP analyzer: %d",
+ ip->NextProto());
 break;
 }
From 350c93c136ea0d13273c68ecac31835279e4f1aa Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Fri, 15 Jun 2012 11:22:15 -0500
Subject: [PATCH 4/4] Remove an old, unused diff canonifier.
---
 testing/scripts/doc/example-diff-canonifier.py | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100755 testing/scripts/doc/example-diff-canonifier.py
diff --git a/testing/scripts/doc/example-diff-canonifier.py b/testing/scripts/doc/example-diff-canonifier.py
deleted file mode 100755
index e0b8c110cc..0000000000
--- a/testing/scripts/doc/example-diff-canonifier.py
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/python
-
-import sys
-import re
-
-# MutableVal derivatives (e.g. sets/tables) don't always generate the same
-# ordering in the reST documentation, so just don't bother diffing
-# the places where example.bro uses them.
-
-RE1 = "\d*/tcp"
-RE2 = "tcp port \d*"
-
-for line in sys.stdin.readlines():
- if re.search(RE1, line) is None and re.search(RE2, line) is None:
- print line
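Review bot: The `%d` conversion on the added `InternalError` line assumes `ip->NextProto()` yields a type that promotes to `int`; its return type is not visible in this hunk, so if it is a wider or unsigned type the specifier should be matched to it, and passing `static_cast<int>(ip->NextProto())` would keep `%d` correct for any small integer type and make the intent explicit. It is also worth confirming that this `default:` branch can only be reached through a dispatch bug and never through the contents of a captured packet: if `InternalError` is fatal, a packet-driven path here would let malformed input stop the process, and a protocol-violation or weird report would be the safer choice for that case. The enclosing `DeliverPacket` body starts before and ends after the hunk.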