diff --git a/src/event.bif b/src/event.bif
index a924bf4888..705c66aa6b 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -157,7 +157,7 @@ event new_connection%(c: connection%);
 ## e: The new encapsulation.
 event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
 
-## Generated when reassembly starts for a TCP connection. The event is raised
+## Generated when reassembly starts for a TCP connection. This event is raised
 ## at the moment when Bro's TCP analyzer enables stream reassembly for a
 ## connection.
 ##
@@ -522,7 +522,7 @@ event esp_packet%(p: pkt_hdr%);
 ## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
 event mobile_ipv6_message%(p: pkt_hdr%);
 
-## Genereated for any IPv6 packet encapsulated in a Teredo tunnel.
+## Generated for any IPv6 packet encapsulated in a Teredo tunnel.
 ## See :rfc:`4380` for more information about the Teredo protocol.
 ##
 ## outer: The Teredo tunnel connection.
@@ -532,10 +532,10 @@ event mobile_ipv6_message%(p: pkt_hdr%);
 ## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particular expensive for real-time analysis.
+## it may become particularly expensive for real-time analysis.
 event teredo_packet%(outer: connection, inner: teredo_hdr%);
 
-## Genereated for IPv6 packets encapsulated in a Teredo tunnel that
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
 ## use the Teredo authentication encapsulation method.
 ## See :rfc:`4380` for more information about the Teredo protocol.
 ##
@@ -546,10 +546,10 @@ event teredo_packet%(outer: connection, inner: teredo_hdr%);
 ## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particular expensive for real-time analysis.
+## it may become particularly expensive for real-time analysis.
 event teredo_authentication%(outer: connection, inner: teredo_hdr%);
 
-## Genereated for IPv6 packets encapsulated in a Teredo tunnel that
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
 ## use the Teredo origin indication encapsulation method.
 ## See :rfc:`4380` for more information about the Teredo protocol.
 ##
@@ -560,10 +560,10 @@ event teredo_authentication%(outer: connection, inner: teredo_hdr%);
 ## .. bro:see:: teredo_packet teredo_authentication teredo_bubble
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particular expensive for real-time analysis.
+## it may become particularly expensive for real-time analysis.
 event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
 
-## Genereated for Teredo bubble packets. That is, IPv6 packets encapsulated
+## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated
 ## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`.
 ## See :rfc:`4380` for more information about the Teredo protocol.
 ##
@@ -574,15 +574,15 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
 ## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
-## it may become particular expensive for real-time analysis.
+## it may become particularly expensive for real-time analysis.
 event teredo_bubble%(outer: connection, inner: teredo_hdr%);
 
-## Generated for every packet that has non-empty transport-layer payload. This is a
-## very low-level and expensive event that should be avoided when at all possible.
-## It's usually infeasible to handle when processing even medium volumes of
-## traffic in real-time. It's even worse than :bro:id:`new_packet`. That said, if
-## you work from a trace and want to do some packet-level analysis, it may come in
-## handy.
+## Generated for every packet that has a non-empty transport-layer payload.
+## This is a very low-level and expensive event that should be avoided when
+## at all possible. It's usually infeasible to handle when processing even
+## medium volumes of traffic in real-time. It's even worse than
+## :bro:id:`new_packet`. That said, if you work from a trace and want to
+## do some packet-level analysis, it may come in handy.
 ##
 ## c: The connection the packet is part of.
 ##
@@ -6216,13 +6216,12 @@ event signature_match%(state: signature_state, msg: string, data: string%);
 ##
 ## request_type: The type of the request.
 ##
-## dstaddr: Address that the tunneled traffic should be sent to.
-##
-## dstname: DNS name of the host that the tunneled traffic should be sent to.
+## sa: Address that the tunneled traffic should be sent to.
 ##
 ## p: The destination port for the proxied traffic.
 ##
-## user: Username given for the SOCKS connection. This is not yet implemented for SOCKSv5.
+## user: Username given for the SOCKS connection. This is not yet implemented
+## for SOCKSv5.
 event socks_request%(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string%);
 
 ## Generated when a SOCKS reply is analyzed.
@@ -6233,9 +6232,7 @@ event socks_request%(c: connection, version: count, request_type: count, sa: SOC
 ##
 ## reply: The status reply from the server.
 ##
-## dstaddr: The address that the server sent the traffic to.
-##
-## dstname: The name the server sent the traffic to. Only applicable for SOCKSv5.
+## sa: The address that the server sent the traffic to.
 ##
 ## p: The destination port for the proxied traffic.
 event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%);
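Review bot: The new `sa` descriptions in the socks_request hunk and the socks_reply hunk drop what the removed `dstname` lines documented: that the destination may be given as a DNS name rather than an IP address, and, for the reply, that the name form applies only to SOCKSv5. The definition of `SOCKS::Address` is not visible in this diff, but assuming it can carry either form the comment should say so, for example `## sa: Address (IP address or DNS name) that the tunneled traffic should be sent to.` and for the reply `## sa: The address (or, for SOCKSv5, the name) that the server sent the traffic to.` Handlers that log or match on proxied destinations need to know the name case exists, otherwise a script that only inspects the IP form would silently skip name-based SOCKSv5 requests.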