Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Rename Bro to Zeek in Zeekygen-generated documentation

Browse source
This commit is contained in:
Jon Siwek 2019-06-06 18:51:09 -07:00
parent 7c5e74e577
commit be091271f7
33 changed files with 393 additions and 375 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,4 +1,8 @@
2.6-387 | 2019-06-06 18:51:09 -0700
* Rename Bro to Zeek in Zeekygen-generated documentation (Jon Siwek, Corelight)
2.6-386 | 2019-06-06 17:17:55 -0700
* Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)

2
VERSION
View file

@ -1 +1 @@
2.6-386
2.6-387

2
doc

@ -1 +1 @@
Subproject commit 9ca066677c56d7926ec6a4396b7ef02cb0b3958a
Subproject commit 46801e2b553ae71623710fbc0b67fe76552d4597

6
src/analyzer/protocol/arp/events.bif
View file

@ -40,7 +40,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
## Generated for ARP packets that Bro cannot interpret. Examples are packets
## Generated for ARP packets that Zeek cannot interpret. Examples are packets
## with non-standard hardware address formats or hardware addresses that do not
## match the originator of the packet.
##
@ -56,8 +56,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
##
## .. zeek:see:: arp_reply arp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);

42
src/analyzer/protocol/dns/events.bif
View file

@ -1,7 +1,7 @@
## Generated for all DNS messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -26,7 +26,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
## is raised once for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -55,7 +55,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
## the reply; there's no stateful correlation with the query.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -81,7 +81,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
## Generated for each entry in the Question section of a DNS reply.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -109,7 +109,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -134,7 +134,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -159,7 +159,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -184,7 +184,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -209,7 +209,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -234,7 +234,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -259,7 +259,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -284,7 +284,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -307,7 +307,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -330,7 +330,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -357,7 +357,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -401,7 +401,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -433,7 +433,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
## Generated on DNS reply resource records when the type of record is not one
## that Bro knows how to parse and generate another more specific event.
## that Zeek knows how to parse and generate another more specific event.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
@ -451,7 +451,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -474,7 +474,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -565,7 +565,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
## all resource records have been passed on.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -590,6 +590,6 @@ event dns_full_request%(%);
## msg: The raw DNS payload.
##
## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
## .. note:: This event is deprecated and superseded by Zeek's dynamic protocol
## detection framework.
event non_dns_request%(c: connection, msg: string%);

8
src/analyzer/protocol/finger/events.bif
View file

@ -13,9 +13,9 @@
##
## .. zeek:see:: finger_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event finger_request%(c: connection, full: bool, username: string, hostname: string%);
@ -30,9 +30,9 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str
##
## .. zeek:see:: finger_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event finger_reply%(c: connection, reply_line: string%);

24
src/analyzer/protocol/gnutella/events.bif
View file

@ -7,9 +7,9 @@
## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
##
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
@ -21,9 +21,9 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
ttl: count, hops: count, msg_len: count,
@ -38,9 +38,9 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_not_establish gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_partial_binary_msg%(c: connection, orig: bool,
msg: string, len: count%);
@ -53,9 +53,9 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
## .. zeek:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_establish%(c: connection%);
@ -67,9 +67,9 @@ event gnutella_establish%(c: connection%);
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_not_establish%(c: connection%);
@ -81,8 +81,8 @@ event gnutella_not_establish%(c: connection%);
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_http_notify%(c: connection%);

14
src/analyzer/protocol/http/events.bif
View file

@ -1,5 +1,5 @@
## Generated for HTTP requests. Bro supports persistent and pipelined HTTP
## Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
## sessions and raises corresponding events as it parses client/server
## dialogues. This event is generated as soon as a request's initial line has
## been parsed, and before any :zeek:id:`http_header` events are raised.
@ -22,7 +22,7 @@
## truncate_http_URI http_connection_upgrade
event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
## Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
## sessions and raises corresponding events as it parses client/server
## dialogues. This event is generated as soon as a reply's initial line has
## been parsed, and before any :zeek:id:`http_header` events are raised.
@ -43,7 +43,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
## http_stats http_connection_upgrade
event http_reply%(c: connection, version: string, code: count, reason: string%);
## Generated for HTTP headers. Bro supports persistent and pipelined HTTP
## Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
## sessions and raises corresponding events as it parses client/server
## dialogues.
##
@ -67,7 +67,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
event http_header%(c: connection, is_orig: bool, name: string, value: string%);
## Generated for HTTP headers, passing on all headers of an HTTP message at
## once. Bro supports persistent and pipelined HTTP sessions and raises
## once. Zeek supports persistent and pipelined HTTP sessions and raises
## corresponding events as it parses client/server dialogues.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@ -92,7 +92,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
## Generated when starting to parse an HTTP body entity. This event is generated
## at least once for each non-empty (client or server) HTTP body; and
## potentially more than once if the body contains further nested MIME
## entities. Bro raises this event just before it starts parsing each entity's
## entities. Zeek raises this event just before it starts parsing each entity's
## content.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@ -111,7 +111,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
## Generated when finishing parsing an HTTP body entity. This event is generated
## at least once for each non-empty (client or server) HTTP body; and
## potentially more than once if the body contains further nested MIME
## entities. Bro raises this event at the point when it has finished parsing an
## entities. Zeek raises this event at the point when it has finished parsing an
## entity's content.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@ -181,7 +181,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
## entities.
event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%);
## Generated once at the end of parsing an HTTP message. Bro supports persistent
## Generated once at the end of parsing an HTTP message. Zeek supports persistent
## and pipelined HTTP sessions and raises corresponding events as it parses
## client/server dialogues. A "message" is one top-level HTTP entity, such as a
## complete request or reply. Each message can have further nested sub-entities

12
src/analyzer/protocol/icmp/events.bif
View file

@ -1,5 +1,5 @@
## Generated for all ICMP messages that are not handled separately with
## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
## dedicated ICMP events. Zeek's ICMP analyzer handles a number of ICMP messages
## directly with dedicated events. This event acts as a fallback for those it
## doesn't.
##
@ -70,7 +70,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
## Generated for all ICMPv6 error messages that are not handled
## separately with dedicated events. Bro's ICMP analyzer handles a number
## separately with dedicated events. Zeek's ICMP analyzer handles a number
## of ICMP error messages directly with dedicated events. This event acts
## as a fallback for those it doesn't.
##
@ -107,7 +107,7 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
##
## context: A record with specifics of the original packet that the message
## refers to. *Unreachable* messages should include the original IP
## header from the packet that triggered them, and Bro parses that
## header from the packet that triggered them, and Zeek parses that
## into the *context* structure. Note that if the *unreachable*
## includes only a partial IP header for some reason, no
## fields of *context* will be filled out.
@ -131,7 +131,7 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
##
## context: A record with specifics of the original packet that the message
## refers to. *Too big* messages should include the original IP header
## from the packet that triggered them, and Bro parses that into
## from the packet that triggered them, and Zeek parses that into
## the *context* structure. Note that if the *too big* includes only
## a partial IP header for some reason, no fields of *context* will
## be filled out.
@ -155,7 +155,7 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
##
## context: A record with specifics of the original packet that the message
## refers to. *Unreachable* messages should include the original IP
## header from the packet that triggered them, and Bro parses that
## header from the packet that triggered them, and Zeek parses that
## into the *context* structure. Note that if the *exceeded* includes
## only a partial IP header for some reason, no fields of *context*
## will be filled out.
@ -179,7 +179,7 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
##
## context: A record with specifics of the original packet that the message
## refers to. *Parameter problem* messages should include the original
## IP header from the packet that triggered them, and Bro parses that
## IP header from the packet that triggered them, and Zeek parses that
## into the *context* structure. Note that if the *parameter problem*
## includes only a partial IP header for some reason, no fields
## of *context* will be filled out.

12
src/analyzer/protocol/ident/events.bif
View file

@ -11,9 +11,9 @@
##
## .. zeek:see:: ident_error ident_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_request%(c: connection, lport: port, rport: port%);
@ -34,9 +34,9 @@ event ident_request%(c: connection, lport: port, rport: port%);
##
## .. zeek:see:: ident_error ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
@ -55,9 +55,9 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
##
## .. zeek:see:: ident_reply ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_error%(c: connection, lport: port, rport: port, line: string%);

72
src/analyzer/protocol/login/events.bif
View file

@ -21,9 +21,9 @@
## .. note:: For historical reasons, these events are separate from the
## ``login_`` events. Ideally, they would all be handled uniquely.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
@ -48,9 +48,9 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line
## .. note:: For historical reasons, these events are separate from the
## ``login_`` events. Ideally, they would all be handled uniquely.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
@ -79,12 +79,12 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying login attempts. This
## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
## configuration has not yet been ported, and
## the analyzer is therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeeks's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
@ -114,12 +114,12 @@ event login_failure%(c: connection, user: string, client_user: string, password:
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying login attempts. This
## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
## configuration has not yet been ported, and
## the analyzer is therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
@ -134,9 +134,9 @@ event login_success%(c: connection, user: string, client_user: string, password:
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_output_line login_prompt login_success login_terminal rsh_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_input_line%(c: connection, line: string%);
@ -151,14 +151,14 @@ event login_input_line%(c: connection, line: string%);
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_prompt login_success login_terminal rsh_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_output_line%(c: connection, line: string%);
## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
## Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
## *login* analyzer uses a number of heuristics to extract authentication
## information, it may become confused. If it can no longer correctly track
## the authentication dialog, it raises this event.
@ -178,9 +178,9 @@ event login_output_line%(c: connection, line: string%);
## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
## login_timeouts set_login_state
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_confused%(c: connection, msg: string, line: string%);
@ -199,9 +199,9 @@ event login_confused%(c: connection, msg: string, line: string%);
## get_login_state login_failure_msgs login_non_failure_msgs login_prompts
## login_success_msgs login_timeouts set_login_state
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_confused_text%(c: connection, line: string%);
@ -216,9 +216,9 @@ event login_confused_text%(c: connection, line: string%);
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_prompt login_success
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_terminal%(c: connection, terminal: string%);
@ -233,9 +233,9 @@ event login_terminal%(c: connection, terminal: string%);
## .. zeek:see:: login_confused login_confused_text login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_display%(c: connection, display: string%);
@ -258,9 +258,9 @@ event login_display%(c: connection, display: string%);
## while :zeek:id:`login_success` heuristically determines success by watching
## session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_accepted%(name: string, c: connection%);
@ -283,9 +283,9 @@ event authentication_accepted%(name: string, c: connection%);
## while :zeek:id:`login_success` heuristically determines failure by watching
## session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_rejected%(name: string, c: connection%);
@ -304,12 +304,12 @@ event authentication_rejected%(name: string, c: connection%);
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying activity. This
## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
## configuration has not yet been ported, and
## the analyzer is therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_skipped%(c: connection%);
@ -328,9 +328,9 @@ event authentication_skipped%(c: connection%);
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_prompt%(c: connection, prompt: string%);
@ -380,9 +380,9 @@ event inconsistent_option%(c: connection%);
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event bad_option%(c: connection%);
@ -399,9 +399,9 @@ event bad_option%(c: connection%);
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event bad_option_termination%(c: connection%);

48
src/analyzer/protocol/mime/events.bif
View file

@ -1,9 +1,9 @@
## Generated when starting to parse an email MIME entity. MIME is a
## protocol-independent data format for encoding text and files, along with
## corresponding metadata, for transmission. Bro raises this event when it
## corresponding metadata, for transmission. Zeek raises this event when it
## begins parsing a MIME entity extracted from an email protocol.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -13,16 +13,16 @@
## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
## http_begin_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
## however, it raises :zeek:id:`http_begin_entity` instead.
event mime_begin_entity%(c: connection%);
## Generated when finishing parsing an email MIME entity. MIME is a
## protocol-independent data format for encoding text and files, along with
## corresponding metadata, for transmission. Bro raises this event when it
## corresponding metadata, for transmission. Zeek raises this event when it
## finished parsing a MIME entity extracted from an email protocol.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -32,7 +32,7 @@ event mime_begin_entity%(c: connection%);
## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
## http_end_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
## however, it raises :zeek:id:`http_end_entity` instead.
event mime_end_entity%(c: connection%);
@ -40,7 +40,7 @@ event mime_end_entity%(c: connection%);
## entities. MIME is a protocol-independent data format for encoding text and
## files, along with corresponding metadata, for transmission.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -52,7 +52,7 @@ event mime_end_entity%(c: connection%);
## mime_end_entity mime_entity_data mime_event mime_segment_data
## http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
## however, it raises :zeek:id:`http_header` instead.
event mime_one_header%(c: connection, h: mime_header_rec%);
@ -60,7 +60,7 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
## headers at once. MIME is a protocol-independent data format for encoding
## text and files, along with corresponding metadata, for transmission.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -74,21 +74,21 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
## mime_entity_data mime_event mime_one_header mime_segment_data
## http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
## however, it raises :zeek:id:`http_header` instead.
event mime_all_headers%(c: connection, hlist: mime_header_list%);
## Generated for chunks of decoded MIME data from email MIME entities. MIME
## is a protocol-independent data format for encoding text and files, along with
## corresponding metadata, for transmission. As Bro parses the data of an
## corresponding metadata, for transmission. As Zeek parses the data of an
## entity, it raises a sequence of these events, each coming as soon as a new
## chunk of data is available. In contrast, there is also
## :zeek:id:`mime_entity_data`, which passes all of an entities data at once
## in a single block. While the latter is more convenient to handle,
## ``mime_segment_data`` is more efficient as Bro does not need to buffer
## ``mime_segment_data`` is more efficient as Zeek does not need to buffer
## the data. Thus, if possible, this event should be preferred.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -102,7 +102,7 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
## mime_segment_length mime_segment_overlap_length
##
## .. note:: Bro also extracts MIME data from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME data from HTTP sessions. For those,
## however, it raises :zeek:id:`http_entity_data` (sic!) instead.
event mime_segment_data%(c: connection, length: count, data: string%);
@ -111,10 +111,10 @@ event mime_segment_data%(c: connection, length: count, data: string%);
## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
## which passes on a sequence of data chunks as they come in. While
## ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
## more efficient as Bro does not need to buffer the data. Thus, if possible,
## more efficient as Zeek does not need to buffer the data. Thus, if possible,
## the latter should be preferred.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -127,7 +127,7 @@ event mime_segment_data%(c: connection, length: count, data: string%);
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## .. note:: While Zeek also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_entity_data%(c: connection, length: count, data: string%);
@ -137,7 +137,7 @@ event mime_entity_data%(c: connection, length: count, data: string%);
## of the potentially significant buffering necessary, using this event can be
## expensive.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -150,13 +150,13 @@ event mime_entity_data%(c: connection, length: count, data: string%);
## .. zeek:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## .. note:: While Zeek also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_all_data%(c: connection, length: count, data: string%);
## Generated for errors found when decoding email MIME entities.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -170,15 +170,15 @@ event mime_all_data%(c: connection, length: count, data: string%);
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
## however, it raises :zeek:id:`http_event` instead.
event mime_event%(c: connection, event_type: string, detail: string%);
## Generated for decoded MIME entities extracted from email messages, passing on
## their MD5 checksums. Bro computes the MD5 over the complete decoded data of
## their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
## each MIME entity.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -191,7 +191,7 @@ event mime_event%(c: connection, event_type: string, detail: string%);
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## .. note:: While Zeek also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_content_hash%(c: connection, content_len: count, hash_value: string%);

8
src/analyzer/protocol/ncp/events.bif
View file

@ -13,9 +13,9 @@
##
## .. zeek:see:: ncp_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
@ -38,9 +38,9 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count%
##
## .. zeek:see:: ncp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);

68
src/analyzer/protocol/netbios/events.bif
View file

@ -1,10 +1,10 @@
## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
## Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
## processes the NetBIOS session service running on TCP port 139, and (despite
## its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -21,22 +21,22 @@
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
## Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
## analyzer processes the NetBIOS session service running on TCP port 139, and
## (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -49,22 +49,22 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_request%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *positive session response*. Bro's
## Generated for NetBIOS messages of type *positive session response*. Zeek's
## NetBIOS analyzer processes the NetBIOS session service running on TCP port
## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -77,22 +77,22 @@ event netbios_session_request%(c: connection, msg: string%);
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_accepted%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *negative session response*. Bro's
## Generated for NetBIOS messages of type *negative session response*. Zeek's
## NetBIOS analyzer processes the NetBIOS session service running on TCP port
## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -105,12 +105,12 @@ event netbios_session_accepted%(c: connection, msg: string%);
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_rejected%(c: connection, msg: string%);
@ -122,7 +122,7 @@ event netbios_session_rejected%(c: connection, msg: string%);
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -137,25 +137,25 @@ event netbios_session_rejected%(c: connection, msg: string%);
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: This is an oddly named event. In fact, it's probably an odd event
## to have to begin with.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
## Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
## analyzer processes the NetBIOS session service running on TCP port 139, and
## (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -168,24 +168,24 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
## netbios_session_request decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: This is an oddly named event.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_ret_arg_resp%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
## Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
## processes the NetBIOS session service running on TCP port 139, and (despite
## its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -198,12 +198,12 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_keepalive%(c: connection, msg: string%);

8
src/analyzer/protocol/ntp/events.bif
View file

@ -1,4 +1,4 @@
## Generated for all NTP messages. Different from many other of Bro's events,
## Generated for all NTP messages. Different from many other of Zeek's events,
## this one is generated for both client-side and server-side messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
@ -8,14 +8,14 @@
##
## msg: The parsed NTP message.
##
## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
## excess: The raw bytes of any optional parts of the NTP packet. Zeek does not
## further parse any optional fields.
##
## .. zeek:see:: ntp_session_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ntp_message%(u: connection, msg: ntp_msg, excess: string%);

28
src/analyzer/protocol/pop3/events.bif
View file

@ -15,9 +15,9 @@
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_request%(c: connection, is_orig: bool,
command: string, arg: string%);
@ -42,9 +42,9 @@ event pop3_request%(c: connection, is_orig: bool,
##
## .. todo:: This event is receiving odd parameters, should unify.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
@ -65,9 +65,9 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
## .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_data%(c: connection, is_orig: bool, data: string%);
@ -88,9 +88,9 @@ event pop3_data%(c: connection, is_orig: bool, data: string%);
##
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_unexpected%(c: connection, is_orig: bool,
msg: string, detail: string%);
@ -108,9 +108,9 @@ event pop3_unexpected%(c: connection, is_orig: bool,
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## pop3_request pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_starttls%(c: connection%);
@ -131,9 +131,9 @@ event pop3_starttls%(c: connection%);
## .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_login_success%(c: connection, is_orig: bool,
user: string, password: string%);
@ -155,9 +155,9 @@ event pop3_login_success%(c: connection, is_orig: bool,
## .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_login_failure%(c: connection, is_orig: bool,
user: string, password: string%);

164
src/analyzer/protocol/rpc/events.bif
View file

@ -15,9 +15,9 @@
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_null%(c: connection, info: NFS3::info_t%);
@ -43,9 +43,9 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply file_mode
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
@ -71,9 +71,9 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply file_mode
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t%);
@ -99,9 +99,9 @@ event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t,
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
@ -127,9 +127,9 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
@ -155,9 +155,9 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
@ -183,9 +183,9 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t%);
@ -211,9 +211,9 @@ event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkarg
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## nfs_proc_symlink rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t%);
@ -240,9 +240,9 @@ event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, r
## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
## NFS3::return_data_max
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
@ -268,9 +268,9 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
@ -296,9 +296,9 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
@ -324,9 +324,9 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
@ -352,9 +352,9 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
@ -380,9 +380,9 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
## nfs_reply_status rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%);
@ -408,13 +408,13 @@ event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameoparg
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
## Generated for NFSv3 request/reply dialogues of a type that Zeek's NFSv3
## analyzer does not implement.
##
## NFS is a service running on top of RPC. See `Wikipedia
@ -425,15 +425,15 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
##
## info: Reports the status of the dialogue, along with some meta information.
##
## proc: The procedure called that Bro does not implement.
## proc: The procedure called that Zeek does not implement.
##
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
@ -449,9 +449,9 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_reply_status%(n: connection, info: NFS3::info_t%);
@ -468,9 +468,9 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_null%(r: connection%);
@ -493,9 +493,9 @@ event pm_request_null%(r: connection%);
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
@ -518,9 +518,9 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
@ -541,9 +541,9 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
@ -563,9 +563,9 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_dump%(r: connection, m: pm_mappings%);
@ -587,9 +587,9 @@ event pm_request_dump%(r: connection, m: pm_mappings%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
@ -610,9 +610,9 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_null%(r: connection, status: rpc_status%);
@ -635,9 +635,9 @@ event pm_attempt_null%(r: connection, status: rpc_status%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
@ -660,9 +660,9 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
@ -684,9 +684,9 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
@ -707,9 +707,9 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request
## pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_dump%(r: connection, status: rpc_status%);
@ -732,9 +732,9 @@ event pm_attempt_dump%(r: connection, status: rpc_status%);
## pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
@ -757,9 +757,9 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ
## pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_bad_port%(r: connection, bad_p: count%);
@ -792,9 +792,9 @@ event pm_bad_port%(r: connection, bad_p: count%);
## .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
@ -819,9 +819,9 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status:
## .. zeek:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
@ -843,9 +843,9 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count,
## .. zeek:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);
@ -862,9 +862,9 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
@ -885,9 +885,9 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t%);
@ -905,9 +905,9 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
@ -925,27 +925,27 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
## Generated for MOUNT3 request/reply dialogues of a type that Bro's MOUNTv3
## Generated for MOUNT3 request/reply dialogues of a type that Zeek's MOUNTv3
## analyzer does not implement.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## proc: The procedure called that Bro does not implement.
## proc: The procedure called that Zeek does not implement.
##
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t%);
@ -959,8 +959,8 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_reply_status%(n: connection, info: MOUNT3::info_t%);

2
src/analyzer/protocol/smb/smb1_events.bif
View file

@ -2,7 +2,7 @@
## messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.

2
src/analyzer/protocol/smb/smb2_events.bif
View file

@ -2,7 +2,7 @@
## version 2 messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.

4
src/analyzer/protocol/smtp/events.bif
View file

@ -20,7 +20,7 @@
## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
## smtp_data smtp_reply
##
## .. note:: Bro does not support the newer ETRN extension yet.
## .. note:: Zeek does not support the newer ETRN extension yet.
event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
## Generated for server-side SMTP commands.
@ -51,7 +51,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%)
## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
## smtp_data smtp_request
##
## .. note:: Bro doesn't support the newer ETRN extension yet.
## .. note:: Zeek doesn't support the newer ETRN extension yet.
event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
## Generated for DATA transmitted on SMTP sessions. This event is raised for

16
src/analyzer/protocol/ssl/events.bif
View file

@ -1,5 +1,5 @@
## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out
## start with an unencrypted handshake, and Zeek extracts as much information out
## of that as it can. This event provides access to the initial information
## sent by the client.
##
@ -38,7 +38,7 @@
event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out
## start with an unencrypted handshake, and Zeek extracts as much information out
## of that as it can. This event provides access to the initial information
## sent by the client.
##
@ -80,11 +80,11 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS
## sessions start with an unencrypted handshake, and Bro extracts as much
## sessions start with an unencrypted handshake, and Zeek extracts as much
## information out of that as it can. This event provides access to any
## extensions either side sends as part of an extended *hello* message.
##
## Note that Bro offers more specialized events for a few extensions.
## Note that Zeek offers more specialized events for a few extensions.
##
## c: The connection.
##
@ -385,7 +385,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
## an unencrypted handshake, and Bro extracts as much information out of that
## an unencrypted handshake, and Zeek extracts as much information out of that
## as it can. This event signals the time when an SSL/TLS has finished the
## handshake and its endpoints consider it as fully established. Typically,
## everything from now on will be encrypted.
@ -400,7 +400,7 @@ event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes:
event ssl_established%(c: connection%);
## Generated for SSL/TLS alert records. SSL/TLS sessions start with an
## unencrypted handshake, and Bro extracts as much information out of that as
## unencrypted handshake, and Zeek extracts as much information out of that as
## it can. If during that handshake, an endpoint encounters a fatal error, it
## sends an *alert* record, that in turn triggers this event. After an *alert*,
## any endpoint may close the connection immediately.
@ -424,7 +424,7 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
## Generated for SSL/TLS handshake messages that are a part of the
## stateless-server session resumption mechanism. SSL/TLS sessions start with
## an unencrypted handshake, and Bro extracts as much information out of that
## an unencrypted handshake, and Zeek extracts as much information out of that
## as it can. This event is raised when an SSL/TLS server passes a session
## ticket to the client that can later be used for resuming the session. The
## mechanism is described in :rfc:`4507`.
@ -468,7 +468,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
## Generated for SSL/TLS messages that are sent before full session encryption
## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
## here this event will be raised for early packets that are already using
## pre-encryption. # This event is also used by Bro internally to determine if
## pre-encryption. # This event is also used by Zeek internally to determine if
## the connection has been completely setup. This is necessary as TLS 1.3 does
## not have CCS anymore.
##

2
src/analyzer/protocol/syslog/events.bif
View file

@ -12,6 +12,6 @@
##
## msg: The message logged.
##
## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP
## .. note:: Zeek currently parses only UDP syslog traffic. Support for TCP
## syslog will be added soon.
event syslog_message%(c: connection, facility: count, severity: count, msg: string%);

34
src/analyzer/protocol/tcp/events.bif
View file

@ -1,6 +1,6 @@
## Generated when reassembly starts for a TCP connection. This event is raised
## at the moment when Bro's TCP analyzer enables stream reassembly for a
## at the moment when Zeek's TCP analyzer enables stream reassembly for a
## connection.
##
## c: The connection.
@ -47,8 +47,8 @@ event connection_attempt%(c: connection%);
## new_connection new_connection_contents partial_connection
event connection_established%(c: connection%);
## Generated for a new active TCP connection if Bro did not see the initial
## handshake. This event is raised when Bro has observed traffic from each
## Generated for a new active TCP connection if Zeek did not see the initial
## handshake. This event is raised when Zeek has observed traffic from each
## endpoint, but the activity did not begin with the usual connection
## establishment.
##
@ -65,7 +65,7 @@ event partial_connection%(c: connection%);
## Generated when a previously inactive endpoint attempts to close a TCP
## connection via a normal FIN handshake or an abort RST sequence. When the
## endpoint sent one of these packets, Bro waits
## endpoint sent one of these packets, Zeek waits
## :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give
## the other endpoint a chance to close the connection normally.
##
@ -94,7 +94,7 @@ event connection_finished%(c: connection%);
## Generated when one endpoint of a TCP connection attempted to gracefully close
## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
## happen due to split routing, in which Bro only sees one side of a connection.
## happen due to split routing, in which Zeek only sees one side of a connection.
##
## c: The connection.
##
@ -123,7 +123,7 @@ event connection_half_finished%(c: connection%);
##
## If the responder does not respond at all, :zeek:id:`connection_attempt` is
## raised instead. If the responder initially accepts the connection but
## aborts it later, Bro first generates :zeek:id:`connection_established`
## aborts it later, Zeek first generates :zeek:id:`connection_established`
## and then :zeek:id:`connection_reset`.
event connection_rejected%(c: connection%);
@ -142,7 +142,7 @@ event connection_rejected%(c: connection%);
## partial_connection
event connection_reset%(c: connection%);
## Generated for each still-open TCP connection when Bro terminates.
## Generated for each still-open TCP connection when Zeek terminates.
##
## c: The connection.
##
@ -154,7 +154,7 @@ event connection_reset%(c: connection%);
## new_connection new_connection_contents partial_connection zeek_done
event connection_pending%(c: connection%);
## Generated for a SYN packet. Bro raises this event for every SYN packet seen
## Generated for a SYN packet. Zeek raises this event for every SYN packet seen
## by its TCP analyzer.
##
## c: The connection.
@ -283,11 +283,25 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
## application-layer protocol analyzers internally. Subsequent invocations of
## this event for the same connection receive non-overlapping in-order chunks
## of its TCP payload stream. It is however undefined what size each chunk
## has; while Bro passes the data on as soon as possible, specifics depend on
## has; while Zeek passes the data on as soon as possible, specifics depend on
## network-level effects such as latency, acknowledgements, reordering, etc.
event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
## TODO.
## Generated for each detected TCP segment retransmission.
##
## c: The connection the packet is part of.
##
## is_orig: True if the packet was sent by the connection's originator.
##
## seq: The segment's relative TCP sequence number.
##
## len: The length of the TCP segment, as specified in the packet header.
##
## data_in_flight: The number of bytes corresponding to the difference between
## the last sequence number and last acknowledgement number
## we've seen for a given endpoint.
##
## window: the TCP window size.
event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
## Generated if a TCP flow crosses a checksum-error threshold, per

2
src/analyzer/protocol/tcp/functions.bif
View file

@ -77,7 +77,7 @@ function get_resp_seq%(cid: conn_id%): count
## responder (often the server).
## - ``CONTENTS_BOTH``: Record the data sent in both directions.
## Results in the two directions being intermixed in the file,
## in the order the data was seen by Bro.
## in the order the data was seen by Zeek.
##
## f: The file handle of the file to write the contents to.
##

58
src/bro.bif
View file

@ -4,7 +4,7 @@
##! filtering, interprocess communication and controlling protocol analyzer
##! behavior.
##!
##! You'll find most of Bro's built-in functions that aren't protocol-specific
##! You'll find most of Zeek's built-in functions that aren't protocol-specific
##! in this file.
%%{ // C segment
@ -304,7 +304,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
## Returns the current wall-clock time.
##
## In general, you should use :zeek:id:`network_time` instead
## unless you are using Bro for non-networking uses (such as general
## unless you are using Zeek for non-networking uses (such as general
## scripting; not particularly recommended), because otherwise your script
## may behave very differently on live traffic versus played-back traffic
## from a save file.
@ -364,7 +364,7 @@ function setenv%(var: string, val: string%): bool
return val_mgr->GetBool(1);
%}
## Shuts down the Bro process immediately.
## Shuts down the Zeek process immediately.
##
## code: The exit code to return with.
##
@ -375,12 +375,12 @@ function exit%(code: int%): any
return 0;
%}
## Gracefully shut down Bro by terminating outstanding processing.
## Gracefully shut down Zeek by terminating outstanding processing.
##
## Returns: True after successful termination and false when Bro is still in
## Returns: True after successful termination and false when Zeek is still in
## the process of shutting down.
##
## .. zeek:see:: exit bro_is_terminating
## .. zeek:see:: exit zeek_is_terminating
function terminate%(%): bool
%{
if ( terminating )
@ -600,7 +600,7 @@ function sha256_hash%(...%): string
%}
## Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC
## secret key is generated from available entropy when Bro starts up, or it can
## secret key is generated from available entropy when Zeek starts up, or it can
## be specified for repeatability using the ``-K`` command line flag.
##
## Returns: The HMAC-MD5 hash value of the concatenated arguments.
@ -893,7 +893,7 @@ function syslog%(s: string%): any
return 0;
%}
## Determines the MIME type of a piece of data using Bro's file magic
## Determines the MIME type of a piece of data using Zeek's file magic
## signatures.
##
## data: The data to find the MIME type for.
@ -918,7 +918,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
return new StringVal(strongest_match);
%}
## Determines the MIME type of a piece of data using Bro's file magic
## Determines the MIME type of a piece of data using Zeek's file magic
## signatures.
##
## data: The data for which to find matching MIME types.
@ -1705,7 +1705,7 @@ function log10%(d: double%): double
# ===========================================================================
## Determines whether a connection has been received externally. For example,
## Broccoli or the Time Machine can send packets to Bro via a mechanism that is
## Broccoli or the Time Machine can send packets to Zeek via a mechanism that is
## one step lower than sending events. This function checks whether the packets
## of a connection stem from one of these external *packet sources*.
##
@ -1726,9 +1726,9 @@ function current_analyzer%(%) : count
return val_mgr->GetCount(mgr.CurrentAnalyzer());
%}
## Returns Bro's process ID.
## Returns Zeek's process ID.
##
## Returns: Bro's process ID.
## Returns: Zeek's process ID.
function getpid%(%) : count
%{
return val_mgr->GetCount(getpid());
@ -1780,7 +1780,7 @@ function record_type_to_vector%(rt: string%): string_vec
return result;
%}
## Returns the type name of an arbitrary Bro variable.
## Returns the type name of an arbitrary Zeek variable.
##
## t: An arbitrary object.
##
@ -1796,9 +1796,9 @@ function type_name%(t: any%): string
return new StringVal(s);
%}
## Checks whether Bro reads traffic from one or more network interfaces (as
## Checks whether Zeek reads traffic from one or more network interfaces (as
## opposed to from a network trace in a file). Note that this function returns
## true even after Bro has stopped reading network traffic, for example due to
## true even after Zeek has stopped reading network traffic, for example due to
## receiving a termination signal.
##
## Returns: True if reading traffic from a network interface.
@ -1809,7 +1809,7 @@ function reading_live_traffic%(%): bool
return val_mgr->GetBool(reading_live);
%}
## Checks whether Bro reads traffic from a trace file (as opposed to from a
## Checks whether Zeek reads traffic from a trace file (as opposed to from a
## network interface).
##
## Returns: True if reading traffic from a network trace.
@ -2098,9 +2098,9 @@ function zeek_is_terminating%(%): bool
return val_mgr->GetBool(terminating);
%}
## Returns the hostname of the machine Bro runs on.
## Returns the hostname of the machine Zeek runs on.
##
## Returns: The hostname of the machine Bro runs on.
## Returns: The hostname of the machine Zeek runs on.
function gethostname%(%) : string
%{
char buffer[MAXHOSTNAMELEN];
@ -3911,7 +3911,7 @@ static bool mmdb_try_open_asn ()
%%}
## Initializes MMDB for later use of lookup_location.
## Requires Bro to be built with ``libmaxminddb``.
## Requires Zeek to be built with ``libmaxminddb``.
##
## f: The filename of the MaxMind City or Country DB.
##
@ -3928,7 +3928,7 @@ function mmdb_open_location_db%(f: string%) : bool
%}
## Initializes MMDB for later use of lookup_asn.
## Requires Bro to be built with ``libmaxminddb``.
## Requires Zeek to be built with ``libmaxminddb``.
##
## f: The filename of the MaxMind ASN DB.
##
@ -3945,7 +3945,7 @@ function mmdb_open_asn_db%(f: string%) : bool
%}
## Performs a geo-lookup of an IP address.
## Requires Bro to be built with ``libmaxminddb``.
## Requires Zeek to be built with ``libmaxminddb``.
##
## a: The IP address to lookup.
##
@ -4030,7 +4030,7 @@ function lookup_location%(a: addr%) : geo_location
%}
## Performs an ASN lookup of an IP address.
## Requires Bro to be built with ``libmaxminddb``.
## Requires Zeek to be built with ``libmaxminddb``.
##
## a: The IP address to lookup.
##
@ -4248,8 +4248,8 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
return val_mgr->GetBool(1);
%}
## Informs Bro that it should skip any further processing of the contents of
## a given connection. In particular, Bro will refrain from reassembling the
## Informs Zeek that it should skip any further processing of the contents of
## a given connection. In particular, Zeek will refrain from reassembling the
## TCP byte stream and from generating events relating to any analyzers that
## have been processing the connection.
##
@ -4260,7 +4260,7 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
##
## .. note::
##
## Bro will still generate connection-oriented events such as
## Zeek will still generate connection-oriented events such as
## :zeek:id:`connection_finished`.
function skip_further_processing%(cid: conn_id%): bool
%{
@ -4287,7 +4287,7 @@ function skip_further_processing%(cid: conn_id%): bool
##
## .. note::
##
## This is independent of whether Bro processes the packets of this
## This is independent of whether Zeek processes the packets of this
## connection, which is controlled separately by
## :zeek:id:`skip_further_processing`.
##
@ -4671,7 +4671,7 @@ function file_size%(f: string%) : double
## Disables sending :zeek:id:`print_hook` events to remote peers for a given
## file. In a
## distributed setup, communicating Bro instances generate the event
## distributed setup, communicating Zeek instances generate the event
## :zeek:id:`print_hook` for each print statement and send it to the remote
## side. When disabled for a particular file, these events will not be
## propagated to other peers.
@ -4958,7 +4958,7 @@ function is_remote_event%(%) : bool
return val_mgr->GetBool(mgr.CurrentSource() != SOURCE_LOCAL);
%}
## Stops Bro's packet processing. This function is used to synchronize
## Stops Zeek's packet processing. This function is used to synchronize
## distributed trace processing with communication enabled
## (*pseudo-realtime* mode).
##
@ -4969,7 +4969,7 @@ function suspend_processing%(%) : any
return 0;
%}
## Resumes Bro's packet processing.
## Resumes Zeek's packet processing.
##
## .. zeek:see:: suspend_processing
function continue_processing%(%) : any

2
src/broker/data.bif
View file

@ -8,7 +8,7 @@
module Broker;
## Enumerates the possible types that :zeek:see:`Broker::Data` may be in
## terms of Bro data types.
## terms of Zeek data types.
enum DataType %{
NONE,
BOOL,

2
src/const.bif
View file

@ -1,4 +1,4 @@
##! Declaration of various scripting-layer constants that the Bro core uses
##! Declaration of various scripting-layer constants that the Zeek core uses
##! internally. Documentation and default values for the scripting-layer
##! variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.

100
src/event.bif
View file

@ -1,4 +1,4 @@
##! The protocol-independent events that the C/C++ core of Bro can generate.
##! The protocol-independent events that the C/C++ core of Zeek can generate.
##!
##! This is mostly events not related to a specific transport- or
##! application-layer protocol, but also includes a few that may be generated
@ -68,7 +68,7 @@ event zeek_done%(%);
event bro_done%(%) &deprecated;
## Generated for every new connection. This event is raised with the first
## packet of a previously unknown connection. Bro uses a flow-based definition
## packet of a previously unknown connection. Zeek uses a flow-based definition
## of "connection" here that includes not only TCP sessions but also UDP and
## ICMP flows.
##
@ -94,7 +94,7 @@ event new_connection%(c: connection%);
## *tunnel* field is NOT automatically/internally assigned to the new
## encapsulation value of *e* after this event is raised. If the desired
## behavior is to track the latest tunnel encapsulation per-connection,
## then a handler of this event should assign *e* to ``c$tunnel`` (which Bro's
## then a handler of this event should assign *e* to ``c$tunnel`` (which Zeek's
## default scripts are doing).
##
## c: The connection whose tunnel/encapsulation changed.
@ -128,7 +128,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
event connection_timeout%(c: connection%);
## Generated when a connection's internal state is about to be removed from
## memory. Bro generates this event reliably once for every connection when it
## memory. Zeek generates this event reliably once for every connection when it
## is about to delete the internal state. As such, the event is well-suited for
## script-level cleanup that needs to be performed for every connection. This
## event is generated not only for TCP sessions but also for UDP and ICMP
@ -145,7 +145,7 @@ event connection_timeout%(c: connection%);
## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
event connection_state_remove%(c: connection%);
## Generated when a connection 4-tuple is reused. This event is raised when Bro
## Generated when a connection 4-tuple is reused. This event is raised when Zeek
## sees a new TCP session or UDP flow using a 4-tuple matching that of an
## earlier connection it still considers active.
##
@ -188,7 +188,7 @@ event connection_status_update%(c: connection%);
event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
## Generated for a new connection received from the communication subsystem.
## Remote peers can inject packets into Bro's packet loop, for example via
## Remote peers can inject packets into Zeek's packet loop, for example via
## Broccoli. The communication system
## raises this event with the first packet of a connection coming in this way.
##
@ -198,7 +198,7 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co
event connection_external%(c: connection, tag: string%);
## Generated when a UDP session for a supported protocol has finished. Some of
## Bro's application-layer UDP analyzers flag the end of a session by raising
## Zeek's application-layer UDP analyzers flag the end of a session by raising
## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
## Teredo, and GTPv1 support this.
##
@ -208,7 +208,7 @@ event connection_external%(c: connection, tag: string%);
event udp_session_done%(u: connection%);
## Generated when a connection is seen that is marked as being expected.
## The function :zeek:id:`Analyzer::schedule_analyzer` tells Bro to expect a
## The function :zeek:id:`Analyzer::schedule_analyzer` tells Zeek to expect a
## particular connection to come up, and which analyzer to associate with it.
## Once the first packet of such a connection is indeed seen, this event is
## raised.
@ -231,7 +231,7 @@ event udp_session_done%(u: connection%);
## ``ANALYZER_*`` constants right now.
event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
## Generated for every packet Bro sees that have a valid link-layer header. This
## Generated for every packet Zeek sees that have a valid link-layer header. This
## is a very very low-level and expensive event that should be avoided when at all
## possible. It's usually infeasible to handle when processing even medium volumes
## of traffic in real-time. That said, if you work from a trace and want to do some
@ -242,7 +242,7 @@ event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
## .. zeek:see:: new_packet packet_contents
event raw_packet%(p: raw_pkt_hdr%);
## Generated for all packets that make it into Bro's connection processing. In
## Generated for all packets that make it into Zeek's connection processing. In
## contrast to :zeek:id:`raw_packet` this filters out some more packets that don't
## pass certain sanity checks.
##
@ -298,8 +298,8 @@ event mobile_ipv6_message%(p: pkt_hdr%);
## .. zeek:see:: new_packet tcp_packet
event packet_contents%(c: connection, contents: string%);
## Generated when Bro detects a TCP retransmission inconsistency. When
## reassembling a TCP stream, Bro buffers all payload until it sees the
## Generated when Zeek detects a TCP retransmission inconsistency. When
## reassembling a TCP stream, Zeek buffers all payload until it sees the
## responder acking it. If during that time, the sender resends a chunk of
## payload but with different content than originally, this event will be
## raised. In addition, if :zeek:id:`tcp_max_old_segments` is larger than zero,
@ -320,10 +320,10 @@ event packet_contents%(c: connection, contents: string%);
## .. zeek:see:: tcp_rexmit tcp_contents
event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
## Generated when Bro detects a gap in a reassembled TCP payload stream. This
## event is raised when Bro, while reassembling a payload stream, determines
## Generated when Zeek detects a gap in a reassembled TCP payload stream. This
## event is raised when Zeek, while reassembling a payload stream, determines
## that a chunk of payload is missing (e.g., because the responder has already
## acknowledged it, even though Bro didn't see it).
## acknowledged it, even though Zeek didn't see it).
##
## c: The connection.
##
@ -343,7 +343,7 @@ event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: st
event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
## Generated when a protocol analyzer confirms that a connection is indeed
## using that protocol. Bro's dynamic protocol detection heuristically activates
## using that protocol. Zeek's dynamic protocol detection heuristically activates
## analyzers as soon as it believes a connection *could* be using a particular
## protocol. It is then left to the corresponding analyzer to verify whether
## that is indeed the case; if so, this event will be generated.
@ -364,13 +364,13 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
##
## .. note::
##
## Bro's default scripts use this event to determine the ``service`` column
## Zeek's default scripts use this event to determine the ``service`` column
## of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
## there (and thus in ``conn.log``).
event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
## Generated when a protocol analyzer determines that a connection it is parsing
## is not conforming to the protocol it expects. Bro's dynamic protocol
## is not conforming to the protocol it expects. Zeek's dynamic protocol
## detection heuristically activates analyzers as soon as it believes a
## connection *could* be using a particular protocol. It is then left to the
## corresponding analyzer to verify whether that is indeed the case; if not,
@ -394,14 +394,14 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
##
## .. note::
##
## Bro's default scripts use this event to disable an analyzer via
## Zeek's default scripts use this event to disable an analyzer via
## :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's
## however a script-level decision and not done automatically by the event
## engine.
event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
## Generated when a TCP connection terminated, passing on statistics about the
## two endpoints. This event is always generated when Bro flushes the internal
## two endpoints. This event is always generated when Zeek flushes the internal
## connection state, independent of how a connection terminates.
##
## c: The connection.
@ -414,12 +414,12 @@ event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reaso
event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
## Generated for unexpected activity related to a specific connection. When
## Bro's packet analysis encounters activity that does not conform to a
## Zeek's packet analysis encounters activity that does not conform to a
## protocol's specification, it raises one of the ``*_weird`` events to report
## that. This event is raised if the activity is tied directly to a specific
## connection.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## name: A unique name for the specific type of "weird" situation. Zeek's default
## scripts use this name in filtering policies that specify which
## "weirds" are worth reporting.
##
@ -436,13 +436,13 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
event conn_weird%(name: string, c: connection, addl: string%);
## Generated for unexpected activity related to a pair of hosts, but independent
## of a specific connection. When Bro's packet analysis encounters activity
## of a specific connection. When Zeek's packet analysis encounters activity
## that does not conform to a protocol's specification, it raises one of
## the ``*_weird`` events to report that. This event is raised if the activity
## is related to a pair of hosts, yet not to a specific connection between
## them.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## name: A unique name for the specific type of "weird" situation. Zeek's default
## scripts use this name in filtering policies that specify which
## "weirds" are worth reporting.
##
@ -459,12 +459,12 @@ event conn_weird%(name: string, c: connection, addl: string%);
event flow_weird%(name: string, src: addr, dst: addr%);
## Generated for unexpected activity that is not tied to a specific connection
## or pair of hosts. When Bro's packet analysis encounters activity that
## or pair of hosts. When Zeek's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the
## ``*_weird`` events to report that. This event is raised if the activity is
## not tied directly to a specific connection or pair of hosts.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## name: A unique name for the specific type of "weird" situation. Zeek's default
## scripts use this name in filtering policies that specify which
## "weirds" are worth reporting.
##
@ -477,11 +477,11 @@ event flow_weird%(name: string, src: addr, dst: addr%);
event net_weird%(name: string%);
## Generated for unexpected activity that is tied to a file.
## When Bro's packet analysis encounters activity that
## When Zeek's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the
## ``*_weird`` events to report that.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## name: A unique name for the specific type of "weird" situation. Zeek's default
## scripts use this name in filtering policies that specify which
## "weirds" are worth reporting.
##
@ -497,11 +497,11 @@ event net_weird%(name: string%);
## endpoint's implementation interprets an RFC quite liberally.
event file_weird%(name: string, f: fa_file, addl: string%);
## Generated regularly for the purpose of profiling Bro's processing. This event
## Generated regularly for the purpose of profiling Zeek's processing. This event
## is raised for every :zeek:id:`load_sample_freq` packet. For these packets,
## Bro records script-level functions executed during their processing as well
## Zeek records script-level functions executed during their processing as well
## as further internal locations. By sampling the processing in this form, one
## can understand where Bro spends its time.
## can understand where Zeek spends its time.
##
## samples: A set with functions and locations seen during the processing of
## the sampled packet.
@ -511,13 +511,13 @@ event file_weird%(name: string, f: fa_file, addl: string%);
## dmem: The difference in memory usage caused by processing the sampled packet.
event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
## Generated when a signature matches. Bro's signature engine provides
## Generated when a signature matches. Zeek's signature engine provides
## high-performance pattern matching separately from the normal script
## processing. If a signature with an ``event`` action matches, this event is
## raised.
##
## See the :doc:`user manual </frameworks/signatures>` for more information
## about Bro's signature engine.
## about Zeek's signature engine.
##
## state: Context about the match, including which signatures triggered the
## event and the connection for which the match was found.
@ -525,7 +525,7 @@ event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
## msg: The message passed to the ``event`` signature action.
##
## data: The last chunk of input that triggered the match. Note that the
## specifics here are not well-defined as Bro does not buffer any input.
## specifics here are not well-defined as Zeek does not buffer any input.
## If a match is split across packet boundaries, only the last chunk
## triggering the match will be passed on to the event.
event signature_match%(state: signature_state, msg: string, data: string%);
@ -572,7 +572,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
## different analyzers. For example, the HTTP analyzer reports user-agent and
## server software by raising this event. Different from
## :zeek:id:`software_version_found` and :zeek:id:`software_parse_error`, this
## event is always raised, independent of whether Bro can parse the version
## event is always raised, independent of whether Zeek can parse the version
## string.
##
## c: The connection.
@ -584,7 +584,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
## .. zeek:see:: software_parse_error software_version_found OS_version_found
event software_unparsed_version_found%(c: connection, host: addr, str: string%);
## Generated when an operating system has been fingerprinted. Bro uses `p0f
## Generated when an operating system has been fingerprinted. Zeek uses `p0f
## <http://lcamtuf.coredump.cx/p0f.shtml>`__ to fingerprint endpoints passively,
## and it raises this event for each system identified. The p0f fingerprints are
## defined by :zeek:id:`passive_fingerprint_file`.
@ -600,7 +600,7 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%);
## generate_OS_version_event
event OS_version_found%(c: connection, host: addr, OS: OS_version%);
## Generated each time Bro's internal profiling log is updated. The file is
## Generated each time Zeek's internal profiling log is updated. The file is
## defined by :zeek:id:`profiling_file`, and its update frequency by
## :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`.
##
@ -612,7 +612,7 @@ event OS_version_found%(c: connection, host: addr, OS: OS_version%);
## .. zeek:see:: profiling_interval expensive_profiling_multiple
event profiling_update%(f: file, expensive: bool%);
## Raised for informational messages reported via Bro's reporter framework. Such
## Raised for informational messages reported via Zeek's reporter framework. Such
## messages may be generated internally by the event engine and also by other
## scripts calling :zeek:id:`Reporter::info`.
##
@ -626,12 +626,12 @@ event profiling_update%(f: file, expensive: bool%);
## .. zeek:see:: reporter_warning reporter_error Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of
## .. note:: Zeek will not call reporter events recursively. If the handler of
## any reporter event triggers a new reporter message itself, the output
## will go to ``stderr`` instead.
event reporter_info%(t: time, msg: string, location: string%) &error_handler;
## Raised for warnings reported via Bro's reporter framework. Such messages may
## Raised for warnings reported via Zeek's reporter framework. Such messages may
## be generated internally by the event engine and also by other scripts calling
## :zeek:id:`Reporter::warning`.
##
@ -645,12 +645,12 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler;
## .. zeek:see:: reporter_info reporter_error Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of
## .. note:: Zeek will not call reporter events recursively. If the handler of
## any reporter event triggers a new reporter message itself, the output
## will go to ``stderr`` instead.
event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
## Raised for errors reported via Bro's reporter framework. Such messages may
## Raised for errors reported via Zeek's reporter framework. Such messages may
## be generated internally by the event engine and also by other scripts calling
## :zeek:id:`Reporter::error`.
##
@ -664,7 +664,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
## .. zeek:see:: reporter_info reporter_warning Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of
## .. note:: Zeek will not call reporter events recursively. If the handler of
## any reporter event triggers a new reporter message itself, the output
## will go to ``stderr`` instead.
event reporter_error%(t: time, msg: string, location: string%) &error_handler;
@ -680,7 +680,7 @@ event zeek_script_loaded%(path: string, level: count%);
## Deprecated synonym for :zeek:see:`zeek_script_loaded`.
event bro_script_loaded%(path: string, level: count%) &deprecated;
## Generated each time Bro's script interpreter opens a file. This event is
## Generated each time Zeek's script interpreter opens a file. This event is
## triggered only for files opened via :zeek:id:`open`, and in particular not for
## normal log files as created by log writers.
##
@ -796,7 +796,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%);
event file_state_remove%(f: fa_file%);
## Generated when an internal DNS lookup produces the same result as last time.
## Bro keeps an internal DNS cache for host names and IP addresses it has
## Zeek keeps an internal DNS cache for host names and IP addresses it has
## already resolved. This event is generated when a subsequent lookup returns
## the same result as stored in the cache.
##
@ -807,7 +807,7 @@ event file_state_remove%(f: fa_file%);
event dns_mapping_valid%(dm: dns_mapping%);
## Generated when an internal DNS lookup got no answer even though it had
## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
## succeeded in the past. Zeek keeps an internal DNS cache for host names and IP
## addresses it has already resolved. This event is generated when a
## subsequent lookup does not produce an answer even though we have
## already stored a result in the cache.
@ -819,7 +819,7 @@ event dns_mapping_valid%(dm: dns_mapping%);
event dns_mapping_unverified%(dm: dns_mapping%);
## Generated when an internal DNS lookup succeeded but an earlier attempt
## did not. Bro keeps an internal DNS cache for host names and IP
## did not. Zeek keeps an internal DNS cache for host names and IP
## addresses it has already resolved. This event is generated when a subsequent
## lookup produces an answer for a query that was marked as failed in the cache.
##
@ -830,7 +830,7 @@ event dns_mapping_unverified%(dm: dns_mapping%);
event dns_mapping_new_name%(dm: dns_mapping%);
## Generated when an internal DNS lookup returned zero answers even though it
## had succeeded in the past. Bro keeps an internal DNS cache for host names
## had succeeded in the past. Zeek keeps an internal DNS cache for host names
## and IP addresses it has already resolved. This event is generated when
## on a subsequent lookup we receive an answer that is empty even
## though we have already stored a result in the cache.
@ -842,7 +842,7 @@ event dns_mapping_new_name%(dm: dns_mapping%);
event dns_mapping_lost_name%(dm: dns_mapping%);
## Generated when an internal DNS lookup produced a different result than in
## the past. Bro keeps an internal DNS cache for host names and IP addresses
## the past. Zeek keeps an internal DNS cache for host names and IP addresses
## it has already resolved. This event is generated when a subsequent lookup
## returns a different answer than we have stored in the cache.
##
@ -858,7 +858,7 @@ event dns_mapping_lost_name%(dm: dns_mapping%);
## dns_mapping_valid
event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
## A meta event generated for events that Bro raises. This will report all
## A meta event generated for events that Zeek raises. This will report all
## events for which at least one handler is defined.
##
## Note that handling this meta event is expensive and should be limited to

8
src/probabilistic/bloom-filter.bif
View file

@ -23,7 +23,7 @@ module GLOBAL;
##
## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
## the filter will use :zeek:id:`global_hash_seed` if that's set, and
## otherwise use a local seed tied to the current Bro process. Only
## otherwise use a local seed tied to the current Zeek process. Only
## filters with the same seed can be merged with
## :zeek:id:`bloomfilter_merge`.
##
@ -60,7 +60,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
##
## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
## the filter will use :zeek:id:`global_hash_seed` if that's set, and
## otherwise use a local seed tied to the current Bro process. Only
## otherwise use a local seed tied to the current Zeek process. Only
## filters with the same seed can be merged with
## :zeek:id:`bloomfilter_merge`.
##
@ -104,7 +104,7 @@ function bloomfilter_basic_init2%(k: count, cells: count,
##
## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
## the filter will use :zeek:id:`global_hash_seed` if that's set, and
## otherwise use a local seed tied to the current Bro process. Only
## otherwise use a local seed tied to the current Zeek process. Only
## filters with the same seed can be merged with
## :zeek:id:`bloomfilter_merge`.
##
@ -206,7 +206,7 @@ function bloomfilter_clear%(bf: opaque of bloomfilter%): any
## Merges two Bloom filters.
##
## .. note:: Currently Bloom filters created by different Bro instances cannot
## .. note:: Currently Bloom filters created by different Zeek instances cannot
## be merged. In the future, this will be supported as long as both filters
## are created with the same name.
##

6
src/stats.bif
View file

@ -20,7 +20,7 @@ RecordType* ReporterStats;
%%}
## Returns packet capture statistics. Statistics include the number of
## packets *(i)* received by Bro, *(ii)* dropped, and *(iii)* seen on the
## packets *(i)* received by Zeek, *(ii)* dropped, and *(iii)* seen on the
## link (not always available).
##
## Returns: A record of packet statistics.
@ -70,7 +70,7 @@ function get_net_stats%(%): NetStats
return r;
%}
## Returns Bro traffic statistics.
## Returns Zeek traffic statistics.
##
## Returns: A record with connection and packet statistics.
##
@ -121,7 +121,7 @@ function get_conn_stats%(%): ConnStats
return r;
%}
## Returns Bro process statistics.
## Returns Zeek process statistics.
##
## Returns: A record with process statistics.
##

2
src/strings.bif
View file

@ -160,7 +160,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string
## arg_s: The string to edit.
##
## arg_edit_char: A string of exactly one character that represents the
## "backspace character". If it is longer than one character Bro
## "backspace character". If it is longer than one character Zeek
## generates a run-time error and uses the first character in
## the string.
##

2
src/types.bif
View file

@ -1,4 +1,4 @@
##! Declaration of various types that the Bro core uses internally.
##! Declaration of various types that the Zeek core uses internally.
enum rpc_status %{
RPC_SUCCESS,

4
src/zeekygen/zeekygen.bif
View file

@ -31,7 +31,7 @@ function get_identifier_comments%(name: string%): string
%}
## Retrieve the Zeekygen-style summary comments (``##!``) associated with
## a Bro script.
## a Zeek script.
##
## name: the name of a Zeek script. It must be a relative path to where
## it is located within a particular component of ZEEKPATH and use
@ -50,7 +50,7 @@ function get_script_comments%(name: string%): string
return comments_to_val(d->GetComments());
%}
## Retrieve the contents of a Bro script package's README file.
## Retrieve the contents of a Zeek script package's README file.
##
## name: the name of a Zeek script package. It must be a relative path
## to where it is located within a particular component of ZEEKPATH.