Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 01:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Copy docs into Zeek repo directly

Browse source 
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
This commit is contained in:
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
doc/scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek
==================================================
.. zeek:namespace:: AF_Packet
.. zeek:namespace:: GLOBAL
:Namespaces: AF_Packet, GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

116
doc/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,116 @@
:tocdepth: 3
base/bif/plugins/Zeek_ARP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================== =====================================================
:zeek:id:`arp_reply`: :zeek:type:`event` Generated for ARP replies.
:zeek:id:`arp_request`: :zeek:type:`event` Generated for ARP requests.
:zeek:id:`bad_arp`: :zeek:type:`event` Generated for ARP packets that Zeek cannot interpret.
========================================== =====================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: arp_reply
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 43 43
:Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
Generated for ARP replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
for more information about the ARP protocol.
:param mac_src: The reply's source MAC address.
:param mac_dst: The reply's destination MAC address.
:param SPA: The sender protocol address.
:param SHA: The sender hardware address.
:param TPA: The target protocol address.
:param THA: The target hardware address.
.. zeek:see:: arp_request bad_arp
.. zeek:id:: arp_request
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 22 22
:Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
Generated for ARP requests.
See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
for more information about the ARP protocol.
:param mac_src: The request's source MAC address.
:param mac_dst: The request's destination MAC address.
:param SPA: The sender protocol address.
:param SHA: The sender hardware address.
:param TPA: The target protocol address.
:param THA: The target hardware address.
.. zeek:see:: arp_reply bad_arp
.. zeek:id:: bad_arp
:source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 66 66
:Type: :zeek:type:`event` (SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`, explanation: :zeek:type:`string`)
Generated for ARP packets that Zeek cannot interpret. Examples are packets
with non-standard hardware address formats or hardware addresses that do not
match the originator of the packet.
:param SPA: The sender protocol address.
:param SHA: The sender hardware address.
:param TPA: The target protocol address.
:param THA: The target hardware address.
:param explanation: A short description of why the ARP packet is considered "bad".
.. zeek:see:: arp_reply arp_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

16
doc/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputAscii
:Namespaces: GLOBAL, InputAscii
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

16
doc/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: LogAscii
:Namespaces: GLOBAL, LogAscii
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

16
doc/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek
========================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputBenchmark
:Namespaces: GLOBAL, InputBenchmark
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

16
doc/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek
==================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputBinary
:Namespaces: GLOBAL, InputBinary
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

328
doc/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,328 @@
:tocdepth: 3
base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= =====
:zeek:id:`bittorrent_peer_bitfield`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_cancel`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_choke`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_handshake`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_have`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_interested`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_keep_alive`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_not_interested`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_piece`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_port`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_request`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_unchoke`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_unknown`: :zeek:type:`event` TODO.
:zeek:id:`bittorrent_peer_weird`: :zeek:type:`event` TODO.
:zeek:id:`bt_tracker_request`: :zeek:type:`event` TODO.
:zeek:id:`bt_tracker_response`: :zeek:type:`event` TODO.
:zeek:id:`bt_tracker_response_not_ok`: :zeek:type:`event` TODO.
:zeek:id:`bt_tracker_weird`: :zeek:type:`event` TODO.
============================================================= =====
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: bittorrent_peer_bitfield
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 105 105
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, bitfield: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_cancel
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 144 144
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, length: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_choke
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 40 40
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_handshake
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 14 14
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, reserved: :zeek:type:`string`, info_hash: :zeek:type:`string`, peer_id: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_have
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 92 92
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, piece_index: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_interested
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 66 66
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_keep_alive
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 27 27
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_not_interested
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 79 79
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_piece
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 131 131
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, piece_length: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_port
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 157 157
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, listen_port: :zeek:type:`port`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_request
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 118 118
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, length: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_unchoke
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 53 53
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_unknown
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 170 170
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, message_id: :zeek:type:`count`, data: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_weird
.. zeek:id:: bittorrent_peer_weird
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 183 183
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown
.. zeek:id:: bt_tracker_request
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 196 196
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, uri: :zeek:type:`string`, headers: :zeek:type:`bt_tracker_headers`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bt_tracker_response
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 209 209
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, status: :zeek:type:`count`, headers: :zeek:type:`bt_tracker_headers`, peers: :zeek:type:`bittorrent_peer_set`, benc: :zeek:type:`bittorrent_benc_dir`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bt_tracker_response_not_ok
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 222 222
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, status: :zeek:type:`count`, headers: :zeek:type:`bt_tracker_headers`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird
.. zeek:id:: bt_tracker_weird
:source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 235 235
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
more information about the BitTorrent protocol.
.. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
bittorrent_peer_unknown bittorrent_peer_weird

29
doc/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek.rst Normal file
View file

@ -0,0 +1,29 @@
:tocdepth: 3
base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
============================================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================================================== =
:zeek:id:`Cluster::Backend::ZeroMQ::spawn_zmq_proxy_thread`: :zeek:type:`function`
================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: Cluster::Backend::ZeroMQ::spawn_zmq_proxy_thread
:source-code: base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek 6 6
:Type: :zeek:type:`function` () : :zeek:type:`bool`

54
doc/scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,54 @@
:tocdepth: 3
base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek
=======================================================
.. zeek:namespace:: Cluster
.. zeek:namespace:: GLOBAL
:Namespaces: Cluster, GLOBAL
Summary
~~~~~~~
Events
######
============================================================== ====================================================
:zeek:id:`Cluster::websocket_client_added`: :zeek:type:`event` Generated when a new WebSocket client has connected.
:zeek:id:`Cluster::websocket_client_lost`: :zeek:type:`event` Generated when a WebSocket client was lost.
============================================================== ====================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: Cluster::websocket_client_added
:source-code: base/frameworks/cluster/main.zeek 700 705
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Cluster::EndpointInfo`, subscriptions: :zeek:type:`string_vec`)
Generated when a new WebSocket client has connected.
:param endpoint: Various information about the WebSocket client.
:param subscriptions: The WebSocket client's subscriptions as provided in the handshake.
.. zeek:id:: Cluster::websocket_client_lost
:source-code: base/frameworks/cluster/main.zeek 707 713
:Type: :zeek:type:`event` (endpoint: :zeek:type:`Cluster::EndpointInfo`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
Generated when a WebSocket client was lost.
:param endpoint: Various information about the WebSocket client.
:param code: The code sent by the client in its CLOSE frame, or a code generated
internally if the server disconnected the client.
:param reason: The reason sent by the client in its CLOSE frame, or a reason generated
internally if the server disconnected the client.

16
doc/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_ConfigReader.config.bif.zeek
==================================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputConfig
:Namespaces: GLOBAL, InputConfig
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

112
doc/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,112 @@
:tocdepth: 3
base/bif/plugins/Zeek_ConnSize.events.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================================== =============================================================================================================
:zeek:id:`conn_bytes_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set byte threshold.
:zeek:id:`conn_duration_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set duration threshold.
:zeek:id:`conn_generic_packet_threshold_crossed`: :zeek:type:`event` Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
observed.
:zeek:id:`conn_packets_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set packet threshold.
==================================================================== =============================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: conn_bytes_threshold_crossed
:source-code: base/protocols/conn/thresholds.zeek 320 337
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set byte threshold. Note that this
is a low level event that should usually be avoided for user code. Use
:zeek:see:`ConnThreshold::bytes_threshold_crossed` instead.
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: true if the threshold was crossed by the originator of the connection
.. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
set_current_conn_duration_threshold get_current_conn_duration_threshold
.. zeek:id:: conn_duration_threshold_crossed
:source-code: base/protocols/conn/thresholds.zeek 358 370
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set duration threshold. Note that this
is a low level event that should usually be avoided for user code. Use
:zeek:see:`ConnThreshold::duration_threshold_crossed` instead.
Note that this event is not raised at the exact moment that a duration threshold is crossed; instead
it is raised when the next packet is seen after the threshold has been crossed. On a connection that is
idle, this can be raised significantly later.
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: true if the threshold was crossed by the originator of the connection
.. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
set_current_conn_duration_threshold get_current_conn_duration_threshold
.. zeek:id:: conn_generic_packet_threshold_crossed
:source-code: base/bif/plugins/Zeek_ConnSize.events.bif.zeek 63 63
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`)
Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new
connections, while short interactions, like scans consisting of only a few packets, are ignored.
:param c: the connection.
:param threshold: the threshold that was set
.. zeek:id:: conn_packets_threshold_crossed
:source-code: base/protocols/conn/thresholds.zeek 339 356
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set packet threshold. Note that this
is a low level event that should usually be avoided for user code. Use
:zeek:see:`ConnThreshold::packets_threshold_crossed` instead.
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: true if the threshold was crossed by the originator of the connection
.. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
set_current_conn_duration_threshold get_current_conn_duration_threshold

147
doc/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,147 @@
:tocdepth: 3
base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
===================================================================== ===================================================================================
:zeek:id:`get_current_conn_bytes_threshold`: :zeek:type:`function`
:zeek:id:`get_current_conn_duration_threshold`: :zeek:type:`function` Gets the current duration threshold size for a connection.
:zeek:id:`get_current_conn_packets_threshold`: :zeek:type:`function` Gets the current packet threshold size for a connection.
:zeek:id:`set_current_conn_bytes_threshold`: :zeek:type:`function` Sets the current byte threshold for connection sizes, overwriting any potential old
threshold.
:zeek:id:`set_current_conn_duration_threshold`: :zeek:type:`function` Sets the current duration threshold for connection, overwriting any potential old
threshold.
:zeek:id:`set_current_conn_packets_threshold`: :zeek:type:`function` Sets a threshold for connection packets, overwriting any potential old thresholds.
===================================================================== ===================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: get_current_conn_bytes_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 63 63
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`count`
:param cid: The connection id.
:param is_orig: If true, threshold of originator, otherwise threshold of responder.
:returns: 0 if no threshold is set or the threshold in bytes
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_packets_threshold set_current_conn_duration_threshold
get_current_conn_duration_threshold
.. zeek:id:: get_current_conn_duration_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 87 87
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`interval`
Gets the current duration threshold size for a connection.
:param cid: The connection id.
:returns: 0 if no threshold is set or the threshold in seconds
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_packets_threshold set_current_conn_duration_threshold
.. zeek:id:: get_current_conn_packets_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 76 76
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`count`
Gets the current packet threshold size for a connection.
:param cid: The connection id.
:param is_orig: If true, threshold of originator, otherwise threshold of responder.
:returns: 0 if no threshold is set or the threshold in packets
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold set_current_conn_duration_threshold get_current_conn_duration_threshold
.. zeek:id:: set_current_conn_bytes_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 19 19
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Sets the current byte threshold for connection sizes, overwriting any potential old
threshold. Be aware that in nearly any case you will want to use the high level API
instead (:zeek:see:`ConnThreshold::set_bytes_threshold`).
:param cid: The connection id.
:param threshold: Threshold in bytes.
:param is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
set_current_conn_duration_threshold get_current_conn_duration_threshold
.. zeek:id:: set_current_conn_duration_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 49 49
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`interval`) : :zeek:type:`bool`
Sets the current duration threshold for connection, overwriting any potential old
threshold. Be aware that in nearly any case you will want to use the high level API
instead (:zeek:see:`ConnThreshold::set_duration_threshold`).
:param cid: The connection id.
:param threshold: Threshold in seconds.
.. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
get_current_conn_duration_threshold
.. zeek:id:: set_current_conn_packets_threshold
:source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 35 35
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Sets a threshold for connection packets, overwriting any potential old thresholds.
Be aware that in nearly any case you will want to use the high level API
instead (:zeek:see:`ConnThreshold::set_packets_threshold`).
:param cid: The connection id.
:param threshold: Threshold in packets.
:param is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
.. zeek:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
get_current_conn_bytes_threshold get_current_conn_packets_threshold
set_current_conn_duration_threshold get_current_conn_duration_threshold

15
doc/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek
=============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

258
doc/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,258 @@
:tocdepth: 3
base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek
=============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================= ==============================================================================================================================
:zeek:id:`dce_rpc_alter_context`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
:zeek:id:`dce_rpc_alter_context_resp`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
:zeek:id:`dce_rpc_bind`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
:zeek:id:`dce_rpc_bind_ack`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
:zeek:id:`dce_rpc_message`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
:zeek:id:`dce_rpc_request`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:zeek:id:`dce_rpc_request_stub`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:zeek:id:`dce_rpc_response`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
:zeek:id:`dce_rpc_response_stub`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
========================================================= ==============================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: dce_rpc_alter_context
:source-code: base/protocols/dce-rpc/main.zeek 137 149
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, uuid: :zeek:type:`string`, ver_major: :zeek:type:`count`, ver_minor: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
multiple times for a single RPC message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param uuid: The string interpreted uuid of the endpoint being requested.
:param ver_major: The major version of the endpoint being requested.
:param ver_minor: The minor version of the endpoint being requested.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
.. zeek:id:: dce_rpc_alter_context_resp
:source-code: base/protocols/dce-rpc/main.zeek 162 165
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
.. zeek:id:: dce_rpc_bind
:source-code: base/protocols/dce-rpc/main.zeek 123 135
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, uuid: :zeek:type:`string`, ver_major: :zeek:type:`count`, ver_minor: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
multiple times for a single RPC message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param uuid: The string interpreted uuid of the endpoint being requested.
:param ver_major: The major version of the endpoint being requested.
:param ver_minor: The minor version of the endpoint being requested.
.. zeek:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
.. zeek:id:: dce_rpc_bind_ack
:source-code: base/protocols/dce-rpc/main.zeek 151 160
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, sec_addr: :zeek:type:`string`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param sec_addr: Secondary address for the ack.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
.. zeek:id:: dce_rpc_message
:source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 19 19
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, fid: :zeek:type:`count`, ptype_id: :zeek:type:`count`, ptype: :zeek:type:`DCE_RPC::PType`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
:param c: The connection.
:param is_orig: True if the message was sent by the originator of the TCP connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ptype_id: Numeric representation of the procedure type of the message.
:param ptype: Enum representation of the procedure type of the message.
.. zeek:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
.. zeek:id:: dce_rpc_request
:source-code: base/protocols/dce-rpc/main.zeek 167 175
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub_len: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param opnum: Number of the RPC operation.
:param stub_len: Length of the data for the request.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response dce_rpc_request_stub
.. zeek:id:: dce_rpc_request_stub
:source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 143 143
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub: :zeek:type:`string`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param opnum: Number of the RPC operation.
:param stub: The data for the request.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response_stub dce_rpc_request
.. zeek:id:: dce_rpc_response
:source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 125 125
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub_len: :zeek:type:`count`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param opnum: Number of the RPC operation.
:param stub_len: Length of the data for the response.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response_stub
.. zeek:id:: dce_rpc_response_stub
:source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 161 161
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub: :zeek:type:`string`)
Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
:param c: The connection.
:param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
not transported over a pipe.
:param ctx_id: The context identifier of the data representation.
:param opnum: Number of the RPC operation.
:param stub: The data for the response.
.. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request_stub dce_rpc_response

107
doc/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek.rst Normal file
View file

@ -0,0 +1,107 @@
:tocdepth: 3
base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek
============================================
.. zeek:namespace:: DCE_RPC
.. zeek:namespace:: GLOBAL
:Namespaces: DCE_RPC, GLOBAL
Summary
~~~~~~~
Types
#####
============================================== =
:zeek:type:`DCE_RPC::IfID`: :zeek:type:`enum`
:zeek:type:`DCE_RPC::PType`: :zeek:type:`enum`
============================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: DCE_RPC::IfID
:source-code: base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek 33 33
:Type: :zeek:type:`enum`
.. zeek:enum:: DCE_RPC::unknown_if DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::epmapper DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::lsarpc DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::lsa_ds DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::mgmt DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::netlogon DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::samr DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::srvsvc DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::spoolss DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::drs DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::winspipe DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::wkssvc DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::oxid DCE_RPC::IfID
.. zeek:enum:: DCE_RPC::ISCMActivator DCE_RPC::IfID
.. zeek:type:: DCE_RPC::PType
:source-code: base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek 8 8
:Type: :zeek:type:`enum`
.. zeek:enum:: DCE_RPC::REQUEST DCE_RPC::PType
.. zeek:enum:: DCE_RPC::PING DCE_RPC::PType
.. zeek:enum:: DCE_RPC::RESPONSE DCE_RPC::PType
.. zeek:enum:: DCE_RPC::FAULT DCE_RPC::PType
.. zeek:enum:: DCE_RPC::WORKING DCE_RPC::PType
.. zeek:enum:: DCE_RPC::NOCALL DCE_RPC::PType
.. zeek:enum:: DCE_RPC::REJECT DCE_RPC::PType
.. zeek:enum:: DCE_RPC::ACK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::CL_CANCEL DCE_RPC::PType
.. zeek:enum:: DCE_RPC::FACK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::CANCEL_ACK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::BIND DCE_RPC::PType
.. zeek:enum:: DCE_RPC::BIND_ACK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::BIND_NAK DCE_RPC::PType
.. zeek:enum:: DCE_RPC::ALTER_CONTEXT DCE_RPC::PType
.. zeek:enum:: DCE_RPC::ALTER_CONTEXT_RESP DCE_RPC::PType
.. zeek:enum:: DCE_RPC::AUTH3 DCE_RPC::PType
.. zeek:enum:: DCE_RPC::SHUTDOWN DCE_RPC::PType
.. zeek:enum:: DCE_RPC::CO_CANCEL DCE_RPC::PType
.. zeek:enum:: DCE_RPC::ORPHANED DCE_RPC::PType
.. zeek:enum:: DCE_RPC::RTS DCE_RPC::PType

44
doc/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,44 @@
:tocdepth: 3
base/bif/plugins/Zeek_DHCP.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================== ================================
:zeek:id:`dhcp_message`: :zeek:type:`event` Generated for all DHCP messages.
=========================================== ================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: dhcp_message
:source-code: base/protocols/dhcp/main.zeek 301 308
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`DHCP::Msg`, options: :zeek:type:`DHCP::Options`)
Generated for all DHCP messages.
:param c: The connection record describing the underlying UDP flow.
:param is_orig: Indicate if the message came in a packet from the
originator/client of the udp flow or the responder/server.
:param msg: The parsed type-independent part of the DHCP message. The message
type is indicated in this record.
:param options: The full set of supported and parsed DHCP options.

16
doc/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_DHCP.types.bif.zeek
=========================================
.. zeek:namespace:: DHCP
.. zeek:namespace:: GLOBAL
:Namespaces: DHCP, GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

618
doc/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,618 @@
:tocdepth: 3
base/bif/plugins/Zeek_DNP3.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================================== ===========================================================================
:zeek:id:`dnp3_analog_input_16wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 2
analog input 16 bit with flag
:zeek:id:`dnp3_analog_input_16woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 4
analog input 16 bit without flag
:zeek:id:`dnp3_analog_input_32wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 1
analog input 32 bit with flag
:zeek:id:`dnp3_analog_input_32woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 3
analog input 32 bit without flag
:zeek:id:`dnp3_analog_input_DPwFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 6
analog input double precision, float point with flag
:zeek:id:`dnp3_analog_input_SPwFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 30 and variation number 5
analog input single precision, float point with flag
:zeek:id:`dnp3_analog_input_event_16wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 4
analog input event 16 bit with time
:zeek:id:`dnp3_analog_input_event_16woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 2
analog input event 16 bit without time
:zeek:id:`dnp3_analog_input_event_32wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 3
analog input event 32 bit with time
:zeek:id:`dnp3_analog_input_event_32woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 1
analog input event 32 bit without time
:zeek:id:`dnp3_analog_input_event_DPwTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 8
analog input event double-precision float point with time
:zeek:id:`dnp3_analog_input_event_DPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 6
analog input event double-precision float point without time
:zeek:id:`dnp3_analog_input_event_SPwTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 7
analog input event single-precision float point with time
:zeek:id:`dnp3_analog_input_event_SPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 32 and variation number 5
analog input event single-precision float point without time
:zeek:id:`dnp3_application_request_header`: :zeek:type:`event` Generated for a DNP3 request header.
:zeek:id:`dnp3_application_response_header`: :zeek:type:`event` Generated for a DNP3 response header.
:zeek:id:`dnp3_attribute_common`: :zeek:type:`event` Generated for DNP3 attributes.
:zeek:id:`dnp3_counter_16wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 20 and variation number 2
counter 16 bit with flag
:zeek:id:`dnp3_counter_16woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 20 and variation number 6
counter 16 bit without flag
:zeek:id:`dnp3_counter_32wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 20 and variation number 1
counter 32 bit with flag
:zeek:id:`dnp3_counter_32woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 20 and variation number 5
counter 32 bit without flag
:zeek:id:`dnp3_crob`: :zeek:type:`event` Generated for DNP3 objects with the group number 12 and variation number 1
CROB: control relay output block
:zeek:id:`dnp3_debug_byte`: :zeek:type:`event` Debugging event generated by the DNP3 analyzer.
:zeek:id:`dnp3_file_transport`: :zeek:type:`event` g70
:zeek:id:`dnp3_frozen_analog_input_16wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 2
frozen analog input 16 bit with flag
:zeek:id:`dnp3_frozen_analog_input_16wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 4
frozen analog input 16 bit with time-of-freeze
:zeek:id:`dnp3_frozen_analog_input_16woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 6
frozen analog input 16 bit without flag
:zeek:id:`dnp3_frozen_analog_input_32wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 1
frozen analog input 32 bit with flag
:zeek:id:`dnp3_frozen_analog_input_32wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 3
frozen analog input 32 bit with time-of-freeze
:zeek:id:`dnp3_frozen_analog_input_32woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 5
frozen analog input 32 bit without flag
:zeek:id:`dnp3_frozen_analog_input_DPwFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 8
frozen analog input double-precision, float point with flag
:zeek:id:`dnp3_frozen_analog_input_SPwFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 31 and variation number 7
frozen analog input single-precision, float point with flag
:zeek:id:`dnp3_frozen_analog_input_event_16wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 4
frozen analog input event 16 bit with time
:zeek:id:`dnp3_frozen_analog_input_event_16woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 2
frozen analog input event 16 bit without time
:zeek:id:`dnp3_frozen_analog_input_event_32wTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 3
frozen analog input event 32 bit with time
:zeek:id:`dnp3_frozen_analog_input_event_32woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 1
frozen analog input event 32 bit without time
:zeek:id:`dnp3_frozen_analog_input_event_DPwTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 34 and variation number 8
frozen analog input event double-precision float point with time
:zeek:id:`dnp3_frozen_analog_input_event_DPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 6
frozen analog input event double-precision float point without time
:zeek:id:`dnp3_frozen_analog_input_event_SPwTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 7
frozen analog input event single-precision float point with time
:zeek:id:`dnp3_frozen_analog_input_event_SPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 5
frozen analog input event single-precision float point without time
:zeek:id:`dnp3_frozen_counter_16wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 2
frozen counter 16 bit with flag
:zeek:id:`dnp3_frozen_counter_16wFlagTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 6
frozen counter 16 bit with flag and time
:zeek:id:`dnp3_frozen_counter_16woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 10
frozen counter 16 bit without flag
:zeek:id:`dnp3_frozen_counter_32wFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 1
frozen counter 32 bit with flag
:zeek:id:`dnp3_frozen_counter_32wFlagTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 5
frozen counter 32 bit with flag and time
:zeek:id:`dnp3_frozen_counter_32woFlag`: :zeek:type:`event` Generated for DNP3 objects with the group number 21 and variation number 9
frozen counter 32 bit without flag
:zeek:id:`dnp3_header_block`: :zeek:type:`event` Generated for an additional header that the DNP3 analyzer passes to the
script-level.
:zeek:id:`dnp3_object_header`: :zeek:type:`event` Generated for the object header found in both DNP3 requests and responses.
:zeek:id:`dnp3_object_prefix`: :zeek:type:`event` Generated for the prefix before a DNP3 object.
:zeek:id:`dnp3_pcb`: :zeek:type:`event` Generated for DNP3 objects with the group number 12 and variation number 2
PCB: Pattern Control Block
:zeek:id:`dnp3_response_data_object`: :zeek:type:`event` Generated for a DNP3 "Response_Data_Object".
====================================================================== ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: dnp3_analog_input_16wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 173 173
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 2
analog input 16 bit with flag
.. zeek:id:: dnp3_analog_input_16woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 183 183
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 4
analog input 16 bit without flag
.. zeek:id:: dnp3_analog_input_32wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 168 168
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 1
analog input 32 bit with flag
.. zeek:id:: dnp3_analog_input_32woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 178 178
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 3
analog input 32 bit without flag
.. zeek:id:: dnp3_analog_input_DPwFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 193 193
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 6
analog input double precision, float point with flag
.. zeek:id:: dnp3_analog_input_SPwFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 188 188
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 30 and variation number 5
analog input single precision, float point with flag
.. zeek:id:: dnp3_analog_input_event_16wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 253 253
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 4
analog input event 16 bit with time
.. zeek:id:: dnp3_analog_input_event_16woTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 243 243
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 2
analog input event 16 bit without time
.. zeek:id:: dnp3_analog_input_event_32wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 248 248
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 3
analog input event 32 bit with time
.. zeek:id:: dnp3_analog_input_event_32woTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 238 238
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 1
analog input event 32 bit without time
.. zeek:id:: dnp3_analog_input_event_DPwTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 273 273
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 8
analog input event double-precision float point with time
.. zeek:id:: dnp3_analog_input_event_DPwoTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 263 263
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 6
analog input event double-precision float point without time
.. zeek:id:: dnp3_analog_input_event_SPwTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 268 268
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 7
analog input event single-precision float point with time
.. zeek:id:: dnp3_analog_input_event_SPwoTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 258 258
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 32 and variation number 5
analog input event single-precision float point without time
.. zeek:id:: dnp3_application_request_header
:source-code: base/protocols/dnp3/main.zeek 49 59
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, application: :zeek:type:`count`, fc: :zeek:type:`count`)
Generated for a DNP3 request header.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param fc: function code.
.. zeek:id:: dnp3_application_response_header
:source-code: base/protocols/dnp3/main.zeek 61 76
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, application: :zeek:type:`count`, fc: :zeek:type:`count`, iin: :zeek:type:`count`)
Generated for a DNP3 response header.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param fc: function code.
:param iin: internal indication number.
.. zeek:id:: dnp3_attribute_common
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 103 103
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data_type_code: :zeek:type:`count`, leng: :zeek:type:`count`, attribute_obj: :zeek:type:`string`)
Generated for DNP3 attributes.
.. zeek:id:: dnp3_counter_16wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 123 123
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 2
counter 16 bit with flag
.. zeek:id:: dnp3_counter_16woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 133 133
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 6
counter 16 bit without flag
.. zeek:id:: dnp3_counter_32wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 118 118
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 1
counter 32 bit with flag
.. zeek:id:: dnp3_counter_32woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 128 128
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 20 and variation number 5
counter 32 bit without flag
.. zeek:id:: dnp3_crob
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 108 108
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, control_code: :zeek:type:`count`, count8: :zeek:type:`count`, on_time: :zeek:type:`count`, off_time: :zeek:type:`count`, status_code: :zeek:type:`count`)
Generated for DNP3 objects with the group number 12 and variation number 1
:param CROB: control relay output block
.. zeek:id:: dnp3_debug_byte
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 323 323
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, debug: :zeek:type:`string`)
Debugging event generated by the DNP3 analyzer. The "Debug_Byte" binpac unit
generates this for unknown "cases". The user can use it to debug the byte
string to check what caused the malformed network packets.
.. zeek:id:: dnp3_file_transport
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 317 317
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, file_handle: :zeek:type:`count`, block_num: :zeek:type:`count`, file_data: :zeek:type:`string`)
g70
.. zeek:id:: dnp3_frozen_analog_input_16wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 203 203
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 2
frozen analog input 16 bit with flag
.. zeek:id:: dnp3_frozen_analog_input_16wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 213 213
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 4
frozen analog input 16 bit with time-of-freeze
.. zeek:id:: dnp3_frozen_analog_input_16woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 223 223
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 6
frozen analog input 16 bit without flag
.. zeek:id:: dnp3_frozen_analog_input_32wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 198 198
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 1
frozen analog input 32 bit with flag
.. zeek:id:: dnp3_frozen_analog_input_32wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 208 208
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 3
frozen analog input 32 bit with time-of-freeze
.. zeek:id:: dnp3_frozen_analog_input_32woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 218 218
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 5
frozen analog input 32 bit without flag
.. zeek:id:: dnp3_frozen_analog_input_DPwFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 233 233
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 8
frozen analog input double-precision, float point with flag
.. zeek:id:: dnp3_frozen_analog_input_SPwFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 228 228
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 31 and variation number 7
frozen analog input single-precision, float point with flag
.. zeek:id:: dnp3_frozen_analog_input_event_16wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 293 293
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 4
frozen analog input event 16 bit with time
.. zeek:id:: dnp3_frozen_analog_input_event_16woTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 283 283
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 2
frozen analog input event 16 bit without time
.. zeek:id:: dnp3_frozen_analog_input_event_32wTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 288 288
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 3
frozen analog input event 32 bit with time
.. zeek:id:: dnp3_frozen_analog_input_event_32woTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 278 278
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 1
frozen analog input event 32 bit without time
.. zeek:id:: dnp3_frozen_analog_input_event_DPwTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 313 313
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 34 and variation number 8
frozen analog input event double-precision float point with time
.. zeek:id:: dnp3_frozen_analog_input_event_DPwoTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 303 303
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 6
frozen analog input event double-precision float point without time
.. zeek:id:: dnp3_frozen_analog_input_event_SPwTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 308 308
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 7
frozen analog input event single-precision float point with time
.. zeek:id:: dnp3_frozen_analog_input_event_SPwoTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 298 298
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 33 and variation number 5
frozen analog input event single-precision float point without time
.. zeek:id:: dnp3_frozen_counter_16wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 143 143
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 2
frozen counter 16 bit with flag
.. zeek:id:: dnp3_frozen_counter_16wFlagTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 153 153
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 6
frozen counter 16 bit with flag and time
.. zeek:id:: dnp3_frozen_counter_16woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 163 163
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 10
frozen counter 16 bit without flag
.. zeek:id:: dnp3_frozen_counter_32wFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 138 138
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 1
frozen counter 32 bit with flag
.. zeek:id:: dnp3_frozen_counter_32wFlagTime
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 148 148
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`, time48: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 5
frozen counter 32 bit with flag and time
.. zeek:id:: dnp3_frozen_counter_32woFlag
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 158 158
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
Generated for DNP3 objects with the group number 21 and variation number 9
frozen counter 32 bit without flag
.. zeek:id:: dnp3_header_block
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 82 82
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, len: :zeek:type:`count`, ctrl: :zeek:type:`count`, dest_addr: :zeek:type:`count`, src_addr: :zeek:type:`count`)
Generated for an additional header that the DNP3 analyzer passes to the
script-level. This header mimics the DNP3 transport-layer yet is only passed
once for each sequence of DNP3 records (which are otherwise reassembled and
treated as a single entity).
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param len: the "length" field in the DNP3 Pseudo Link Layer.
:param ctrl: the "control" field in the DNP3 Pseudo Link Layer.
:param dest_addr: the "destination" field in the DNP3 Pseudo Link Layer.
:param src_addr: the "source" field in the DNP3 Pseudo Link Layer.
.. zeek:id:: dnp3_object_header
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 50 50
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, obj_type: :zeek:type:`count`, qua_field: :zeek:type:`count`, number: :zeek:type:`count`, rf_low: :zeek:type:`count`, rf_high: :zeek:type:`count`)
Generated for the object header found in both DNP3 requests and responses.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param obj_type: type of object, which is classified based on an 8-bit group number
and an 8-bit variation number.
:param qua_field: qualifier field.
:param number: TODO.
:param rf_low: the structure of the range field depends on the qualified field.
In some cases, the range field contains only one logic part, e.g.,
number of objects, so only *rf_low* contains useful values.
:param rf_high: in some cases, the range field contains two logic parts, e.g., start
index and stop index, so *rf_low* contains the start index
while *rf_high* contains the stop index.
.. zeek:id:: dnp3_object_prefix
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 62 62
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix_value: :zeek:type:`count`)
Generated for the prefix before a DNP3 object. The structure and the meaning
of the prefix are defined by the qualifier field.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param prefix_value: The prefix.
.. zeek:id:: dnp3_pcb
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 113 113
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, control_code: :zeek:type:`count`, count8: :zeek:type:`count`, on_time: :zeek:type:`count`, off_time: :zeek:type:`count`, status_code: :zeek:type:`count`)
Generated for DNP3 objects with the group number 12 and variation number 2
:param PCB: Pattern Control Block
.. zeek:id:: dnp3_response_data_object
:source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 99 99
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data_value: :zeek:type:`count`)
Generated for a DNP3 "Response_Data_Object".
The "Response_Data_Object" contains two parts: object prefix and object
data. In most cases, object data are defined by new record types. But
in a few cases, object data are directly basic types, such as int16_t, or
int8_t; thus we use an additional *data_value* to record the values of those
object data.
:param c: The connection the DNP3 communication is part of.
:param is_orig: True if this reflects originator-side activity.
:param data_value: The value for those objects that carry their information here
directly.

1206
doc/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek.rst Normal file
View file

File diff suppressed because it is too large Load diff

87
doc/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,87 @@
:tocdepth: 3
base/bif/plugins/Zeek_FTP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================== ==============================================================
:zeek:id:`ftp_reply`: :zeek:type:`event` Generated for server-side FTP replies.
:zeek:id:`ftp_request`: :zeek:type:`event` Generated for client-side FTP commands.
:zeek:id:`ftp_starttls`: :zeek:type:`event` Generated if an FTP connection switched to TLS using AUTH TLS.
=========================================== ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ftp_reply
:source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 38 38
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`, msg: :zeek:type:`string`, cont_resp: :zeek:type:`bool`)
Generated for server-side FTP replies.
See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
more information about the FTP protocol.
:param c: The connection.
:param code: The numerical response code the server responded with.
:param msg: The textual message of the response.
:param cont_resp: True if the reply line is tagged as being continued to the next
line. If so, further events will be raised and a handler may want
to reassemble the pieces before processing the response any
further.
.. zeek:see:: ftp_request fmt_ftp_port parse_eftp_port
parse_ftp_epsv parse_ftp_pasv parse_ftp_port
.. zeek:id:: ftp_request
:source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
Generated for client-side FTP commands.
See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
more information about the FTP protocol.
:param c: The connection.
:param command: The FTP command issued by the client (without any arguments).
:param arg: The arguments going with the command.
.. zeek:see:: ftp_reply fmt_ftp_port parse_eftp_port
parse_ftp_epsv parse_ftp_pasv parse_ftp_port
.. zeek:id:: ftp_starttls
:source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 46 46
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated if an FTP connection switched to TLS using AUTH TLS. After this
event no more FTP events will be raised for the connection. See the SSL
analyzer for related SSL events, which will now be generated.
:param c: The connection.

115
doc/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,115 @@
:tocdepth: 3
base/bif/plugins/Zeek_FTP.functions.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================= ==========================================================================
:zeek:id:`fmt_ftp_port`: :zeek:type:`function` Formats an IP address and TCP port as an FTP PORT command.
:zeek:id:`parse_eftp_port`: :zeek:type:`function` Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
to an :zeek:type:`ftp_port`.
:zeek:id:`parse_ftp_epsv`: :zeek:type:`function` Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
:zeek:type:`ftp_port`.
:zeek:id:`parse_ftp_pasv`: :zeek:type:`function` Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
:zeek:id:`parse_ftp_port`: :zeek:type:`function` Converts a string representation of the FTP PORT command to an
:zeek:type:`ftp_port`.
================================================= ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: fmt_ftp_port
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 65 65
:Type: :zeek:type:`function` (a: :zeek:type:`addr`, p: :zeek:type:`port`) : :zeek:type:`string`
Formats an IP address and TCP port as an FTP PORT command. For example,
``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``.
:param a: The IP address.
:param p: The TCP port.
:returns: The FTP PORT string.
.. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
.. zeek:id:: parse_eftp_port
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 30 30
:Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`ftp_port`
Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
to an :zeek:type:`ftp_port`. The format is
``"EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>"``,
where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
:param s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. zeek:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
.. zeek:id:: parse_ftp_epsv
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 52 52
:Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`ftp_port`
Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
:zeek:type:`ftp_port`. The format is ``"<text> (<d><d><d><tcp-port><d>)"``,
where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
:param str: The string containing the result of the FTP EPSV command.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
.. zeek:id:: parse_ftp_pasv
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 40 40
:Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`ftp_port`
Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
:param str: The string containing the result of the FTP PASV command.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
.. zeek:id:: parse_ftp_port
:source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 17 17
:Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`ftp_port`
Converts a string representation of the FTP PORT command to an
:zeek:type:`ftp_port`.
:param s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
:returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
.. zeek:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port

45
doc/scripts/base/bif/plugins/Zeek_File.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,45 @@
:tocdepth: 3
base/bif/plugins/Zeek_File.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ========================================================================
:zeek:id:`file_transferred`: :zeek:type:`event` Generated when a TCP connection associated w/ file data transfer is seen
(e.g.
=============================================== ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: file_transferred
:source-code: base/protocols/ftp/main.zeek 450 458
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, prefix: :zeek:type:`string`, descr: :zeek:type:`string`, mime_type: :zeek:type:`string`)
Generated when a TCP connection associated w/ file data transfer is seen
(e.g. as happens w/ FTP or IRC).
:param c: The connection over which file data is transferred.
:param prefix: Up to 1024 bytes of the file data.
:param descr: Deprecated/unused argument.
:param mime_type: MIME type of the file or "<unknown>" if no file magic signatures
matched.

39
doc/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,39 @@
:tocdepth: 3
base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================== ========================================================
:zeek:id:`file_entropy`: :zeek:type:`event` This event is generated each time file analysis performs
entropy testing on a file.
=========================================== ========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: file_entropy
:source-code: policy/frameworks/files/entropy-test-all-files.zeek 16 19
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ent: :zeek:type:`entropy_test_result`)
This event is generated each time file analysis performs
entropy testing on a file.
:param f: The file.
:param ent: The results of the entropy testing.

51
doc/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,51 @@
:tocdepth: 3
base/bif/plugins/Zeek_FileExtract.events.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== ================================================================
:zeek:id:`file_extraction_limit`: :zeek:type:`event` This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :zeek:see:`Files::AnalyzerArgs`.
==================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: file_extraction_limit
:source-code: base/files/extract/main.zeek 89 93
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, args: :zeek:type:`Files::AnalyzerArgs`, limit: :zeek:type:`count`, len: :zeek:type:`count`)
This event is generated when a file extraction analyzer is about
to exceed the maximum permitted file size allowed by the
*extract_limit* field of :zeek:see:`Files::AnalyzerArgs`.
The analyzer is automatically removed from file *f*.
:param f: The file.
:param args: Arguments that identify a particular file extraction analyzer.
This is only provided to be able to pass along to
:zeek:see:`FileExtract::set_limit`.
:param limit: The limit, in bytes, the extracted file is about to breach.
:param len: The length of the file chunk about to be written.
.. zeek:see:: Files::add_analyzer Files::ANALYZER_EXTRACT

32
doc/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,32 @@
:tocdepth: 3
base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
====================================================
.. zeek:namespace:: FileExtract
.. zeek:namespace:: GLOBAL
Internal functions used by the extraction file analyzer.
:Namespaces: FileExtract, GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== ===================================
:zeek:id:`FileExtract::__set_limit`: :zeek:type:`function` :zeek:see:`FileExtract::set_limit`.
========================================================== ===================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: FileExtract::__set_limit
:source-code: base/bif/plugins/Zeek_FileExtract.functions.bif.zeek 12 12
:Type: :zeek:type:`function` (file_id: :zeek:type:`string`, args: :zeek:type:`any`, n: :zeek:type:`count`) : :zeek:type:`bool`
:zeek:see:`FileExtract::set_limit`.

44
doc/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,44 @@
:tocdepth: 3
base/bif/plugins/Zeek_FileHash.events.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================== =========================================================================
:zeek:id:`file_hash`: :zeek:type:`event` This event is generated each time file analysis generates a digest of the
file contents.
======================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: file_hash
:source-code: base/bif/plugins/Zeek_FileHash.events.bif.zeek 15 15
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, kind: :zeek:type:`string`, hash: :zeek:type:`string`)
This event is generated each time file analysis generates a digest of the
file contents.
:param f: The file.
:param kind: The type of digest algorithm.
:param hash: The result of the hashing.
.. zeek:see:: Files::add_analyzer Files::ANALYZER_MD5
Files::ANALYZER_SHA1 Files::ANALYZER_SHA256

37
doc/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,37 @@
:tocdepth: 3
base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ =========================================
:zeek:id:`gssapi_neg_result`: :zeek:type:`event` Generated for GSSAPI negotiation results.
================================================ =========================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: gssapi_neg_result
:source-code: base/bif/plugins/Zeek_GSSAPI.events.bif.zeek 10 10
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, state: :zeek:type:`count`)
Generated for GSSAPI negotiation results.
:param c: The connection.
:param state: The resulting state of the negotiation.

173
doc/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,173 @@
:tocdepth: 3
base/bif/plugins/Zeek_GTPv1.events.bif.zeek
===========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================ ===================================================================
:zeek:id:`gtpv1_create_pdp_ctx_request`: :zeek:type:`event` Generated for GTPv1-C Create PDP Context Request messages.
:zeek:id:`gtpv1_create_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Create PDP Context Response messages.
:zeek:id:`gtpv1_delete_pdp_ctx_request`: :zeek:type:`event` Generated for GTPv1-C Delete PDP Context Request messages.
:zeek:id:`gtpv1_delete_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Delete PDP Context Response messages.
:zeek:id:`gtpv1_g_pdu_packet`: :zeek:type:`event` Generated for GTPv1 G-PDU packets.
:zeek:id:`gtpv1_message`: :zeek:type:`event` Generated for any GTP message with a GTPv1 header.
:zeek:id:`gtpv1_update_pdp_ctx_request`: :zeek:type:`event` Generated for GTPv1-C Update PDP Context Request messages.
:zeek:id:`gtpv1_update_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Update PDP Context Response messages.
:zeek:id:`new_gtpv1_state`: :zeek:type:`event` Generated when a new GTP analyzer is instantiated for a connection.
============================================================ ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: gtpv1_create_pdp_ctx_request
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 45 45
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_request_elements`)
Generated for GTPv1-C Create PDP Context Request messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_create_pdp_ctx_response
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 55 55
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_response_elements`)
Generated for GTPv1-C Create PDP Context Response messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_delete_pdp_ctx_request
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 85 85
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_request_elements`)
Generated for GTPv1-C Delete PDP Context Request messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_delete_pdp_ctx_response
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 95 95
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_response_elements`)
Generated for GTPv1-C Delete PDP Context Response messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_g_pdu_packet
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 35 35
:Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner_gtp: :zeek:type:`gtpv1_hdr`, inner_ip: :zeek:type:`pkt_hdr`)
Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
that includes a GTP header followed by an IPv4 or IPv6 packet.
:param outer: The GTP outer tunnel connection.
:param inner_gtp: The GTP header.
:param inner_ip: The inner IP and transport layer packet headers.
.. note:: Since this event may be raised on a per-packet basis, handling
it may become particularly expensive for real-time analysis.
.. zeek:id:: gtpv1_message
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`)
Generated for any GTP message with a GTPv1 header.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
.. zeek:id:: gtpv1_update_pdp_ctx_request
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 65 65
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_request_elements`)
Generated for GTPv1-C Update PDP Context Request messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: gtpv1_update_pdp_ctx_response
:source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 75 75
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_response_elements`)
Generated for GTPv1-C Update PDP Context Response messages.
:param c: The connection over which the message is sent.
:param hdr: The GTPv1 header.
:param elements: The set of Information Elements comprising the message.
.. zeek:id:: new_gtpv1_state
:source-code: base/packet-protocols/gtpv1/main.zeek 35 38
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when a new GTP analyzer is instantiated for a connection.
This event exists to install a connection removal hook to clear
internal per-connection GTPv1 state.
:param c: The connection for which the analyzer is instantiated.

30
doc/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,30 @@
:tocdepth: 3
base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: PacketAnalyzer::GTPV1
:Namespaces: GLOBAL, PacketAnalyzer::GTPV1
Summary
~~~~~~~
Functions
#########
================================================================================ =
:zeek:id:`PacketAnalyzer::GTPV1::remove_gtpv1_connection`: :zeek:type:`function`
================================================================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: PacketAnalyzer::GTPV1::remove_gtpv1_connection
:source-code: base/bif/plugins/Zeek_GTPv1.functions.bif.zeek 9 9
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`

43
doc/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Zeek_Geneve.events.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================ =========================================================
:zeek:id:`geneve_packet`: :zeek:type:`event` Generated for any packet encapsulated in a Geneve tunnel.
============================================ =========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: geneve_packet
:source-code: base/bif/plugins/Zeek_Geneve.events.bif.zeek 15 15
:Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`pkt_hdr`, vni: :zeek:type:`count`)
Generated for any packet encapsulated in a Geneve tunnel.
See :rfc:`8926` for more information about the Geneve protocol.
:param outer: The Geneve tunnel connection.
:param inner: The Geneve-encapsulated Ethernet packet header and transport header.
:param vni: Geneve Network Identifier.
.. note:: Since this event may be raised on a per-packet basis, handling
it may become particularly expensive for real-time analysis.

36
doc/scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,36 @@
:tocdepth: 3
base/bif/plugins/Zeek_Geneve.functions.bif.zeek
===============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: PacketAnalyzer::Geneve
:Namespaces: GLOBAL, PacketAnalyzer::Geneve
Summary
~~~~~~~
Functions
#########
===================================================================== =================================================================
:zeek:id:`PacketAnalyzer::Geneve::get_options`: :zeek:type:`function` Returns all Geneve options from all layers of the current packet.
===================================================================== =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: PacketAnalyzer::Geneve::get_options
:source-code: base/bif/plugins/Zeek_Geneve.functions.bif.zeek 15 15
:Type: :zeek:type:`function` () : :zeek:type:`geneve_options_vec_vec`
Returns all Geneve options from all layers of the current packet.
The last entry in the outer vector are the options of the most
inner Geneve header.
Returns a vector of vector of :zeek:see:`PacketAnalyzer::Geneve::Option` records.

137
doc/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,137 @@
:tocdepth: 3
base/bif/plugins/Zeek_Gnutella.events.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================== =====
:zeek:id:`gnutella_binary_msg`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_establish`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_http_notify`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_not_establish`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_partial_binary_msg`: :zeek:type:`event` TODO.
:zeek:id:`gnutella_text_msg`: :zeek:type:`event` TODO.
========================================================== =====
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: gnutella_binary_msg
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 32 32
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, msg_type: :zeek:type:`count`, ttl: :zeek:type:`count`, hops: :zeek:type:`count`, msg_len: :zeek:type:`count`, payload: :zeek:type:`string`, payload_len: :zeek:type:`count`, trunc: :zeek:type:`bool`, complete: :zeek:type:`bool`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
gnutella_partial_binary_msg gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_establish
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 62 62
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
gnutella_partial_binary_msg gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_http_notify
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 92 92
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
gnutella_partial_binary_msg gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_not_establish
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 77 77
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_partial_binary_msg gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_partial_binary_msg
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 47 47
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, msg: :zeek:type:`string`, len: :zeek:type:`count`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_not_establish gnutella_text_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: gnutella_text_msg
:source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, headers: :zeek:type:`string`)
TODO.
See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
information about the Gnutella protocol.
.. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
gnutella_not_establish gnutella_partial_binary_msg
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

374
doc/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,374 @@
:tocdepth: 3
base/bif/plugins/Zeek_HTTP.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ========================================================================
:zeek:id:`http_all_headers`: :zeek:type:`event` Generated for HTTP headers, passing on all headers of an HTTP message at
once.
:zeek:id:`http_begin_entity`: :zeek:type:`event` Generated when starting to parse an HTTP body entity.
:zeek:id:`http_connection_upgrade`: :zeek:type:`event` Generated when a HTTP session is upgraded to a different protocol (e.g.
:zeek:id:`http_content_type`: :zeek:type:`event` Generated for reporting an HTTP body's content type.
:zeek:id:`http_end_entity`: :zeek:type:`event` Generated when finishing parsing an HTTP body entity.
:zeek:id:`http_entity_data`: :zeek:type:`event` Generated when parsing an HTTP body entity, passing on the data.
:zeek:id:`http_event`: :zeek:type:`event` Generated for errors found when decoding HTTP requests or replies.
:zeek:id:`http_header`: :zeek:type:`event` Generated for HTTP headers.
:zeek:id:`http_message_done`: :zeek:type:`event` Generated once at the end of parsing an HTTP message.
:zeek:id:`http_reply`: :zeek:type:`event` Generated for HTTP replies.
:zeek:id:`http_request`: :zeek:type:`event` Generated for HTTP requests.
:zeek:id:`http_stats`: :zeek:type:`event` Generated at the end of an HTTP session to report statistics about it.
====================================================== ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: http_all_headers
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 100 100
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, hlist: :zeek:type:`mime_header_list`)
Generated for HTTP headers, passing on all headers of an HTTP message at
once. Zeek supports persistent and pipelined HTTP sessions and raises
corresponding events as it parses client/server dialogues.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the header was sent by the originator of the TCP connection.
:param hlist: A *table* containing all headers extracted from the current entity.
The table is indexed by the position of the header (1 for the first,
2 for the second, etc.).
.. zeek:see:: http_begin_entity http_content_type http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. zeek:id:: http_begin_entity
:source-code: base/protocols/http/entities.zeek 73 83
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated when starting to parse an HTTP body entity. This event is generated
at least once for each non-empty (client or server) HTTP body; and
potentially more than once if the body contains further nested MIME
entities. Zeek raises this event just before it starts parsing each entity's
content.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
.. zeek:see:: http_all_headers http_content_type http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
mime_begin_entity http_connection_upgrade
.. zeek:id:: http_connection_upgrade
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 267 267
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, protocol: :zeek:type:`string`)
Generated when a HTTP session is upgraded to a different protocol (e.g. websocket).
This event is raised when a server replies with a HTTP 101 reply. No more HTTP events
will be raised after this event.
:param c: The connection.
:param protocol: The protocol to which the connection is switching.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply
http_request
.. zeek:id:: http_content_type
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 196 196
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, ty: :zeek:type:`string`, subty: :zeek:type:`string`)
Generated for reporting an HTTP body's content type. This event is
generated at the end of parsing an HTTP header, passing on the MIME
type as specified by the ``Content-Type`` header. If that header is
missing, this event is still raised with a default value of ``text/plain``.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
:param ty: The main type.
:param subty: The subtype.
.. zeek:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
http_event http_header http_message_done http_reply http_request http_stats
http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. zeek:id:: http_end_entity
:source-code: base/protocols/http/entities.zeek 214 218
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated when finishing parsing an HTTP body entity. This event is generated
at least once for each non-empty (client or server) HTTP body; and
potentially more than once if the body contains further nested MIME
entities. Zeek raises this event at the point when it has finished parsing an
entity's content.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_entity_data
http_event http_header http_message_done http_reply http_request
http_stats mime_end_entity http_connection_upgrade
.. zeek:id:: http_entity_data
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 170 170
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, length: :zeek:type:`count`, data: :zeek:type:`string`)
Generated when parsing an HTTP body entity, passing on the data. This event
can potentially be raised many times for each entity, each time passing a
chunk of the data of not further defined size.
A common idiom for using this event is to first *reassemble* the data
at the scripting layer by concatenating it to a successively growing
string; and only perform further content analysis once the corresponding
:zeek:id:`http_end_entity` event has been raised. Note, however, that doing so
can be quite expensive for HTTP tranders. At the very least, one should
impose an upper size limit on how much data is being buffered.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
:param length: The length of *data*.
:param data: One chunk of raw entity data.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_event http_header http_message_done http_reply http_request http_stats
mime_entity_data http_entity_data_delivery_size skip_http_data
http_connection_upgrade
.. zeek:id:: http_event
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 238 238
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, event_type: :zeek:type:`string`, detail: :zeek:type:`string`)
Generated for errors found when decoding HTTP requests or replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param event_type: A string describing the general category of the problem found
(e.g., ``illegal format``).
:param detail: Further more detailed description of the error.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_header http_message_done http_reply http_request
http_stats mime_event http_connection_upgrade
.. zeek:id:: http_header
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 74 74
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, original_name: :zeek:type:`string`, name: :zeek:type:`string`, value: :zeek:type:`string`)
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, value: :zeek:type:`string`)
Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the header was sent by the originator of the TCP connection.
:param original_name: The name of the header (unaltered).
:param name: The name of the header (converted to all uppercase).
:param value: The value of the header.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_message_done http_reply http_request
http_stats http_connection_upgrade
.. note:: This event is also raised for headers found in nested body
entities.
.. zeek:id:: http_message_done
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 220 220
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, stat: :zeek:type:`http_message_stat`)
Generated once at the end of parsing an HTTP message. Zeek supports persistent
and pipelined HTTP sessions and raises corresponding events as it parses
client/server dialogues. A "message" is one top-level HTTP entity, such as a
complete request or reply. Each message can have further nested sub-entities
inside. This event is raised once all sub-entities belonging to a top-level
message have been processed (and their corresponding ``http_entity_*`` events
generated).
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param is_orig: True if the entity was sent by the originator of the TCP
connection.
:param stat: Further meta information about the message.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_reply http_request http_stats
http_connection_upgrade
.. zeek:id:: http_reply
:source-code: base/protocols/http/main.zeek 274 313
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues. This event is generated as soon as a reply's initial line has
been parsed, and before any :zeek:id:`http_header` events are raised.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param version: The version number specified in the reply (e.g., ``1.1``).
:param code: The numerical response code returned by the server.
:param reason: The textual description returned by the server along with *code*.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_request
http_stats http_connection_upgrade
.. zeek:id:: http_request
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 26 26
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, method: :zeek:type:`string`, original_URI: :zeek:type:`string`, unescaped_URI: :zeek:type:`string`, version: :zeek:type:`string`)
Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
sessions and raises corresponding events as it parses client/server
dialogues. This event is generated as soon as a request's initial line has
been parsed, and before any :zeek:id:`http_header` events are raised.
See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
for more information about the HTTP protocol.
:param c: The connection.
:param method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``).
:param original_URI: The unprocessed URI as specified in the request.
:param unescaped_URI: The URI with all percent-encodings decoded.
:param version: The version number specified in the request (e.g., ``1.1``).
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply http_stats
truncate_http_URI http_connection_upgrade
.. zeek:id:: http_stats
:source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 253 253
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, stats: :zeek:type:`http_stats_rec`)
Generated at the end of an HTTP session to report statistics about it. This
event is raised after all of an HTTP session's requests and replies have been
fully processed.
:param c: The connection.
:param stats: Statistics summarizing HTTP-level properties of the finished
connection.
.. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
http_entity_data http_event http_header http_message_done http_reply
http_request http_connection_upgrade

60
doc/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,60 @@
:tocdepth: 3
base/bif/plugins/Zeek_HTTP.functions.bif.zeek
=============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
======================================================= ===============================================================
:zeek:id:`skip_http_entity_data`: :zeek:type:`function` Skips the data of the HTTP entity.
:zeek:id:`unescape_URI`: :zeek:type:`function` Unescapes all characters in a URI (decode every ``%xx`` group).
======================================================= ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: skip_http_entity_data
:source-code: base/bif/plugins/Zeek_HTTP.functions.bif.zeek 14 14
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`any`
Skips the data of the HTTP entity.
:param c: The HTTP connection.
:param is_orig: If true, the client data is skipped, and the server data otherwise.
.. zeek:see:: skip_smtp_data
.. zeek:id:: unescape_URI
:source-code: base/bif/plugins/Zeek_HTTP.functions.bif.zeek 30 30
:Type: :zeek:type:`function` (URI: :zeek:type:`string`) : :zeek:type:`string`
Unescapes all characters in a URI (decode every ``%xx`` group).
:param URI: The URI to unescape.
:returns: The unescaped URI with all ``%xx`` groups decoded.
.. note::
Unescaping reserved characters may cause loss of information.
:rfc:`2396`: A URI is always in an "escaped" form, since escaping or
unescaping a completed URI might change its semantics. Normally, the
only time escape encodings can safely be made is when the URI is
being created from its component parts.

529
doc/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,529 @@
:tocdepth: 3
base/bif/plugins/Zeek_ICMP.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================== =====================================================================
:zeek:id:`icmp_echo_reply`: :zeek:type:`event` Generated for ICMP *echo reply* messages.
:zeek:id:`icmp_echo_request`: :zeek:type:`event` Generated for ICMP *echo request* messages.
:zeek:id:`icmp_error_message`: :zeek:type:`event` Generated for all ICMPv6 error messages that are not handled
separately with dedicated events.
:zeek:id:`icmp_neighbor_advertisement`: :zeek:type:`event` Generated for ICMP *neighbor advertisement* messages.
:zeek:id:`icmp_neighbor_solicitation`: :zeek:type:`event` Generated for ICMP *neighbor solicitation* messages.
:zeek:id:`icmp_packet_too_big`: :zeek:type:`event` Generated for ICMPv6 *packet too big* messages.
:zeek:id:`icmp_parameter_problem`: :zeek:type:`event` Generated for ICMPv6 *parameter problem* messages.
:zeek:id:`icmp_redirect`: :zeek:type:`event` Generated for ICMP *redirect* messages.
:zeek:id:`icmp_router_advertisement`: :zeek:type:`event` Generated for ICMP *router advertisement* messages.
:zeek:id:`icmp_router_solicitation`: :zeek:type:`event` Generated for ICMP *router solicitation* messages.
:zeek:id:`icmp_sent`: :zeek:type:`event` Generated for all ICMP messages that are not handled separately with
dedicated ICMP events.
:zeek:id:`icmp_sent_payload`: :zeek:type:`event` The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
:zeek:id:`icmp_time_exceeded`: :zeek:type:`event` Generated for ICMP *time exceeded* messages.
:zeek:id:`icmp_unreachable`: :zeek:type:`event` Generated for ICMP *destination unreachable* messages.
========================================================== =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: icmp_echo_reply
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 88 88
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, id: :zeek:type:`count`, seq: :zeek:type:`count`, payload: :zeek:type:`string`)
Generated for ICMP *echo reply* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param id: The *echo reply* identifier.
:param seq: The *echo reply* sequence number.
:param payload: The message-specific data of the packet payload, i.e., everything
after the first 8 bytes of the ICMP header.
.. zeek:see:: icmp_echo_request
.. zeek:id:: icmp_echo_request
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 63 63
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, id: :zeek:type:`count`, seq: :zeek:type:`count`, payload: :zeek:type:`string`)
Generated for ICMP *echo request* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param id: The *echo request* identifier.
:param seq: The *echo request* sequence number.
:param payload: The message-specific data of the packet payload, i.e., everything
after the first 8 bytes of the ICMP header.
.. zeek:see:: icmp_echo_reply
.. zeek:id:: icmp_error_message
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 115 115
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for all ICMPv6 error messages that are not handled
separately with dedicated events. Zeek's ICMP analyzer handles a number
of ICMP error messages directly with dedicated events. This event acts
as a fallback for those it doesn't.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param code: The ICMP code of the error message.
:param context: A record with specifics of the original packet that the message
refers to.
.. zeek:see:: icmp_unreachable icmp_packet_too_big
icmp_time_exceeded icmp_parameter_problem
.. zeek:id:: icmp_neighbor_advertisement
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 343 343
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, router: :zeek:type:`bool`, solicited: :zeek:type:`bool`, override: :zeek:type:`bool`, tgt: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *neighbor advertisement* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param router: Flag indicating the sender is a router.
:param solicited: Flag indicating advertisement is in response to a solicitation.
:param override: Flag indicating advertisement should override existing caches.
:param tgt: the Target Address in the soliciting message or the address whose
link-layer address has changed for unsolicited adverts.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_solicitation icmp_redirect
.. zeek:id:: icmp_neighbor_solicitation
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 313 313
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, tgt: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *neighbor solicitation* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param tgt: The IP address of the target of the solicitation.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_advertisement icmp_redirect
.. zeek:id:: icmp_packet_too_big
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 171 171
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for ICMPv6 *packet too big* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param code: The ICMP code of the *too big* message.
:param context: A record with specifics of the original packet that the message
refers to. *Too big* messages should include the original IP header
from the packet that triggered them, and Zeek parses that into
the *context* structure. Note that if the *too big* includes only
a partial IP header for some reason, no fields of *context* will
be filled out.
.. zeek:see:: icmp_error_message icmp_unreachable
icmp_time_exceeded icmp_parameter_problem
.. zeek:id:: icmp_parameter_problem
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 227 227
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for ICMPv6 *parameter problem* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/ICMPv6>`__ for more
information about the ICMPv6 protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param code: The ICMP code of the *parameter problem* message.
:param context: A record with specifics of the original packet that the message
refers to. *Parameter problem* messages should include the original
IP header from the packet that triggered them, and Zeek parses that
into the *context* structure. Note that if the *parameter problem*
includes only a partial IP header for some reason, no fields
of *context* will be filled out.
.. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
icmp_time_exceeded
.. zeek:id:: icmp_redirect
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 369 369
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, tgt: :zeek:type:`addr`, dest: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *redirect* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param tgt: The address that is supposed to be a better first hop to use for
ICMP Destination Address.
:param dest: The address of the destination which is redirected to the target.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_solicitation icmp_router_advertisement
icmp_neighbor_solicitation icmp_neighbor_advertisement
.. zeek:id:: icmp_router_advertisement
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 290 290
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, cur_hop_limit: :zeek:type:`count`, managed: :zeek:type:`bool`, other: :zeek:type:`bool`, home_agent: :zeek:type:`bool`, pref: :zeek:type:`count`, proxy: :zeek:type:`bool`, rsv: :zeek:type:`count`, router_lifetime: :zeek:type:`interval`, reachable_time: :zeek:type:`interval`, retrans_timer: :zeek:type:`interval`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *router advertisement* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param cur_hop_limit: The default value that should be placed in Hop Count field
for outgoing IP packets.
:param managed: Managed address configuration flag, :rfc:`4861`.
:param other: Other stateful configuration flag, :rfc:`4861`.
:param home_agent: Mobile IPv6 home agent flag, :rfc:`3775`.
:param pref: Router selection preferences, :rfc:`4191`.
:param proxy: Neighbor discovery proxy flag, :rfc:`4389`.
:param rsv: Remaining two reserved bits of router advertisement flags.
:param router_lifetime: How long this router should be used as a default router.
:param reachable_time: How long a neighbor should be considered reachable.
:param retrans_timer: How long a host should wait before retransmitting.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_solicitation
icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
.. zeek:id:: icmp_router_solicitation
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 248 248
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, options: :zeek:type:`icmp6_nd_options`)
Generated for ICMP *router solicitation* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
.. zeek:see:: icmp_router_advertisement
icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
.. zeek:id:: icmp_sent
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 22 22
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`)
Generated for all ICMP messages that are not handled separately with
dedicated ICMP events. Zeek's ICMP analyzer handles a number of ICMP messages
directly with dedicated events. This event acts as a fallback for those it
doesn't.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
.. zeek:see:: icmp_error_message icmp_sent_payload
.. zeek:id:: icmp_sent_payload
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 38 38
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, payload: :zeek:type:`string`)
The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param info: Additional ICMP-specific information augmenting the standard
connection record *c*.
:param payload: The payload of the ICMP message.
.. zeek:see:: icmp_error_message icmp_sent_payload
.. zeek:id:: icmp_time_exceeded
:source-code: policy/misc/detect-traceroute/main.zeek 100 103
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for ICMP *time exceeded* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param code: The ICMP code of the *exceeded* message.
:param context: A record with specifics of the original packet that the message
refers to. *Unreachable* messages should include the original IP
header from the packet that triggered them, and Zeek parses that
into the *context* structure. Note that if the *exceeded* includes
only a partial IP header for some reason, no fields of *context*
will be filled out.
.. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
icmp_parameter_problem
.. zeek:id:: icmp_unreachable
:source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 143 143
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
Generated for ICMP *destination unreachable* messages.
See `Wikipedia
<http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
information about the ICMP protocol.
:param c: The connection record for the corresponding ICMP flow.
:param icmp: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param info: Additional ICMP-specific information augmenting the standard connection
record *c*.
:param code: The ICMP code of the *unreachable* message.
:param context: A record with specifics of the original packet that the message
refers to. *Unreachable* messages should include the original IP
header from the packet that triggered them, and Zeek parses that
into the *context* structure. Note that if the *unreachable*
includes only a partial IP header for some reason, no
fields of *context* will be filled out.
.. zeek:see:: icmp_error_message icmp_packet_too_big
icmp_time_exceeded icmp_parameter_problem

51
doc/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,51 @@
:tocdepth: 3
base/bif/plugins/Zeek_IMAP.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ ==================================================================
:zeek:id:`imap_capabilities`: :zeek:type:`event` Generated when a server sends a capability list to the client,
after being queried using the CAPABILITY command.
:zeek:id:`imap_starttls`: :zeek:type:`event` Generated when a IMAP connection goes encrypted after a successful
StartTLS exchange between the client and the server.
================================================ ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: imap_capabilities
:source-code: base/bif/plugins/Zeek_IMAP.events.bif.zeek 10 10
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, capabilities: :zeek:type:`string_vec`)
Generated when a server sends a capability list to the client,
after being queried using the CAPABILITY command.
:param c: The connection.
:param capabilities: The list of IMAP capabilities as sent by the server.
.. zeek:id:: imap_starttls
:source-code: base/bif/plugins/Zeek_IMAP.events.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when a IMAP connection goes encrypted after a successful
StartTLS exchange between the client and the server.
:param c: The connection.

1162
doc/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek.rst Normal file
View file

File diff suppressed because it is too large Load diff

112
doc/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,112 @@
:tocdepth: 3
base/bif/plugins/Zeek_Ident.events.bif.zeek
===========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================ ==================================
:zeek:id:`ident_error`: :zeek:type:`event` Generated for Ident error replies.
:zeek:id:`ident_reply`: :zeek:type:`event` Generated for Ident replies.
:zeek:id:`ident_request`: :zeek:type:`event` Generated for Ident requests.
============================================ ==================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ident_error
:source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 67 67
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`, line: :zeek:type:`string`)
Generated for Ident error replies.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:param c: The connection.
:param lport: The corresponding request's local port.
:param rport: The corresponding request's remote port.
:param line: The error description returned by the reply.
.. zeek:see:: ident_reply ident_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: ident_reply
:source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 45 45
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`, user_id: :zeek:type:`string`, system: :zeek:type:`string`)
Generated for Ident replies.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:param c: The connection.
:param lport: The corresponding request's local port.
:param rport: The corresponding request's remote port.
:param user_id: The user id returned by the reply.
:param system: The operating system returned by the reply.
.. zeek:see:: ident_error ident_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: ident_request
:source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`)
Generated for Ident requests.
See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
information about the Ident protocol.
:param c: The connection.
:param lport: The request's local port.
:param rport: The request's remote port.
.. zeek:see:: ident_error ident_reply
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

15
doc/scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

260
doc/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,260 @@
:tocdepth: 3
base/bif/plugins/Zeek_KRB.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ==================================================================
:zeek:id:`krb_ap_request`: :zeek:type:`event` A Kerberos 5 ``Authentication Header (AP) Request`` as defined
in :rfc:`4120`.
:zeek:id:`krb_ap_response`: :zeek:type:`event` A Kerberos 5 ``Authentication Header (AP) Response`` as defined
in :rfc:`4120`.
:zeek:id:`krb_as_request`: :zeek:type:`event` A Kerberos 5 ``Authentication Server (AS) Request`` as defined
in :rfc:`4120`.
:zeek:id:`krb_as_response`: :zeek:type:`event` A Kerberos 5 ``Authentication Server (AS) Response`` as defined
in :rfc:`4120`.
:zeek:id:`krb_cred`: :zeek:type:`event` A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`.
:zeek:id:`krb_error`: :zeek:type:`event` A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
:zeek:id:`krb_priv`: :zeek:type:`event` A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`.
:zeek:id:`krb_safe`: :zeek:type:`event` A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`.
:zeek:id:`krb_tgs_request`: :zeek:type:`event` A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
in :rfc:`4120`.
:zeek:id:`krb_tgs_response`: :zeek:type:`event` A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
in :rfc:`4120`.
=============================================== ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: krb_ap_request
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 90 90
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, ticket: :zeek:type:`KRB::Ticket`, opts: :zeek:type:`KRB::AP_Options`)
A Kerberos 5 ``Authentication Header (AP) Request`` as defined
in :rfc:`4120`. This message contains authentication information
that should be part of the first message in an authenticated
transaction.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param ticket: The Kerberos ticket being used for authentication.
:param opts: A Kerberos AP options data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_ap_response
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 106 106
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
A Kerberos 5 ``Authentication Header (AP) Response`` as defined
in :rfc:`4120`. This is used if mutual authentication is desired.
All of the interesting information in here is encrypted, so the event
doesn't have much useful data, but it's provided in case it's important
to know that this message was sent.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_as_request
:source-code: base/protocols/krb/main.zeek 145 168
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Request`)
A Kerberos 5 ``Authentication Server (AS) Request`` as defined
in :rfc:`4120`. The AS request contains a username of the client
requesting authentication, and returns an AS reply with an
encrypted Ticket Granting Ticket (TGT) for that user. The TGT
can then be used to request further tickets for other services.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos KDC request message data structure.
.. zeek:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_as_response
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 36 36
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Response`)
A Kerberos 5 ``Authentication Server (AS) Response`` as defined
in :rfc:`4120`. Following the AS request for a user, an AS reply
contains an encrypted Ticket Granting Ticket (TGT) for that user.
The TGT can then be used to request further tickets for other services.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos KDC reply message data structure.
.. zeek:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_cred
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 157 157
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, tickets: :zeek:type:`KRB::Ticket_Vector`)
A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`. This is
a private (encrypted) message to forward credentials.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param is_orig: Whether the originator of the connection sent this message.
:param tickets: Tickets obtained from the KDC that are being forwarded.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_safe krb_error
.. zeek:id:: krb_error
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 171 171
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::Error_Msg`)
A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos error message data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
.. zeek:id:: krb_priv
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 123 123
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`. This
is a private (encrypted) application message, so the event doesn't
have much useful data, but it's provided in case it's important to
know that this message was sent.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param is_orig: Whether the originator of the connection sent this message.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_safe krb_cred krb_error
.. zeek:id:: krb_safe
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 140 140
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`KRB::SAFE_Msg`)
A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`. This is a
safe (checksummed) application message.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param is_orig: Whether the originator of the connection sent this message.
:param msg: A Kerberos SAFE message data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
krb_ap_request krb_ap_response krb_priv krb_cred krb_error
.. zeek:id:: krb_tgs_request
:source-code: base/protocols/krb/main.zeek 196 214
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Request`)
A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
in :rfc:`4120`. Following the Authentication Server exchange, if
successful, the client now has a Ticket Granting Ticket (TGT). To
authenticate to a Kerberized service, the client requests a Service
Ticket, which will be returned in the TGS reply.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos KDC request message data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error
.. zeek:id:: krb_tgs_response
:source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 71 71
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Response`)
A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
in :rfc:`4120`. This message returns a Service Ticket to the client,
which is encrypted with the service's long-term key, and which the
client can use to authenticate to that service.
See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
more information about the Kerberos protocol.
:param c: The connection over which this Kerberos message was sent.
:param msg: A Kerberos KDC reply message data structure.
.. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
krb_ap_response krb_priv krb_safe krb_cred krb_error

16
doc/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_KRB.types.bif.zeek
========================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: KRB
:Namespaces: GLOBAL, KRB
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

565
doc/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,565 @@
:tocdepth: 3
base/bif/plugins/Zeek_Login.events.bif.zeek
===========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== =========================================================================
:zeek:id:`activating_encryption`: :zeek:type:`event` Generated for Telnet sessions when encryption is activated.
:zeek:id:`authentication_accepted`: :zeek:type:`event` Generated when a Telnet authentication has been successful.
:zeek:id:`authentication_rejected`: :zeek:type:`event` Generated when a Telnet authentication has been unsuccessful.
:zeek:id:`authentication_skipped`: :zeek:type:`event` Generated for Telnet/Rlogin sessions when a pattern match indicates
that no authentication is performed.
:zeek:id:`bad_option`: :zeek:type:`event` Generated for an ill-formed or unrecognized Telnet option.
:zeek:id:`bad_option_termination`: :zeek:type:`event` Generated for a Telnet option that's incorrectly terminated.
:zeek:id:`inconsistent_option`: :zeek:type:`event` Generated for an inconsistent Telnet option.
:zeek:id:`login_confused`: :zeek:type:`event` Generated when tracking of Telnet/Rlogin authentication failed.
:zeek:id:`login_confused_text`: :zeek:type:`event` Generated after getting confused while tracking a Telnet/Rlogin
authentication dialog.
:zeek:id:`login_display`: :zeek:type:`event` Generated for clients transmitting an X11 DISPLAY in a Telnet session.
:zeek:id:`login_failure`: :zeek:type:`event` Generated for Telnet/Rlogin login failures.
:zeek:id:`login_input_line`: :zeek:type:`event` Generated for lines of input on Telnet/Rlogin sessions.
:zeek:id:`login_output_line`: :zeek:type:`event` Generated for lines of output on Telnet/Rlogin sessions.
:zeek:id:`login_prompt`: :zeek:type:`event` Generated for clients transmitting a terminal prompt in a Telnet session.
:zeek:id:`login_success`: :zeek:type:`event` Generated for successful Telnet/Rlogin logins.
:zeek:id:`login_terminal`: :zeek:type:`event` Generated for clients transmitting a terminal type in a Telnet session.
:zeek:id:`rsh_reply`: :zeek:type:`event` Generated for client side commands on an RSH connection.
:zeek:id:`rsh_request`: :zeek:type:`event` Generated for client side commands on an RSH connection.
====================================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: activating_encryption
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 367 367
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for Telnet sessions when encryption is activated. The Telnet
protocol includes options for negotiating encryption. When such a series of
options is successfully negotiated, the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: authentication_accepted authentication_rejected authentication_skipped
login_confused login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. zeek:id:: authentication_accepted
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 279 279
:Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`)
Generated when a Telnet authentication has been successful. The Telnet
protocol includes options for negotiating authentication. When such an
option is sent from client to server and the server replies that it accepts
the authentication, then the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param name: The authenticated name.
:param c: The connection.
.. zeek:see:: authentication_rejected authentication_skipped login_success
.. note:: This event inspects the corresponding Telnet option
while :zeek:id:`login_success` heuristically determines success by watching
session data.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: authentication_rejected
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 305 305
:Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`)
Generated when a Telnet authentication has been unsuccessful. The Telnet
protocol includes options for negotiating authentication. When such an option
is sent from client to server and the server replies that it did not accept
the authentication, then the event engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param name: The attempted authentication name.
:param c: The connection.
.. zeek:see:: authentication_accepted authentication_skipped login_failure
.. note:: This event inspects the corresponding Telnet option
while :zeek:id:`login_success` heuristically determines failure by watching
session data.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: authentication_skipped
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 330 330
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for Telnet/Rlogin sessions when a pattern match indicates
that no authentication is performed.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: authentication_accepted authentication_rejected direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts
login_success_msgs login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying activity. This
configuration has not yet been ported, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: bad_option
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 407 407
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for an ill-formed or unrecognized Telnet option.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: inconsistent_option bad_option_termination authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: bad_option_termination
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 427 427
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for a Telnet option that's incorrectly terminated.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: inconsistent_option bad_option authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: inconsistent_option
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 387 387
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for an inconsistent Telnet option. Telnet options are specified
by the client and server stating which options they are willing to
support vs. which they are not, and then instructing one another which in
fact they should or should not use for the current connection. If the event
engine sees a peer violate either what the other peer has instructed it to
do, or what it itself offered in terms of options in the past, then the
engine generates this event.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
.. zeek:see:: bad_option bad_option_termination authentication_accepted
authentication_rejected authentication_skipped login_confused
login_confused_text login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. zeek:id:: login_confused
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 195 195
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`, line: :zeek:type:`string`)
Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
*login* analyzer uses a number of heuristics to extract authentication
information, it may become confused. If it can no longer correctly track
the authentication dialog, it raises this event.
:param c: The connection.
:param msg: Gives the particular problem the heuristics detected (for example,
``multiple_login_prompts`` means that the engine saw several login
prompts in a row, without the type-ahead from the client side presumed
necessary to cause them)
:param line: The line of text that caused the heuristics to conclude they were
confused.
.. zeek:see:: login_confused_text login_display login_failure login_input_line login_output_line
login_prompt login_success login_terminal direct_login_prompts get_login_state
login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
login_timeouts set_login_state
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_confused_text
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 217 217
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
Generated after getting confused while tracking a Telnet/Rlogin
authentication dialog. The *login* analyzer generates this even for every
line of user input after it has reported :zeek:id:`login_confused` for a
connection.
:param c: The connection.
:param line: The line the user typed.
.. zeek:see:: login_confused login_display login_failure login_input_line
login_output_line login_prompt login_success login_terminal direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts
login_success_msgs login_timeouts set_login_state
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_display
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 253 253
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, display: :zeek:type:`string`)
Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
information is extracted out of environment variables sent as Telnet options.
:param c: The connection.
:param display: The DISPLAY transmitted.
.. zeek:see:: login_confused login_confused_text login_failure login_input_line
login_output_line login_prompt login_success login_terminal
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_failure
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 95 95
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, client_user: :zeek:type:`string`, password: :zeek:type:`string`, line: :zeek:type:`string`)
Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
Telnet/Rlogin sessions to heuristically extract username and password
information as well as the text returned by the login server. This event is
raised if a login attempt appears to have been unsuccessful.
:param c: The connection.
:param user: The user name tried.
:param client_user: For Telnet connections, this is an empty string, but for Rlogin
connections, it is the client name passed in the initial authentication
information (to check against .rhosts).
:param password: The password tried.
:param line: The line of text that led the analyzer to conclude that the
authentication had failed.
.. zeek:see:: login_confused login_confused_text login_display login_input_line
login_output_line login_prompt login_success login_terminal direct_login_prompts
get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying login attempts. This
configuration has not yet been ported, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Zeeks's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_input_line
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 149 149
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
Generated for lines of input on Telnet/Rlogin sessions. The line will have
control characters (such as in-band Telnet options) removed.
:param c: The connection.
:param line: The input line.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_output_line login_prompt login_success login_terminal rsh_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_output_line
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 167 167
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
Generated for lines of output on Telnet/Rlogin sessions. The line will have
control characters (such as in-band Telnet options) removed.
:param c: The connection.
:param line: The output line.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_input_line login_prompt login_success login_terminal rsh_reply
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_prompt
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 352 352
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, prompt: :zeek:type:`string`)
Generated for clients transmitting a terminal prompt in a Telnet session.
This information is extracted out of environment variables sent as Telnet
options.
See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
about the Telnet protocol.
:param c: The connection.
:param prompt: The TTYPROMPT transmitted.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_success login_terminal
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_success
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 131 131
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, client_user: :zeek:type:`string`, password: :zeek:type:`string`, line: :zeek:type:`string`)
Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
Telnet/Rlogin sessions to heuristically extract username and password
information as well as the text returned by the login server. This event is
raised if a login attempt appears to have been successful.
:param c: The connection.
:param user: The user name used.
:param client_user: For Telnet connections, this is an empty string, but for Rlogin
connections, it is the client name passed in the initial authentication
information (to check against .rhosts).
:param password: The password used.
:param line: The line of text that led the analyzer to conclude that the
authentication had succeeded.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_prompt login_terminal
direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
login_prompts login_success_msgs login_timeouts set_login_state
.. note:: The login analyzer depends on a set of script-level variables that
need to be configured with patterns identifying login attempts. This
configuration has not yet been ported, and
the analyzer is therefore not directly usable at the moment.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: login_terminal
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 235 235
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, terminal: :zeek:type:`string`)
Generated for clients transmitting a terminal type in a Telnet session. This
information is extracted out of environment variables sent as Telnet options.
:param c: The connection.
:param terminal: The TERM value transmitted.
.. zeek:see:: login_confused login_confused_text login_display login_failure
login_input_line login_output_line login_prompt login_success
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to add a
call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
signature.
.. zeek:id:: rsh_reply
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 59 59
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, client_user: :zeek:type:`string`, server_user: :zeek:type:`string`, line: :zeek:type:`string`)
Generated for client side commands on an RSH connection.
See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
:param c: The connection.
:param client_user: The client-side user name as sent in the initial protocol
handshake.
:param server_user: The server-side user name as sent in the initial protocol
handshake.
:param line: The command line sent in the request.
.. zeek:see:: rsh_request login_confused login_confused_text login_display
login_failure login_input_line login_output_line login_prompt login_success
login_terminal
.. note:: For historical reasons, these events are separate from the
``login_`` events. Ideally, they would all be handled uniquely.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: rsh_request
:source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 31 31
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, client_user: :zeek:type:`string`, server_user: :zeek:type:`string`, line: :zeek:type:`string`, new_session: :zeek:type:`bool`)
Generated for client side commands on an RSH connection.
See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
:param c: The connection.
:param client_user: The client-side user name as sent in the initial protocol
handshake.
:param server_user: The server-side user name as sent in the initial protocol
handshake.
:param line: The command line sent in the request.
:param new_session: True if this is the first command of the Rsh session.
.. zeek:see:: rsh_reply login_confused login_confused_text login_display
login_failure login_input_line login_output_line login_prompt login_success
login_terminal
.. note:: For historical reasons, these events are separate from the
``login_`` events. Ideally, they would all be handled uniquely.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

71
doc/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,71 @@
:tocdepth: 3
base/bif/plugins/Zeek_Login.functions.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
================================================= ===================================================================
:zeek:id:`get_login_state`: :zeek:type:`function` Returns the state of the given login (Telnet or Rlogin) connection.
:zeek:id:`set_login_state`: :zeek:type:`function` Sets the login state of a connection with a login analyzer.
================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: get_login_state
:source-code: base/bif/plugins/Zeek_Login.functions.bif.zeek 26 26
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`count`
Returns the state of the given login (Telnet or Rlogin) connection.
:param cid: The connection ID.
:returns: False if the connection is not active or is not tagged as a
login analyzer. Otherwise the function returns the state, which can
be one of:
- ``LOGIN_STATE_AUTHENTICATE``: The connection is in its
initial authentication dialog.
- ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has
successfully authenticated.
- ``LOGIN_STATE_SKIP``: The analyzer has skipped any further
processing of the connection.
- ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it
does not correctly know the state of the connection, and/or
the username associated with it.
.. zeek:see:: set_login_state
.. zeek:id:: set_login_state
:source-code: base/bif/plugins/Zeek_Login.functions.bif.zeek 40 40
:Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, new_state: :zeek:type:`count`) : :zeek:type:`bool`
Sets the login state of a connection with a login analyzer.
:param cid: The connection ID.
:param new_state: The new state of the login analyzer. See
:zeek:id:`get_login_state` for possible values.
:returns: Returns false if *cid* is not an active connection
or is not tagged as a login analyzer, and true otherwise.
.. zeek:see:: get_login_state

15
doc/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_MIME.consts.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

289
doc/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,289 @@
:tocdepth: 3
base/bif/plugins/Zeek_MIME.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ =============================================================================
:zeek:id:`mime_all_data`: :zeek:type:`event` Generated for passing on all data decoded from a single email MIME
message.
:zeek:id:`mime_all_headers`: :zeek:type:`event` Generated for MIME headers extracted from email MIME entities, passing all
headers at once.
:zeek:id:`mime_begin_entity`: :zeek:type:`event` Generated when starting to parse an email MIME entity.
:zeek:id:`mime_content_hash`: :zeek:type:`event` Generated for decoded MIME entities extracted from email messages, passing on
their MD5 checksums.
:zeek:id:`mime_end_entity`: :zeek:type:`event` Generated when finishing parsing an email MIME entity.
:zeek:id:`mime_entity_data`: :zeek:type:`event` Generated for data decoded from an email MIME entity.
:zeek:id:`mime_event`: :zeek:type:`event` Generated for errors found when decoding email MIME entities.
:zeek:id:`mime_one_header`: :zeek:type:`event` Generated for individual MIME headers extracted from email MIME
entities.
:zeek:id:`mime_segment_data`: :zeek:type:`event` Generated for chunks of decoded MIME data from email MIME entities.
================================================ =============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: mime_all_data
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 164 164
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for passing on all data decoded from a single email MIME
message. If an email message has more than one MIME entity, this event
combines all their data into a single value for analysis. Note that because
of the potentially significant buffering necessary, using this event can be
expensive.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param length: The length of *data*.
:param data: The raw data of all MIME entities concatenated.
.. zeek:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
.. note:: While Zeek also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. zeek:id:: mime_all_headers
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 85 85
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hlist: :zeek:type:`mime_header_list`)
Generated for MIME headers extracted from email MIME entities, passing all
headers at once. MIME is a protocol-independent data format for encoding
text and files, along with corresponding metadata, for transmission.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param hlist: A *table* containing all headers extracted from the current entity.
The table is indexed by the position of the header (1 for the first,
2 for the second, etc.).
.. zeek:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
http_header http_all_headers
.. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
however, it raises :zeek:id:`http_header` instead.
.. zeek:id:: mime_begin_entity
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when starting to parse an email MIME entity. MIME is a
protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. Zeek raises this event when it
begins parsing a MIME entity extracted from an email protocol.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
.. zeek:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
http_begin_entity
.. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
however, it raises :zeek:id:`http_begin_entity` instead.
.. zeek:id:: mime_content_hash
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 207 207
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, content_len: :zeek:type:`count`, hash_value: :zeek:type:`string`)
Generated for decoded MIME entities extracted from email messages, passing on
their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
each MIME entity.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param content_len: The length of the entity being hashed.
:param hash_value: The MD5 hash.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
mime_entity_data mime_event mime_one_header mime_segment_data
.. note:: While Zeek also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. zeek:id:: mime_end_entity
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 41 41
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when finishing parsing an email MIME entity. MIME is a
protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. Zeek raises this event when it
finished parsing a MIME entity extracted from an email protocol.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
http_end_entity
.. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
however, it raises :zeek:id:`http_end_entity` instead.
.. zeek:id:: mime_entity_data
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 140 140
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for data decoded from an email MIME entity. This event delivers
the complete content of a single MIME entity with the quoted-printable and
and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
which passes on a sequence of data chunks as they come in. While
``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
more efficient as Zeek does not need to buffer the data. Thus, if possible,
the latter should be preferred.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param length: The length of *data*.
:param data: The raw data of the complete entity.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_event mime_one_header mime_segment_data
.. note:: While Zeek also decodes MIME entities extracted from HTTP
sessions, there's no corresponding event for that currently.
.. zeek:id:: mime_event
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 185 185
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, event_type: :zeek:type:`string`, detail: :zeek:type:`string`)
Generated for errors found when decoding email MIME entities.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param event_type: A string describing the general category of the problem found
(e.g., ``illegal format``).
:param detail: Further more detailed description of the error.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
.. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
however, it raises :zeek:id:`http_event` instead.
.. zeek:id:: mime_one_header
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 62 62
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, h: :zeek:type:`mime_header_rec`)
Generated for individual MIME headers extracted from email MIME
entities. MIME is a protocol-independent data format for encoding text and
files, along with corresponding metadata, for transmission.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param h: The parsed MIME header.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_event mime_segment_data
http_header http_all_headers
.. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
however, it raises :zeek:id:`http_header` instead.
.. zeek:id:: mime_segment_data
:source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 114 114
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for chunks of decoded MIME data from email MIME entities. MIME
is a protocol-independent data format for encoding text and files, along with
corresponding metadata, for transmission. As Zeek parses the data of an
entity, it raises a sequence of these events, each coming as soon as a new
chunk of data is available. In contrast, there is also
:zeek:id:`mime_entity_data`, which passes all of an entities data at once
in a single block. While the latter is more convenient to handle,
``mime_segment_data`` is more efficient as Zeek does not need to buffer
the data. Thus, if possible, this event should be preferred.
Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
`Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
about MIME.
:param c: The connection.
:param length: The length of *data*.
:param data: The raw data of one segment of the current entity.
.. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
mime_segment_length mime_segment_overlap_length
.. note:: Zeek also extracts MIME data from HTTP sessions. For those,
however, it raises :zeek:id:`http_entity_data` (sic!) instead.

239
doc/scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,239 @@
:tocdepth: 3
base/bif/plugins/Zeek_MQTT.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ===========================================================================================
:zeek:id:`mqtt_connack`: :zeek:type:`event` Generated for MQTT acknowledge connection messages
:zeek:id:`mqtt_connect`: :zeek:type:`event` Generated for MQTT "client requests a connection" messages
:zeek:id:`mqtt_disconnect`: :zeek:type:`event` Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.
:zeek:id:`mqtt_pingreq`: :zeek:type:`event` Generated for MQTT ping requests sent by the client.
:zeek:id:`mqtt_pingresp`: :zeek:type:`event` Generated for MQTT ping responses sent by the server.
:zeek:id:`mqtt_puback`: :zeek:type:`event` Generated for MQTT publish acknowledgement messages
:zeek:id:`mqtt_pubcomp`: :zeek:type:`event` Generated for MQTT publish complete messages (QoS 2 publish received, part 3)
:zeek:id:`mqtt_publish`: :zeek:type:`event` Generated for MQTT publish messages
:zeek:id:`mqtt_pubrec`: :zeek:type:`event` Generated for MQTT publish received messages (QoS 2 publish received, part 1)
:zeek:id:`mqtt_pubrel`: :zeek:type:`event` Generated for MQTT publish release messages (QoS 2 publish received, part 2)
:zeek:id:`mqtt_suback`: :zeek:type:`event` Generated for MQTT subscribe messages
:zeek:id:`mqtt_subscribe`: :zeek:type:`event` Generated for MQTT subscribe messages
:zeek:id:`mqtt_unsuback`: :zeek:type:`event` Generated for MQTT unsubscribe acknowledgements sent by the server
:zeek:id:`mqtt_unsubscribe`: :zeek:type:`event` Generated for MQTT unsubscribe messages sent by the client
=============================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: mqtt_connack
:source-code: base/protocols/mqtt/main.zeek 190 197
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`MQTT::ConnectAckMsg`)
Generated for MQTT acknowledge connection messages
:param c: The connection
:param msg: MQTT connect ack message fields.
.. zeek:id:: mqtt_connect
:source-code: base/protocols/mqtt/main.zeek 177 188
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`MQTT::ConnectMsg`)
Generated for MQTT "client requests a connection" messages
:param c: The connection
:param msg: MQTT connect message fields.
.. zeek:id:: mqtt_disconnect
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 127 127
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.
:param c: The connection
.. zeek:id:: mqtt_pingreq
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 115 115
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for MQTT ping requests sent by the client.
:param c: The connection
.. zeek:id:: mqtt_pingresp
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 121 121
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for MQTT ping responses sent by the server.
:param c: The connection
.. zeek:id:: mqtt_puback
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 37 37
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
Generated for MQTT publish acknowledgement messages
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_pubcomp
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 67 67
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
Generated for MQTT publish complete messages (QoS 2 publish received, part 3)
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_publish
:source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 27 27
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`, msg: :zeek:type:`MQTT::PublishMsg`)
Generated for MQTT publish messages
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg: The MQTT publish message record.
.. zeek:id:: mqtt_pubrec
:source-code: base/protocols/mqtt/main.zeek 257 266
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
Generated for MQTT publish received messages (QoS 2 publish received, part 1)
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_pubrel
:source-code: base/protocols/mqtt/main.zeek 268 277
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
Generated for MQTT publish release messages (QoS 2 publish received, part 2)
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_suback
:source-code: base/protocols/mqtt/main.zeek 320 333
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, granted_qos: :zeek:type:`count`)
Generated for MQTT subscribe messages
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_subscribe
:source-code: base/protocols/mqtt/main.zeek 306 318
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, topics: :zeek:type:`string_vec`, requested_qos: :zeek:type:`index_vec`)
Generated for MQTT subscribe messages
:param c: The connection
:param is_orig: Direction in which the message was sent
:param msg_id: The id value for the message.
:param topics: The topics being subscribed to
:param requested_qos: The desired QoS option associated with each topic.
.. zeek:id:: mqtt_unsuback
:source-code: base/protocols/mqtt/main.zeek 348 360
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`)
Generated for MQTT unsubscribe acknowledgements sent by the server
:param c: The connection
:param msg_id: The id value for the message.
.. zeek:id:: mqtt_unsubscribe
:source-code: base/protocols/mqtt/main.zeek 335 346
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, topics: :zeek:type:`string_vec`)
Generated for MQTT unsubscribe messages sent by the client
:param c: The connection
:param msg_id: The id value for the message.
:param topics: The topics being unsubscribed from

15
doc/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_MQTT.types.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

650
doc/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,650 @@
:tocdepth: 3
base/bif/plugins/Zeek_Modbus.events.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================================ ======================================================================
:zeek:id:`modbus_diagnostics_request`: :zeek:type:`event` Generated for a Modbus Diagnostics request.
:zeek:id:`modbus_diagnostics_response`: :zeek:type:`event` Generated for a Modbus Diagnostics response.
:zeek:id:`modbus_encap_interface_transport_request`: :zeek:type:`event` Generated for a Modbus Encapsulated Interface Transport request.
:zeek:id:`modbus_encap_interface_transport_response`: :zeek:type:`event` Generated for a Modbus Encapsulated Interface Transport response.
:zeek:id:`modbus_exception`: :zeek:type:`event` Generated for any Modbus exception message.
:zeek:id:`modbus_mask_write_register_request`: :zeek:type:`event` Generated for a Modbus mask write register request.
:zeek:id:`modbus_mask_write_register_response`: :zeek:type:`event` Generated for a Modbus mask write register request.
:zeek:id:`modbus_message`: :zeek:type:`event` Generated for any Modbus message regardless if the particular function
is further supported or not.
:zeek:id:`modbus_read_coils_request`: :zeek:type:`event` Generated for a Modbus read coils request.
:zeek:id:`modbus_read_coils_response`: :zeek:type:`event` Generated for a Modbus read coils response.
:zeek:id:`modbus_read_discrete_inputs_request`: :zeek:type:`event` Generated for a Modbus read discrete inputs request.
:zeek:id:`modbus_read_discrete_inputs_response`: :zeek:type:`event` Generated for a Modbus read discrete inputs response.
:zeek:id:`modbus_read_fifo_queue_request`: :zeek:type:`event` Generated for a Modbus read FIFO queue request.
:zeek:id:`modbus_read_fifo_queue_response`: :zeek:type:`event` Generated for a Modbus read FIFO queue response.
:zeek:id:`modbus_read_file_record_request`: :zeek:type:`event` Generated for a Modbus read file record request.
:zeek:id:`modbus_read_file_record_response`: :zeek:type:`event` Generated for a Modbus read file record response.
:zeek:id:`modbus_read_holding_registers_request`: :zeek:type:`event` Generated for a Modbus read holding registers request.
:zeek:id:`modbus_read_holding_registers_response`: :zeek:type:`event` Generated for a Modbus read holding registers response.
:zeek:id:`modbus_read_input_registers_request`: :zeek:type:`event` Generated for a Modbus read input registers request.
:zeek:id:`modbus_read_input_registers_response`: :zeek:type:`event` Generated for a Modbus read input registers response.
:zeek:id:`modbus_read_write_multiple_registers_request`: :zeek:type:`event` Generated for a Modbus read/write multiple registers request.
:zeek:id:`modbus_read_write_multiple_registers_response`: :zeek:type:`event` Generated for a Modbus read/write multiple registers response.
:zeek:id:`modbus_write_file_record_request`: :zeek:type:`event` Generated for a Modbus write file record request.
:zeek:id:`modbus_write_file_record_response`: :zeek:type:`event` Generated for a Modbus write file record response.
:zeek:id:`modbus_write_multiple_coils_request`: :zeek:type:`event` Generated for a Modbus write multiple coils request.
:zeek:id:`modbus_write_multiple_coils_response`: :zeek:type:`event` Generated for a Modbus write multiple coils response.
:zeek:id:`modbus_write_multiple_registers_request`: :zeek:type:`event` Generated for a Modbus write multiple registers request.
:zeek:id:`modbus_write_multiple_registers_response`: :zeek:type:`event` Generated for a Modbus write multiple registers response.
:zeek:id:`modbus_write_single_coil_request`: :zeek:type:`event` Generated for a Modbus write single coil request.
:zeek:id:`modbus_write_single_coil_response`: :zeek:type:`event` Generated for a Modbus write single coil response.
:zeek:id:`modbus_write_single_register_request`: :zeek:type:`event` Generated for a Modbus write single register request.
:zeek:id:`modbus_write_single_register_response`: :zeek:type:`event` Generated for a Modbus write single register response.
============================================================================ ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: modbus_diagnostics_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 341 341
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, subfunction: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for a Modbus Diagnostics request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param subfunction: The subfunction for the diagnostics request.
:param data: The data passed in the diagnostics request.
.. zeek:id:: modbus_diagnostics_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 353 353
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, subfunction: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for a Modbus Diagnostics response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param subfunction: The subfunction for the diagnostics response.
:param data: The data passed in the diagnostics response.
.. zeek:id:: modbus_encap_interface_transport_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 365 365
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, mei_type: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for a Modbus Encapsulated Interface Transport request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param mei_type: The MEI type for the request.
:param data: The MEI type specific data passed in the request.
.. zeek:id:: modbus_encap_interface_transport_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 377 377
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, mei_type: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for a Modbus Encapsulated Interface Transport response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param mei_type: The MEI type for the response.
:param data: The MEI type specific data passed in the response.
.. zeek:id:: modbus_exception
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 22 22
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, code: :zeek:type:`count`)
Generated for any Modbus exception message.
:param c: The connection.
:param headers: The headers for the modbus function.
:param code: The exception code.
.. zeek:id:: modbus_mask_write_register_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 268 268
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, and_mask: :zeek:type:`count`, or_mask: :zeek:type:`count`)
Generated for a Modbus mask write register request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the register where the masks should be applied.
:param and_mask: The value of the logical AND mask to apply to the register.
:param or_mask: The value of the logical OR mask to apply to the register.
.. zeek:id:: modbus_mask_write_register_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 282 282
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, and_mask: :zeek:type:`count`, or_mask: :zeek:type:`count`)
Generated for a Modbus mask write register request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the register where the masks were applied.
:param and_mask: The value of the logical AND mask applied register.
:param or_mask: The value of the logical OR mask applied to the register.
.. zeek:id:: modbus_message
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 12 12
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, is_orig: :zeek:type:`bool`)
Generated for any Modbus message regardless if the particular function
is further supported or not.
:param c: The connection.
:param headers: The headers for the modbus function.
:param is_orig: True if the event is raised for the originator side.
.. zeek:id:: modbus_read_coils_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 34 34
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus read coils request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first coil to be read.
:param quantity: The number of coils to be read.
.. zeek:id:: modbus_read_coils_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 44 44
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, coils: :zeek:type:`ModbusCoils`)
Generated for a Modbus read coils response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param coils: The coil values returned from the device.
.. zeek:id:: modbus_read_discrete_inputs_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 56 56
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus read discrete inputs request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first coil to be read.
:param quantity: The number of coils to be read.
.. zeek:id:: modbus_read_discrete_inputs_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 66 66
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, coils: :zeek:type:`ModbusCoils`)
Generated for a Modbus read discrete inputs response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param coils: The coil values returned from the device.
.. zeek:id:: modbus_read_fifo_queue_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 319 319
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`)
Generated for a Modbus read FIFO queue request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The address of the FIFO queue to read.
.. zeek:id:: modbus_read_fifo_queue_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 329 329
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, fifos: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read FIFO queue response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param fifos: The register values read from the FIFO queue on the device.
.. zeek:id:: modbus_read_file_record_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 218 218
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileRecordRequests`)
Generated for a Modbus read file record request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param byte_count: The full byte count for all of the reference records that follow.
:param refs: A vector of reference records.
.. zeek:id:: modbus_read_file_record_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 230 230
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileRecordResponses`)
Generated for a Modbus read file record response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param byte_count: The full byte count for all of the reference records that follow.
:param refs: A vector of reference records.
.. zeek:id:: modbus_read_holding_registers_request
:source-code: policy/protocols/modbus/track-memmap.zeek 62 65
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus read holding registers request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first register to be read.
:param quantity: The number of registers to be read.
.. zeek:id:: modbus_read_holding_registers_response
:source-code: policy/protocols/modbus/track-memmap.zeek 67 101
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read holding registers response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param registers: The register values returned from the device.
.. zeek:id:: modbus_read_input_registers_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 100 100
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus read input registers request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first register to be read.
:param quantity: The number of registers to be read.
.. zeek:id:: modbus_read_input_registers_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 110 110
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read input registers response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param registers: The register values returned from the device.
.. zeek:id:: modbus_read_write_multiple_registers_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 298 298
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, read_start_address: :zeek:type:`count`, read_quantity: :zeek:type:`count`, write_start_address: :zeek:type:`count`, write_registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read/write multiple registers request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param read_start_address: The memory address of the first register to be read.
:param read_quantity: The number of registers to read.
:param write_start_address: The memory address of the first register to be written.
:param write_registers: The values to be written to the registers.
.. zeek:id:: modbus_read_write_multiple_registers_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 309 309
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, written_registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus read/write multiple registers response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param written_registers: The register values read from the registers specified in
the request.
.. zeek:id:: modbus_write_file_record_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 242 242
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileReferences`)
Generated for a Modbus write file record request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param byte_count: The full byte count for all of the reference records that follow.
:param refs: A vector of reference records.
.. zeek:id:: modbus_write_file_record_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 254 254
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileReferences`)
Generated for a Modbus write file record response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param byte_count: The full byte count for all of the reference records that follow.
:param refs: A vector of reference records.
.. zeek:id:: modbus_write_multiple_coils_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 170 170
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, coils: :zeek:type:`ModbusCoils`)
Generated for a Modbus write multiple coils request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first coil to be written.
:param coils: The values to be written to the coils.
.. zeek:id:: modbus_write_multiple_coils_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 182 182
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus write multiple coils response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first coil that was written.
:param quantity: The quantity of coils that were written.
.. zeek:id:: modbus_write_multiple_registers_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 194 194
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, registers: :zeek:type:`ModbusRegisters`)
Generated for a Modbus write multiple registers request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first register to be written.
:param registers: The values to be written to the registers.
.. zeek:id:: modbus_write_multiple_registers_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 206 206
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
Generated for a Modbus write multiple registers response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param start_address: The memory address of the first register that was written.
:param quantity: The quantity of registers that were written.
.. zeek:id:: modbus_write_single_coil_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 122 122
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`bool`)
Generated for a Modbus write single coil request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the coil to be written.
:param value: The value to be written to the coil.
.. zeek:id:: modbus_write_single_coil_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 134 134
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`bool`)
Generated for a Modbus write single coil response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the coil that was written.
:param value: The value that was written to the coil.
.. zeek:id:: modbus_write_single_register_request
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 146 146
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for a Modbus write single register request.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the register to be written.
:param value: The value to be written to the register.
.. zeek:id:: modbus_write_single_register_response
:source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 158 158
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`count`)
Generated for a Modbus write single register response.
:param c: The connection.
:param headers: The headers for the modbus function.
:param address: The memory address of the register that was written.
:param value: The value that was written to the register.

267
doc/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,267 @@
:tocdepth: 3
base/bif/plugins/Zeek_MySQL.events.bif.zeek
===========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================== ======================================================================================================
:zeek:id:`mysql_auth_more_data`: :zeek:type:`event` Generated for opaque authentication data exchanged between client and server
after the client's handshake packet, but before the server replied with
an OK_Packet
:zeek:id:`mysql_auth_plugin`: :zeek:type:`event` Generated for information about plugin authentication within handshake packets.
:zeek:id:`mysql_auth_switch_request`: :zeek:type:`event` Generated for a server packet with an auth switch request.
:zeek:id:`mysql_change_user`: :zeek:type:`event` Generated for a change user command from a MySQL client.
:zeek:id:`mysql_command_request`: :zeek:type:`event` Generated for a command request from a MySQL client.
:zeek:id:`mysql_eof`: :zeek:type:`event` Generated for a MySQL EOF packet.
:zeek:id:`mysql_error`: :zeek:type:`event` Generated for an unsuccessful MySQL response.
:zeek:id:`mysql_handshake`: :zeek:type:`event` Generated for a client handshake response packet, which includes the username the client is attempting
to connect as.
:zeek:id:`mysql_ok`: :zeek:type:`event` Generated for a successful MySQL response.
:zeek:id:`mysql_result_row`: :zeek:type:`event` Generated for each MySQL ResultsetRow response packet.
:zeek:id:`mysql_server_version`: :zeek:type:`event` Generated for the initial server handshake packet, which includes the MySQL server version.
:zeek:id:`mysql_ssl_request`: :zeek:type:`event` Generated for a short client handshake response packet with the CLIENT_SSL
flag set.
======================================================== ======================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: mysql_auth_more_data
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 166 166
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
Generated for opaque authentication data exchanged between client and server
after the client's handshake packet, but before the server replied with
an OK_Packet
Data is specific to the plugin auth mechanism used by client and server.
:param c: The connection.
:param is_orig: True if this is from the client, false if from the server.
:param data: More authentication data.
.. zeek:see:: mysql_handshake mysql_auth_switch_request
.. zeek:id:: mysql_auth_plugin
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 138 138
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, data: :zeek:type:`string`)
Generated for information about plugin authentication within handshake packets.
:param c: The connection.
:param is_orig: True if this is from the client, false if from the server.
:param name: Name of the authentication plugin.
:param data: The initial auth data. From the server, it is the concatenation of
auth_plugin_data_part_1 and auth_plugin_data_part_2 in the handshake.
For the client it is the auth_response in the handshake response.
.. zeek:see:: mysql_handshake mysql_auth_switch_request mysql_auth_more_data
.. zeek:id:: mysql_auth_switch_request
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 150 150
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, data: :zeek:type:`string`)
Generated for a server packet with an auth switch request.
:param c: The connection.
:param name: The plugin name.
:param data: Initial authentication data for the plugin.
.. zeek:see:: mysql_handshake mysql_auth_more_data
.. zeek:id:: mysql_change_user
:source-code: base/protocols/mysql/main.zeek 87 90
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, username: :zeek:type:`string`)
Generated for a change user command from a MySQL client.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param username: The username supplied by the client
.. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
.. zeek:id:: mysql_command_request
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 16 16
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`count`, arg: :zeek:type:`string`)
Generated for a command request from a MySQL client.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param command: The numerical code of the command issued.
:param arg: The argument for the command (empty string if not provided).
.. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
.. zeek:id:: mysql_eof
:source-code: base/protocols/mysql/main.zeek 120 137
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_intermediate: :zeek:type:`bool`)
Generated for a MySQL EOF packet.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param is_intermediate: True if this is an EOF packet between the column definition and the rows, false if a final EOF.
.. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
.. zeek:id:: mysql_error
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 44 44
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`, msg: :zeek:type:`string`)
Generated for an unsuccessful MySQL response.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param code: The error code.
:param msg: Any extra details about the error (empty string if not provided).
.. zeek:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
.. zeek:id:: mysql_handshake
:source-code: base/protocols/mysql/main.zeek 52 65
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, username: :zeek:type:`string`)
Generated for a client handshake response packet, which includes the username the client is attempting
to connect as.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param username: The username supplied by the client
.. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version mysql_ssl_request
.. zeek:id:: mysql_ok
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 57 57
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, affected_rows: :zeek:type:`count`)
Generated for a successful MySQL response.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param affected_rows: The number of rows that were affected.
.. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
.. zeek:id:: mysql_result_row
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 83 83
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, row: :zeek:type:`string_vec`)
Generated for each MySQL ResultsetRow response packet.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param row: The result row data.
.. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
.. zeek:id:: mysql_server_version
:source-code: policy/protocols/mysql/software.zeek 14 20
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, ver: :zeek:type:`string`)
Generated for the initial server handshake packet, which includes the MySQL server version.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
:param ver: The server version string.
.. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
.. zeek:id:: mysql_ssl_request
:source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 122 122
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for a short client handshake response packet with the CLIENT_SSL
flag set. Usually the client will initiate a TLS handshake afterwards.
See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
for more information about the MySQL protocol.
:param c: The connection.
.. zeek:see:: mysql_handshake

15
doc/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_NCP.consts.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

88
doc/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,88 @@
:tocdepth: 3
base/bif/plugins/Zeek_NCP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================== ===================================================
:zeek:id:`ncp_reply`: :zeek:type:`event` Generated for NCP replies (Netware Core Protocol).
:zeek:id:`ncp_request`: :zeek:type:`event` Generated for NCP requests (Netware Core Protocol).
========================================== ===================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ncp_reply
:source-code: base/bif/plugins/Zeek_NCP.events.bif.zeek 49 49
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, frame_type: :zeek:type:`count`, length: :zeek:type:`count`, req_frame: :zeek:type:`count`, req_func: :zeek:type:`count`, completion_code: :zeek:type:`count`)
Generated for NCP replies (Netware Core Protocol).
See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
more information about the NCP protocol.
:param c: The connection.
:param frame_type: The frame type, as specified by the protocol.
:param length: The length of the request body, excluding the frame header.
:param req_frame: The frame type from the corresponding request.
:param req_func: The function code from the corresponding request.
:param completion_code: The reply's completion code, as specified by the protocol.
.. zeek:see:: ncp_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: ncp_request
:source-code: base/bif/plugins/Zeek_NCP.events.bif.zeek 23 23
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, frame_type: :zeek:type:`count`, length: :zeek:type:`count`, func: :zeek:type:`count`)
Generated for NCP requests (Netware Core Protocol).
See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
more information about the NCP protocol.
:param c: The connection.
:param frame_type: The frame type, as specified by the protocol.
:param length: The length of the request body, excluding the frame header.
:param func: The requested function, as specified by the protocol.
.. zeek:see:: ncp_reply
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

70
doc/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,70 @@
:tocdepth: 3
base/bif/plugins/Zeek_NTLM.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ ============================================================================
:zeek:id:`ntlm_authenticate`: :zeek:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
:zeek:id:`ntlm_challenge`: :zeek:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
:zeek:id:`ntlm_negotiate`: :zeek:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
================================================ ============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ntlm_authenticate
:source-code: base/protocols/ntlm/main.zeek 85 95
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, request: :zeek:type:`NTLM::Authenticate`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
:param c: The connection.
:param request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. zeek:see:: ntlm_negotiate ntlm_challenge
.. zeek:id:: ntlm_challenge
:source-code: base/protocols/ntlm/main.zeek 69 83
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, challenge: :zeek:type:`NTLM::Challenge`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
:param c: The connection.
:param negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. zeek:see:: ntlm_negotiate ntlm_authenticate
.. zeek:id:: ntlm_negotiate
:source-code: base/protocols/ntlm/main.zeek 64 67
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, negotiate: :zeek:type:`NTLM::Negotiate`)
Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
:param c: The connection.
:param negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
.. zeek:see:: ntlm_challenge ntlm_authenticate

16
doc/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_NTLM.types.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: NTLM
:Namespaces: GLOBAL, NTLM
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

43
doc/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Zeek_NTP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================== ===============================
:zeek:id:`ntp_message`: :zeek:type:`event` Generated for all NTP messages.
========================================== ===============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: ntp_message
:source-code: base/bif/plugins/Zeek_NTP.events.bif.zeek 15 15
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`NTP::Message`)
Generated for all NTP messages. Different from many other of Zeek's events,
this one is generated for both client-side and server-side messages.
See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
more information about the NTP protocol.
:param c: The connection record describing the corresponding UDP flow.
:param is_orig: True if the message was sent by the originator.
:param msg: The parsed NTP message.

16
doc/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_NTP.types.bif.zeek
========================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: NTP
:Namespaces: GLOBAL, NTP
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

284
doc/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,284 @@
:tocdepth: 3
base/bif/plugins/Zeek_NetBIOS.events.bif.zeek
=============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== =====================================================================
:zeek:id:`netbios_session_accepted`: :zeek:type:`event` Generated for NetBIOS messages of type *positive session response*.
:zeek:id:`netbios_session_keepalive`: :zeek:type:`event` Generated for NetBIOS messages of type *keep-alive*.
:zeek:id:`netbios_session_message`: :zeek:type:`event` Generated for all NetBIOS SSN and DGM messages.
:zeek:id:`netbios_session_raw_message`: :zeek:type:`event` Generated for NetBIOS messages of type *session message* that are not
carrying an SMB payload.
:zeek:id:`netbios_session_rejected`: :zeek:type:`event` Generated for NetBIOS messages of type *negative session response*.
:zeek:id:`netbios_session_request`: :zeek:type:`event` Generated for NetBIOS messages of type *session request*.
:zeek:id:`netbios_session_ret_arg_resp`: :zeek:type:`event` Generated for NetBIOS messages of type *retarget response*.
=========================================================== =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: netbios_session_accepted
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 92 92
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *positive session response*. Zeek's
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_keepalive netbios_session_message
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_keepalive
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 217 217
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
processes the NetBIOS session service running on TCP port 139, and (despite
its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_accepted netbios_session_message
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_message
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 34 34
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_type: :zeek:type:`count`, data_len: :zeek:type:`count`)
Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
processes the NetBIOS session service running on TCP port 139, and (despite
its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param is_orig: True if the message was sent by the originator of the connection.
:param msg_type: The general type of message, as defined in Section 4.3.1 of
:rfc:`1002`.
:param data_len: The length of the message's payload.
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_raw_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_raw_message
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 157 157
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *session message* that are not
carrying an SMB payload.
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param is_orig: True if the message was sent by the originator of the connection.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header (i.e., the ``user_data``).
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_rejected netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: This is an oddly named event. In fact, it's probably an odd event
to have to begin with.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_rejected
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 121 121
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *negative session response*. Zeek's
NetBIOS analyzer processes the NetBIOS session service running on TCP port
139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_request
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_request
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 63 63
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
analyzer processes the NetBIOS session service running on TCP port 139, and
(despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_rejected
netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: netbios_session_ret_arg_resp
:source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 188 188
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
analyzer processes the NetBIOS session service running on TCP port 139, and
(despite its name!) the NetBIOS datagram service on UDP port 138.
See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
about NetBIOS. :rfc:`1002` describes
the packet format for NetBIOS over TCP/IP, which Zeek parses.
:param c: The connection, which may be TCP or UDP, depending on the type of the
NetBIOS session.
:param msg: The raw payload of the message sent, excluding the common NetBIOS
header.
.. zeek:see:: netbios_session_accepted netbios_session_keepalive
netbios_session_message netbios_session_raw_message netbios_session_rejected
netbios_session_request decode_netbios_name decode_netbios_name_type
.. note:: These days, NetBIOS is primarily used as a transport mechanism for
`SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
.. todo:: This is an oddly named event.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

58
doc/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,58 @@
:tocdepth: 3
base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
========================================================== ================================================================
:zeek:id:`decode_netbios_name`: :zeek:type:`function` Decode a NetBIOS name.
:zeek:id:`decode_netbios_name_type`: :zeek:type:`function` Converts a NetBIOS name type to its corresponding numeric value.
========================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: decode_netbios_name
:source-code: base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek 16 16
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
Decode a NetBIOS name. See https://jeffpar.github.io/kbarchive/kb/194/Q194203/.
:param name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``.
:returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAM"``. An empty
string is returned if the argument is not a valid NetBIOS encoding
(though an encoding that would decode to something that includes
only null-bytes or space-characters also yields an empty string).
.. zeek:see:: decode_netbios_name_type
.. zeek:id:: decode_netbios_name_type
:source-code: base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek 27 27
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`count`
Converts a NetBIOS name type to its corresponding numeric value.
See https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_Suffixes.
:param name: An encoded NetBIOS name.
:returns: The numeric value of *name* or 256 if it's not a valid encoding.
.. zeek:see:: decode_netbios_name

16
doc/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: LogNone
:Namespaces: GLOBAL, LogNone
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

115
doc/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,115 @@
:tocdepth: 3
base/bif/plugins/Zeek_PE.events.bif.zeek
========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===================================================================
:zeek:id:`pe_dos_code`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
:zeek:id:`pe_dos_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file DOS header was parsed.
:zeek:id:`pe_file_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file file header was parsed.
:zeek:id:`pe_optional_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file optional header was parsed.
:zeek:id:`pe_section_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file section header was parsed.
================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: pe_dos_code
:source-code: base/bif/plugins/Zeek_PE.events.bif.zeek 25 25
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, code: :zeek:type:`string`)
A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
The stub is a valid application that runs under MS-DOS, by default
to inform the user that the program can't be run in DOS mode.
:param f: The file.
:param code: The DOS stub
.. zeek:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
.. zeek:id:: pe_dos_header
:source-code: base/files/pe/main.zeek 72 75
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::DOSHeader`)
A :abbr:`PE (Portable Executable)` file DOS header was parsed.
This is the top-level header and contains information like the
size of the file, initial value of registers, etc.
:param f: The file.
:param h: The parsed DOS header information.
.. zeek:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
.. zeek:id:: pe_file_header
:source-code: base/files/pe/main.zeek 77 90
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::FileHeader`)
A :abbr:`PE (Portable Executable)` file file header was parsed.
This header contains information like the target machine,
the timestamp when the file was created, the number of sections, and
pointers to other parts of the file.
:param f: The file.
:param h: The parsed file header information.
.. zeek:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
.. zeek:id:: pe_optional_header
:source-code: base/files/pe/main.zeek 92 119
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::OptionalHeader`)
A :abbr:`PE (Portable Executable)` file optional header was parsed.
This header is required for executable files, but not for object files.
It contains information like OS requirements to execute the file, the
original entry point address, and information needed to load the file
into memory.
:param f: The file.
:param h: The parsed optional header information.
.. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
.. zeek:id:: pe_section_header
:source-code: base/files/pe/main.zeek 121 132
:Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::SectionHeader`)
A :abbr:`PE (Portable Executable)` file section header was parsed.
This header contains information like the section name, size, address,
and characteristics.
:param f: The file.
:param h: The parsed section header information.
.. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header

15
doc/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_POP3.consts.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

241
doc/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,241 @@
:tocdepth: 3
base/bif/plugins/Zeek_POP3.events.bif.zeek
==========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===================================================================
:zeek:id:`pop3_data`: :zeek:type:`event` Generated for server-side multi-line responses on POP3 connections.
:zeek:id:`pop3_login_failure`: :zeek:type:`event` Generated for unsuccessful authentications on POP3 connections.
:zeek:id:`pop3_login_success`: :zeek:type:`event` Generated for successful authentications on POP3 connections.
:zeek:id:`pop3_reply`: :zeek:type:`event` Generated for server-side replies to commands on POP3 connections.
:zeek:id:`pop3_request`: :zeek:type:`event` Generated for client-side commands on POP3 connections.
:zeek:id:`pop3_starttls`: :zeek:type:`event` Generated when a POP3 connection goes encrypted.
:zeek:id:`pop3_unexpected`: :zeek:type:`event` Generated for errors encountered on POP3 sessions.
================================================= ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: pop3_data
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 76 76
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
Generated for server-side multi-line responses on POP3 connections. POP3
connections use multi-line responses to send bulk data, such as the actual
mails. This event is generated once for each line that's part of such a
response.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: True if the data was sent by the originator of the TCP connection.
:param data: The data sent.
.. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_login_failure
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 168 168
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
Generated for unsuccessful authentications on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: Always false.
:param user: The user name attempted for authentication. The event is only
generated if a non-empty user name was used.
:param password: The password attempted for authentication.
.. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_login_success
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 144 144
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
Generated for successful authentications on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: Always false.
:param user: The user name used for authentication. The event is only generated if
a non-empty user name was used.
:param password: The password used for authentication.
.. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_reply
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 52 52
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, cmd: :zeek:type:`string`, msg: :zeek:type:`string`)
Generated for server-side replies to commands on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: True if the command was sent by the originator of the TCP
connection.
:param cmd: The success indicator sent by the server. This corresponds to the
first token on the line sent, and should be either ``OK`` or ``ERR``.
:param msg: The textual description the server sent along with *cmd*.
.. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
pop3_unexpected
.. todo:: This event is receiving odd parameters, should unify.
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_request
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 25 25
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
Generated for client-side commands on POP3 connections.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: True if the command was sent by the originator of the TCP
connection.
:param command: The command sent.
:param arg: The argument to the command.
.. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_starttls
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 120 120
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated when a POP3 connection goes encrypted. While POP3 is by default a
clear-text protocol, extensions exist to switch to encryption. This event is
generated if that happens and the analyzer then stops processing the
connection.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
.. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
pop3_request pop3_unexpected
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.
.. zeek:id:: pop3_unexpected
:source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 100 100
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`, detail: :zeek:type:`string`)
Generated for errors encountered on POP3 sessions. If the POP3 analyzer
finds state transitions that do not conform to the protocol specification,
or other situations it can't handle, it raises this event.
See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
about the POP3 protocol.
:param c: The connection.
:param is_orig: True if the data was sent by the originator of the TCP connection.
:param msg: A textual description of the situation.
:param detail: The input that triggered the event.
.. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
.. todo:: Zeek's current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported. To still enable this event, one needs to
register a port for it or add a DPD payload signature.

37
doc/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek.rst Normal file
View file

@ -0,0 +1,37 @@
:tocdepth: 3
base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: PacketAnalyzer::PPPoE
:Namespaces: GLOBAL, PacketAnalyzer::PPPoE
Summary
~~~~~~~
Functions
#########
=================================================================== ===============================================================
:zeek:id:`PacketAnalyzer::PPPoE::session_id`: :zeek:type:`function` Returns the PPPoE Session ID of the current packet, if present.
=================================================================== ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: PacketAnalyzer::PPPoE::session_id
:source-code: base/bif/plugins/Zeek_PPPoE.functions.bif.zeek 15 15
:Type: :zeek:type:`function` () : :zeek:type:`count`
Returns the PPPoE Session ID of the current packet, if present.
If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
is out of range of the session ID.
:returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.

61
doc/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,61 @@
:tocdepth: 3
base/bif/plugins/Zeek_RADIUS.events.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ====================================
:zeek:id:`radius_attribute`: :zeek:type:`event` Generated for each RADIUS attribute.
:zeek:id:`radius_message`: :zeek:type:`event` Generated for RADIUS messages.
=============================================== ====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: radius_attribute
:source-code: base/bif/plugins/Zeek_RADIUS.events.bif.zeek 27 27
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, attr_type: :zeek:type:`count`, value: :zeek:type:`string`)
Generated for each RADIUS attribute.
See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
information about RADIUS.
:param c: The connection.
:param attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.).
:param value: The data/value bound to the attribute.
.. zeek:id:: radius_message
:source-code: base/bif/plugins/Zeek_RADIUS.events.bif.zeek 13 13
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`RADIUS::Message`)
Generated for RADIUS messages.
See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
information about RADIUS.
:param c: The connection.
:param result: A record containing fields parsed from a RADIUS packet.

269
doc/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,269 @@
:tocdepth: 3
base/bif/plugins/Zeek_RDP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= =================================================================================
:zeek:id:`rdp_begin_encryption`: :zeek:type:`event` Generated when an RDP session becomes encrypted.
:zeek:id:`rdp_client_cluster_data`: :zeek:type:`event` Generated for client cluster data packets.
:zeek:id:`rdp_client_core_data`: :zeek:type:`event` Generated for MCS client requests.
:zeek:id:`rdp_client_network_data`: :zeek:type:`event` Generated for Client Network Data (TS_UD_CS_NET) packets
:zeek:id:`rdp_client_security_data`: :zeek:type:`event` Generated for client security data packets.
:zeek:id:`rdp_connect_request`: :zeek:type:`event` Generated for X.224 client requests.
:zeek:id:`rdp_gcc_server_create_response`: :zeek:type:`event` Generated for MCS server responses.
:zeek:id:`rdp_native_encrypted_data`: :zeek:type:`event` Generated for each packet after RDP native encryption begins
:zeek:id:`rdp_negotiation_failure`: :zeek:type:`event` Generated for RDP Negotiation Failure messages.
:zeek:id:`rdp_negotiation_response`: :zeek:type:`event` Generated for RDP Negotiation Response messages.
:zeek:id:`rdp_server_certificate`: :zeek:type:`event` Generated for a server certificate section.
:zeek:id:`rdp_server_security`: :zeek:type:`event` Generated for MCS server responses.
:zeek:id:`rdpeudp_data`: :zeek:type:`event` Generated when for data messages exchanged after a RDPEUDP connection establishes
:zeek:id:`rdpeudp_established`: :zeek:type:`event` Generated when RDPEUDP connections are established (both sides SYN)
:zeek:id:`rdpeudp_syn`: :zeek:type:`event` Generated for RDPEUDP SYN UDP Datagram
:zeek:id:`rdpeudp_synack`: :zeek:type:`event` Generated for RDPEUDP SYNACK UDP Datagram
============================================================= =================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: rdp_begin_encryption
:source-code: base/protocols/rdp/main.zeek 259 269
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`)
Generated when an RDP session becomes encrypted.
:param c: The connection record for the underlying transport-layer session/flow.
:param security_protocol: The security protocol being used for the session.
.. zeek:id:: rdp_client_cluster_data
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 111 111
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientClusterData`)
Generated for client cluster data packets.
:param c: The connection record for the underlying transport-layer session/flow.
:param data: The data contained in the client security data structure.
.. zeek:id:: rdp_client_core_data
:source-code: base/protocols/rdp/main.zeek 187 213
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientCoreData`)
Generated for MCS client requests.
:param c: The connection record for the underlying transport-layer session/flow.
:param data: The data contained in the client core data structure.
.. zeek:id:: rdp_client_network_data
:source-code: base/protocols/rdp/main.zeek 215 228
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, channels: :zeek:type:`RDP::ClientChannelList`)
Generated for Client Network Data (TS_UD_CS_NET) packets
:param c: The connection record for the underlying transport-layer session/flow.
:param channels: The channels that were requested
.. zeek:id:: rdp_client_security_data
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 95 95
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientSecurityData`)
Generated for client security data packets.
:param c: The connection record for the underlying transport-layer session/flow.
:param data: The data contained in the client security data structure.
.. zeek:id:: rdp_connect_request
:source-code: base/protocols/rdp/main.zeek 166 171
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`, flags: :zeek:type:`count`)
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`)
Generated for X.224 client requests.
:param c: The connection record for the underlying transport-layer session/flow.
:param cookie: The cookie included in the request; empty if no cookie was provided.
:param flags: The flags set by the client.
.. zeek:id:: rdp_gcc_server_create_response
:source-code: base/protocols/rdp/main.zeek 230 235
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`count`)
Generated for MCS server responses.
:param c: The connection record for the underlying transport-layer session/flow.
:param result: The 8-bit integer representing the GCC Conference Create Response result.
.. zeek:id:: rdp_native_encrypted_data
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 43 43
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, len: :zeek:type:`count`)
Generated for each packet after RDP native encryption begins
:param c: The connection record for the underlying transport-layer session/flow.
:param orig: True if the packet was sent by the originator of the connection.
:param len: The length of the encrypted data.
.. zeek:id:: rdp_negotiation_failure
:source-code: base/protocols/rdp/main.zeek 180 185
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, failure_code: :zeek:type:`count`, flags: :zeek:type:`count`)
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, failure_code: :zeek:type:`count`)
Generated for RDP Negotiation Failure messages.
:param c: The connection record for the underlying transport-layer session/flow.
:param failure_code: The failure code sent by the server.
:param flags: The flags set by the server.
.. zeek:id:: rdp_negotiation_response
:source-code: base/protocols/rdp/main.zeek 173 178
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`, flags: :zeek:type:`count`)
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`)
Generated for RDP Negotiation Response messages.
:param c: The connection record for the underlying transport-layer session/flow.
:param security_protocol: The security protocol selected by the server.
:param flags: The flags set by the server.
.. zeek:id:: rdp_server_certificate
:source-code: base/protocols/rdp/main.zeek 245 257
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, cert_type: :zeek:type:`count`, permanently_issued: :zeek:type:`bool`)
Generated for a server certificate section. If multiple X.509
certificates are included in chain, this event will still
only be generated a single time.
:param c: The connection record for the underlying transport-layer session/flow.
:param cert_type: Indicates the type of certificate.
:param permanently_issued: Value will be true is the certificate(s) is permanent on the server.
.. zeek:id:: rdp_server_security
:source-code: base/protocols/rdp/main.zeek 237 243
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, encryption_method: :zeek:type:`count`, encryption_level: :zeek:type:`count`)
Generated for MCS server responses.
:param c: The connection record for the underlying transport-layer session/flow.
:param encryption_method: The 32-bit integer representing the encryption method used in the connection.
:param encryption_level: The 32-bit integer representing the encryption level used in the connection.
.. zeek:id:: rdpeudp_data
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 33 33
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, data: :zeek:type:`string`)
Generated when for data messages exchanged after a RDPEUDP connection establishes
:param c: The connection record for the underlying transport-layer session/flow.
:param is_orig: Whether the data was sent by the originator or responder of the connection.
:param version: Whether the connection is RDPEUDP1 or RDPEUDP2
:param data: The payload of the packet. This is probably very non-performant.
.. zeek:id:: rdpeudp_established
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`)
Generated when RDPEUDP connections are established (both sides SYN)
:param c: The connection record for the underlying transport-layer session/flow.
:param version: Whether the connection is RDPEUDP1 or RDPEUDP2
.. zeek:id:: rdpeudp_syn
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 7 7
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for RDPEUDP SYN UDP Datagram
:param c: The connection record for the underlying transport-layer session/flow.
.. zeek:id:: rdpeudp_synack
:source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 13 13
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for RDPEUDP SYNACK UDP Datagram
:param c: The connection record for the underlying transport-layer session/flow.

16
doc/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_RDP.types.bif.zeek
========================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: RDP
:Namespaces: GLOBAL, RDP
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

112
doc/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,112 @@
:tocdepth: 3
base/bif/plugins/Zeek_RFB.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ==========================================================
:zeek:id:`rfb_auth_result`: :zeek:type:`event` Generated for RFB event authentication result message
:zeek:id:`rfb_authentication_type`: :zeek:type:`event` Generated for RFB event authentication mechanism selection
:zeek:id:`rfb_client_version`: :zeek:type:`event` Generated for RFB event client banner message
:zeek:id:`rfb_server_parameters`: :zeek:type:`event` Generated for RFB event server parameter message
:zeek:id:`rfb_server_version`: :zeek:type:`event` Generated for RFB event server banner message
:zeek:id:`rfb_share_flag`: :zeek:type:`event` Generated for RFB event share flag messages
====================================================== ==========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: rfb_auth_result
:source-code: base/protocols/rfb/main.zeek 152 155
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`bool`)
Generated for RFB event authentication result message
:param c: The connection record for the underlying transport-layer session/flow.
:param result: whether or not authentication was successful
.. zeek:id:: rfb_authentication_type
:source-code: base/protocols/rfb/main.zeek 131 136
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, authtype: :zeek:type:`count`)
Generated for RFB event authentication mechanism selection
:param c: The connection record for the underlying transport-layer session/flow.
:param authtype: the value of the chosen authentication mechanism
.. zeek:id:: rfb_client_version
:source-code: base/protocols/rfb/main.zeek 117 122
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_version: :zeek:type:`string`, minor_version: :zeek:type:`string`)
Generated for RFB event client banner message
:param c: The connection record for the underlying transport-layer session/flow.
:param version: of the client's rfb library
.. zeek:id:: rfb_server_parameters
:source-code: base/bif/plugins/Zeek_RFB.events.bif.zeek 53 53
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, width: :zeek:type:`count`, height: :zeek:type:`count`)
Generated for RFB event server parameter message
:param c: The connection record for the underlying transport-layer session/flow.
:param name: name of the shared screen
:param width: width of the shared screen
:param height: height of the shared screen
.. zeek:id:: rfb_server_version
:source-code: base/protocols/rfb/main.zeek 124 129
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_version: :zeek:type:`string`, minor_version: :zeek:type:`string`)
Generated for RFB event server banner message
:param c: The connection record for the underlying transport-layer session/flow.
:param version: of the server's rfb library
.. zeek:id:: rfb_share_flag
:source-code: base/protocols/rfb/main.zeek 157 160
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, flag: :zeek:type:`bool`)
Generated for RFB event share flag messages
:param c: The connection record for the underlying transport-layer session/flow.
:param flag: whether or not the share flag was set

1320
doc/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek.rst Normal file
View file

File diff suppressed because it is too large Load diff

16
doc/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek.rst Normal file
View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/bif/plugins/Zeek_RawReader.raw.bif.zeek
============================================
.. zeek:namespace:: GLOBAL
.. zeek:namespace:: InputRaw
:Namespaces: GLOBAL, InputRaw
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

163
doc/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,163 @@
:tocdepth: 3
base/bif/plugins/Zeek_SIP.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ==========================================================================================================
:zeek:id:`sip_all_headers`: :zeek:type:`event` Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
:zeek:id:`sip_begin_entity`: :zeek:type:`event` Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
:zeek:id:`sip_end_entity`: :zeek:type:`event` Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
:zeek:id:`sip_header`: :zeek:type:`event` Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
:zeek:id:`sip_reply`: :zeek:type:`event` Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
:zeek:id:`sip_request`: :zeek:type:`event` Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
=============================================== ==========================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: sip_all_headers
:source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 71 71
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, hlist: :zeek:type:`mime_header_list`)
Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param is_orig: Whether the headers came from the originator.
:param hlist: All the headers, and their values
.. zeek:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity
.. zeek:id:: sip_begin_entity
:source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 86 86
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
This event is generated as soon as a message's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param is_orig: Whether the message came from the originator.
.. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity
.. zeek:id:: sip_end_entity
:source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 99 99
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param is_orig: Whether the message came from the originator.
.. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity
.. zeek:id:: sip_header
:source-code: base/protocols/sip/main.zeek 193 273
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, value: :zeek:type:`string`)
Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param is_orig: Whether the header came from the originator.
:param name: Header name.
:param value: Header value.
.. zeek:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity
.. zeek:id:: sip_reply
:source-code: base/protocols/sip/main.zeek 181 191
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
This event is generated as soon as a reply's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param version: The :abbr:`SIP (Session Initiation Protocol)` version in use.
:param code: The response code.
:param reason: Textual details for the response code.
.. zeek:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity
.. zeek:id:: sip_request
:source-code: base/protocols/sip/main.zeek 170 179
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, method: :zeek:type:`string`, original_URI: :zeek:type:`string`, version: :zeek:type:`string`)
Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
This event is generated as soon as a request's initial line has been parsed.
See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
:param c: The connection.
:param method: The :abbr:`SIP (Session Initiation Protocol)` method extracted from the request (e.g., ``REGISTER``, ``NOTIFY``).
:param original_URI: The unprocessed URI as specified in the request.
:param version: The version number specified in the request (e.g., ``2.0``).
.. zeek:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity

15
doc/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek.rst Normal file
View file

@ -0,0 +1,15 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.consts.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

58
doc/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek.rst Normal file
View file

@ -0,0 +1,58 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.events.bif.zeek
=========================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================== ==========================================================================
:zeek:id:`smb_discarded_dce_rpc_analyzers`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)` when the number of
:abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
:zeek:id:`smb_pipe_connect_heuristic`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)` connections when a
named pipe has been detected heuristically.
============================================================== ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb_discarded_dce_rpc_analyzers
:source-code: base/protocols/dce-rpc/main.zeek 231 238
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for :abbr:`SMB (Server Message Block)` when the number of
:abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
Occurrence of this event may indicate traffic loss, traffic load-balancing
issues or abnormal SMB protocol usage.
:param c: The connection.
.. zeek:id:: smb_pipe_connect_heuristic
:source-code: base/protocols/smb/main.zeek 243 247
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Generated for :abbr:`SMB (Server Message Block)` connections when a
named pipe has been detected heuristically. The case when this comes
up is when the drive mapping isn't seen so the analyzer is not able
to determine whether to send the data to the files framework or to
the DCE_RPC analyzer. This heuristic can be tuned by adding or
removing "named pipe" names from the :zeek:see:`SMB::pipe_filenames`
const.
:param c: The connection.

67
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek.rst Normal file
View file

@ -0,0 +1,67 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek
===========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================ ===========================================================================================
:zeek:id:`smb1_check_directory_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *check directory*.
:zeek:id:`smb1_check_directory_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *check directory*.
============================================================ ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_check_directory_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, directory_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *check directory*. This is used by the client to verify that
a specified path resolves to a valid directory on the server.
For more information, see MS-CIFS:2.2.4.17
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param directory_name: The directory name to check for existence.
.. zeek:see:: smb1_message smb1_check_directory_response
.. zeek:id:: smb1_check_directory_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek 31 31
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *check directory*. This is the server response to the
*check directory* request.
For more information, see MS-CIFS:2.2.4.17
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. zeek:see:: smb1_message smb1_check_directory_request

46
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek.rst Normal file
View file

@ -0,0 +1,46 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===========================================================================================
:zeek:id:`smb1_close_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *close*.
================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_close_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *close*. This is used by the client to close an instance of an object
associated with a valid file ID.
For more information, see MS-CIFS:2.2.4.5
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param file_id: The file identifier being closed.
.. zeek:see:: smb1_message

69
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek.rst Normal file
View file

@ -0,0 +1,69 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek
============================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= ===========================================================================================
:zeek:id:`smb1_create_directory_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *create directory*.
:zeek:id:`smb1_create_directory_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *create directory*.
============================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_create_directory_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek 18 18
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, directory_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *create directory*. This is a deprecated command which
has been replaced by the *trans2_create_directory* subcommand. This is used by the client to
create a new directory on the server, relative to a connected share.
For more information, see MS-CIFS:2.2.4.1
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param directory_name: The name of the directory to create.
.. zeek:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
.. zeek:id:: smb1_create_directory_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek 33 33
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *create directory*. This is a deprecated command which
has been replaced by the *trans2_create_directory* subcommand. This is the server response
to the *create directory* request.
For more information, see MS-CIFS:2.2.4.1
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. zeek:see:: smb1_message smb1_create_directory_request smb1_transaction2_request

75
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek.rst Normal file
View file

@ -0,0 +1,75 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================= ===========================================================================================
:zeek:id:`smb1_echo_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *echo*.
:zeek:id:`smb1_echo_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *echo*.
================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_echo_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek 19 19
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, echo_count: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *echo*. This is sent by the client to test the transport layer
connection with the server.
For more information, see MS-CIFS:2.2.4.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param echo_count: The number of times the server should echo the data back.
:param data: The data for the server to echo.
.. zeek:see:: smb1_message smb1_echo_response
.. zeek:id:: smb1_echo_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek 36 36
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, seq_num: :zeek:type:`count`, data: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *echo*. This is the server response to the *echo* request.
For more information, see MS-CIFS:2.2.4.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param seq_num: The sequence number of this echo reply.
:param data: The data echoed back from the client.
.. zeek:see:: smb1_message smb1_echo_request

45
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek.rst Normal file
View file

@ -0,0 +1,45 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
=======================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================== ===========================================================================================
:zeek:id:`smb1_logoff_andx`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *logoff andx*.
=============================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_logoff_andx
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *logoff andx*. This is used by the client to logoff the user
connection represented by UID in the SMB Header. The server releases all locks and closes
all files currently open by this user, disconnects all tree connects, cancels any outstanding
requests for this UID, and invalidates the UID.
For more information, see MS-CIFS:2.2.4.54
:param c: The connection.
:param is_orig: Indicates which host sent the logoff message.
.. zeek:see:: smb1_message

71
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek.rst Normal file
View file

@ -0,0 +1,71 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek
=====================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ===========================================================================================
:zeek:id:`smb1_negotiate_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *negotiate*.
:zeek:id:`smb1_negotiate_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *negotiate*.
====================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_negotiate_request
:source-code: base/protocols/smb/smb1-main.zeek 77 80
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, dialects: :zeek:type:`string_vec`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *negotiate*. This is sent by the client to initiate an SMB
connection between the client and the server. A *negotiate* exchange MUST be completed
before any other SMB messages are sent to the server.
For more information, see MS-CIFS:2.2.4.52
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param dialects: The SMB dialects supported by the client.
.. zeek:see:: smb1_message smb1_negotiate_response
.. zeek:id:: smb1_negotiate_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek 34 34
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, response: :zeek:type:`SMB1::NegotiateResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *negotiate*. This is the server response to the *negotiate*
request.
For more information, see MS-CIFS:2.2.4.52
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param response: A record structure containing more information from the response.
.. zeek:see:: smb1_message smb1_negotiate_request

43
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek.rst Normal file
View file

@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
=====================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
===================================================== ===========================================================================================
:zeek:id:`smb1_nt_cancel_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt cancel*.
===================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_nt_cancel_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek 15 15
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt cancel*. This is sent by the client to request that a currently
pending request be cancelled.
For more information, see MS-CIFS:2.2.4.65
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
.. zeek:see:: smb1_message

77
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek.rst Normal file
View file

@ -0,0 +1,77 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
==========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=========================================================== ===========================================================================================
:zeek:id:`smb1_nt_create_andx_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt create andx*.
:zeek:id:`smb1_nt_create_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *nt create andx*.
=========================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_nt_create_andx_request
:source-code: base/protocols/smb/smb1-main.zeek 137 146
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *nt create andx*. This is sent by the client to create and open
a new file, or to open an existing file, or to open and truncate an existing file to zero
length, or to create a directory, or to create a connection to a named pipe.
For more information, see MS-CIFS:2.2.4.64
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param name: The ``name`` attribute specified in the message.
.. zeek:see:: smb1_message smb1_nt_create_andx_response
.. zeek:id:: smb1_nt_create_andx_response
:source-code: base/protocols/smb/smb1-main.zeek 148 165
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, file_size: :zeek:type:`count`, times: :zeek:type:`SMB::MACTimes`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *nt create andx*. This is the server response to the
*nt create andx* request.
For more information, see MS-CIFS:2.2.4.64
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param file_id: The SMB2 GUID for the file.
:param file_size: Size of the file.
:param times: Timestamps associated with the file in question.
.. zeek:see:: smb1_message smb1_nt_create_andx_request

47
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek.rst Normal file
View file

@ -0,0 +1,47 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek
=============================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================= ===========================================================================================
:zeek:id:`smb1_query_information_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *query information*.
============================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_query_information_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek 18 18
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, filename: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *query information*. This is a deprecated command which
has been replaced by the *trans2_query_path_information* subcommand. This is used by the
client to obtain attribute information about a file.
For more information, see MS-CIFS:2.2.4.9
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param filename: The filename that the client is querying.
.. zeek:see:: smb1_message smb1_transaction2_request

76
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek.rst Normal file
View file

@ -0,0 +1,76 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek
=====================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ===========================================================================================
:zeek:id:`smb1_read_andx_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *read andx*.
:zeek:id:`smb1_read_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *read andx*.
====================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_read_andx_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek 22 22
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *read andx*. This is sent by the client to read bytes from a regular
file, a named pipe, or a directly accessible device such as a serial port (COM) or printer
port (LPT).
For more information, see MS-CIFS:2.2.4.42
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param file_id: The file identifier being written to.
:param offset: The byte offset the requested read begins at.
:param length: The number of bytes being requested.
.. zeek:see:: smb1_message smb1_read_andx_response
.. zeek:id:: smb1_read_andx_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek 37 37
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, data_len: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *read andx*. This is the server response to the *read andx* request.
For more information, see MS-CIFS:2.2.4.42
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param data_len: The length of data from the requested file.
.. zeek:see:: smb1_message smb1_read_andx_request

68
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek.rst Normal file
View file

@ -0,0 +1,68 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
==============================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=============================================================== ===========================================================================================
:zeek:id:`smb1_session_setup_andx_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *setup andx*.
:zeek:id:`smb1_session_setup_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *setup andx*.
=============================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_session_setup_andx_request
:source-code: base/protocols/smb/smb1-main.zeek 252 253
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, request: :zeek:type:`SMB1::SessionSetupAndXRequest`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *setup andx*. This is sent by the client to configure an SMB session.
For more information, see MS-CIFS:2.2.4.53
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param request: The parsed request data of the SMB message. See init-bare for more details.
.. zeek:see:: smb1_message smb1_session_setup_andx_response
.. zeek:id:: smb1_session_setup_andx_response
:source-code: base/protocols/smb/smb1-main.zeek 257 258
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, response: :zeek:type:`SMB1::SessionSetupAndXResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *setup andx*. This is the server response to the *setup andx* request.
For more information, see MS-CIFS:2.2.4.53
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param response: The parsed response data of the SMB message. See init-bare for more details.
.. zeek:see:: smb1_message smb1_session_setup_andx_request

83
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek.rst Normal file
View file

@ -0,0 +1,83 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek
=======================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================== ===========================================================================================
:zeek:id:`smb1_transaction_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction*.
:zeek:id:`smb1_transaction_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction*.
======================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_transaction_request
:source-code: base/protocols/smb/smb1-main.zeek 262 265
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, name: :zeek:type:`string`, sub_cmd: :zeek:type:`count`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction*. This command serves as the transport for the
Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
which are interprocess communication endpoints within the CIFS file system.
For more information, see MS-CIFS:2.2.4.33.1
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param name: A name string that MAY identify the resource (a specific Mailslot or Named Pipe)
against which the operation is performed.
:param sub_cmd: The sub command, some may be parsed and have their own events.
:param parameters: content of the SMB_Data.Trans_Parameters field
:param data: content of the SMB_Data.Trans_Data field
.. zeek:see:: smb1_message smb1_transaction2_request
.. zeek:id:: smb1_transaction_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek 42 42
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction*. This command serves as the transport for the
Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
which are interprocess communication endpoints within the CIFS file system.
For more information, see MS-CIFS:2.2.4.33.2
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param parameters: content of the SMB_Data.Trans_Parameters field
:param data: content of the SMB_Data.Trans_Data field

126
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek.rst Normal file
View file

@ -0,0 +1,126 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek
========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=================================================================== ===========================================================================================
:zeek:id:`smb1_trans2_find_first2_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *find first2*.
:zeek:id:`smb1_trans2_get_dfs_referral_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *get DFS referral*.
:zeek:id:`smb1_trans2_query_path_info_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *query path info*.
:zeek:id:`smb1_transaction2_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction2*.
=================================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_trans2_find_first2_request
:source-code: base/protocols/smb/smb1-main.zeek 247 250
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Find_First2_Request_Args`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
a search for file(s) within a directory or for a directory
For more information, see MS-CIFS:2.2.6.2
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param args: A record data structure with arguments given to the command.
.. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
smb1_trans2_get_dfs_referral_request
.. zeek:id:: smb1_trans2_get_dfs_referral_request
:source-code: base/protocols/smb/smb1-main.zeek 237 240
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *get DFS referral*. This transaction is used
to request a referral for a disk object in DFS.
For more information, see MS-CIFS:2.2.6.16
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param file_name: File name the request is in reference to.
.. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
smb1_trans2_query_path_info_request
.. zeek:id:: smb1_trans2_query_path_info_request
:source-code: base/protocols/smb/smb1-main.zeek 242 245
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 *transaction2* requests of subtype *query path info*. This transaction is used to
get information about a specific file or directory.
For more information, see MS-CIFS:2.2.6.6
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param file_name: File name the request is in reference to.
.. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
smb1_trans2_get_dfs_referral_request
.. zeek:id:: smb1_transaction2_request
:source-code: base/protocols/smb/smb1-main.zeek 71 74
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans2_Args`, sub_cmd: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction2*. This command serves as the transport for the
Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes,
which are interprocess communication endpoints within the CIFS file system. Compared to the
Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended
Attribute key/value pairs, make use of long file names (longer than the original 8.3 format
names), and perform directory searches, among other tasks.
For more information, see MS-CIFS:2.2.4.46
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param sub_cmd: The sub command, some are parsed and have their own events.
.. zeek:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
smb1_trans2_get_dfs_referral_request smb1_transaction_request

50
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek.rst Normal file
View file

@ -0,0 +1,50 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
==================================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================================== ===========================================================================================
:zeek:id:`smb1_transaction2_secondary_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction2 secondary*.
================================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_transaction2_secondary_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek 19 19
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans2_Sec_Args`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction2 secondary*.
For more information, see MS-CIFS:2.2.4.47.1
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
version 1 message.
:param args: arguments of the message (SMB_Parameters.Words)
:param parameters: content of the SMB_Data.Trans_Parameters field
:param data: content of the SMB_Data.Trans_Data field

49
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek.rst Normal file
View file

@ -0,0 +1,49 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
=================================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================================= ===========================================================================================
:zeek:id:`smb1_transaction_secondary_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction_secondary*.
================================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_transaction_secondary_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek 19 19
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans_Sec_Args`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *transaction_secondary*. This command
serves as an additional request data container for the
Transaction Subprotocol Commands (carried by *transaction* requests).
For more information, see MS-CIFS:2.2.4.34
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param parameters: the SMB_Data.Trans_Parameters field content
:param data: the SMB_Data.Trans_Data field content

76
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek.rst Normal file
View file

@ -0,0 +1,76 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
=============================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================== ===========================================================================================
:zeek:id:`smb1_tree_connect_andx_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *tree connect andx*.
:zeek:id:`smb1_tree_connect_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *tree connect andx*.
============================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_tree_connect_andx_request
:source-code: base/protocols/smb/smb1-main.zeek 100 106
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, path: :zeek:type:`string`, service: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *tree connect andx*. This is sent by the client to establish a
connection to a server share.
For more information, see MS-CIFS:2.2.4.55
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param path: The ``path`` attribute specified in the message.
:param service: The ``service`` attribute specified in the message.
.. zeek:see:: smb1_message smb1_tree_connect_andx_response
.. zeek:id:: smb1_tree_connect_andx_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek 37 37
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, service: :zeek:type:`string`, native_file_system: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *tree connect andx*. This is the server reply to the *tree connect andx*
request.
For more information, see MS-CIFS:2.2.4.55
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param service: The ``service`` attribute specified in the message.
:param native_file_system: The file system of the remote server as indicate by the server.
.. zeek:see:: smb1_message smb1_tree_connect_andx_request

46
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek.rst Normal file
View file

@ -0,0 +1,46 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
===========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=================================================== ===========================================================================================
:zeek:id:`smb1_tree_disconnect`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *tree disconnect*.
=================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_tree_disconnect
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *tree disconnect*. This is sent by the client to logically disconnect
client access to a server resource.
For more information, see MS-CIFS:2.2.4.51
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param is_orig: True if the message was from the originator.
.. zeek:see:: smb1_message

74
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek.rst Normal file
View file

@ -0,0 +1,74 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek
======================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================= ===========================================================================================
:zeek:id:`smb1_write_andx_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *write andx*.
:zeek:id:`smb1_write_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *write andx*.
======================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_write_andx_request
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek 20 20
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, offset: :zeek:type:`count`, data_len: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 requests of type *write andx*. This is sent by the client to write bytes to a
regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM)
or printer port (LPT).
For more information, see MS-CIFS:2.2.4.43
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param offset: The byte offset into the referenced file data is being written.
:param data: The data being written.
.. zeek:see:: smb1_message smb1_write_andx_response
.. zeek:id:: smb1_write_andx_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek 36 36
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, written_bytes: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 1 responses of type *write andx*. This is the server response to the *write andx*
request.
For more information, see MS-CIFS:2.2.4.43
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param written_bytes: The number of bytes the server reported having actually written.
.. zeek:see:: smb1_message smb1_write_andx_request

89
doc/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek.rst Normal file
View file

@ -0,0 +1,89 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek
==============================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================== =========================================================================================================
:zeek:id:`smb1_empty_response`: :zeek:type:`event` Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
:zeek:id:`smb1_error`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)` version 1 messages
that indicate an error.
:zeek:id:`smb1_message`: :zeek:type:`event` Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1
messages.
================================================== =========================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb1_empty_response
:source-code: base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek 31 31
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
.. zeek:see:: smb1_message
.. zeek:id:: smb1_error
:source-code: policy/protocols/smb/log-cmds.zeek 49 64
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
Generated for :abbr:`SMB (Server Message Block)` version 1 messages
that indicate an error. This event is triggered by an :abbr:`SMB (Server Message Block)` header
including a status that signals an error.
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
:param is_orig: True if the message was sent by the originator of the underlying
transport-level connection.
.. zeek:see:: smb1_message
.. zeek:id:: smb1_message
:source-code: base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1
messages.
See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
:abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
:abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
:param is_orig: True if the message was sent by the originator of the underlying
transport-level connection.
.. zeek:see:: smb2_message

70
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek.rst Normal file
View file

@ -0,0 +1,70 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================== ===========================================================================================
:zeek:id:`smb2_close_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *close*.
:zeek:id:`smb2_close_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *close*.
================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_close_request
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek 17 17
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *close*. This is used by the client to close an instance of a
file that was opened previously with a successful SMB2 CREATE Request.
For more information, see MS-SMB2:2.2.15
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_name: The SMB2 GUID of the file being closed.
.. zeek:see:: smb2_message smb2_close_response
.. zeek:id:: smb2_close_response
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek 33 33
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::CloseResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *close*. This is sent by the server to indicate that an SMB2 CLOSE
request was processed successfully.
For more information, see MS-SMB2:2.2.16
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param response: A record of attributes returned from the server from the close.
.. zeek:see:: smb2_message smb2_close_request

70
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek.rst Normal file
View file

@ -0,0 +1,70 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek
==================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
=================================================== ===========================================================================================
:zeek:id:`smb2_create_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *create*.
:zeek:id:`smb2_create_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *create*.
=================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_create_request
:source-code: base/protocols/smb/smb2-main.zeek 129 152
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, request: :zeek:type:`SMB2::CreateRequest`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *create*. This is sent by the client to request either creation
of or access to a file.
For more information, see MS-SMB2:2.2.13
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param request: A record with more information related to the request.
.. zeek:see:: smb2_message smb2_create_response
.. zeek:id:: smb2_create_response
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek 33 33
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::CreateResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *create*. This is sent by the server to notify the client of
the status of its SMB2 CREATE request.
For more information, see MS-SMB2:2.2.14
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param response: A record with more information related to the response.
.. zeek:see:: smb2_message smb2_create_request

70
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek.rst Normal file
View file

@ -0,0 +1,70 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek
=====================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
====================================================== ===========================================================================================
:zeek:id:`smb2_negotiate_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *negotiate*.
:zeek:id:`smb2_negotiate_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *negotiate*.
====================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_negotiate_request
:source-code: base/protocols/smb/smb2-main.zeek 83 86
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, dialects: :zeek:type:`index_vec`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *negotiate*. This is used by the client to notify the server what
dialects of the SMB2 Protocol the client understands.
For more information, see MS-SMB2:2.2.3
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param dialects: A vector of the client's supported dialects.
.. zeek:see:: smb2_message smb2_negotiate_response
.. zeek:id:: smb2_negotiate_response
:source-code: base/protocols/smb/smb2-main.zeek 88 102
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::NegotiateResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *negotiate*. This is sent by the server to notify the client of
the preferred common dialect.
For more information, see MS-SMB2:2.2.4
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param response: The negotiate response data structure.
.. zeek:see:: smb2_message smb2_negotiate_request

52
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek.rst Normal file
View file

@ -0,0 +1,52 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek
================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================ ===========================================================================================
:zeek:id:`smb2_read_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *read*.
================================================ ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_read_request
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *read*. This is sent by the client to request a read operation on
the specified file.
For more information, see MS-SMB2:2.2.19
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The GUID being used for the file.
:param offset: How far into the file this read should be taking place.
:param length: The number of bytes of the file being read.
.. zeek:see:: smb2_message

71
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek.rst Normal file
View file

@ -0,0 +1,71 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek
=========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================== ===========================================================================================
:zeek:id:`smb2_session_setup_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *session_setup*.
:zeek:id:`smb2_session_setup_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *session_setup*.
========================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_session_setup_request
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek 18 18
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, request: :zeek:type:`SMB2::SessionSetupRequest`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *session_setup*. This is sent by the client to request a new
authenticated session within a new or existing SMB 2 Protocol transport connection to the
server.
For more information, see MS-SMB2:2.2.5
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param request: A record containing more information related to the request.
.. zeek:see:: smb2_message smb2_session_setup_response
.. zeek:id:: smb2_session_setup_response
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek 34 34
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::SessionSetupResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *session_setup*. This is sent by the server in response to a
*session_setup* request.
For more information, see MS-SMB2:2.2.6
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param response: A record containing more information related to the response.
.. zeek:see:: smb2_message smb2_session_setup_request

399
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek.rst Normal file
View file

@ -0,0 +1,399 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek
====================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
======================================================== ===========================================================================================
:zeek:id:`smb2_file_allocation`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *allocation* subtype
:zeek:id:`smb2_file_delete`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *delete* subtype.
:zeek:id:`smb2_file_endoffile`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *end_of_file* subtype
:zeek:id:`smb2_file_fscontrol`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *fs_control* subtype
:zeek:id:`smb2_file_fsobjectid`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *fs_object_id* subtype
:zeek:id:`smb2_file_fullea`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *full_EA* subtype
:zeek:id:`smb2_file_link`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *link* subtype
:zeek:id:`smb2_file_mode`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *mode* subtype
:zeek:id:`smb2_file_pipe`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *pipe* subtype
:zeek:id:`smb2_file_position`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *position* subtype
:zeek:id:`smb2_file_rename`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *rename* subtype.
:zeek:id:`smb2_file_sattr`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *file* subtype
:zeek:id:`smb2_file_shortname`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *short_name* subtype
:zeek:id:`smb2_file_validdatalength`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *valid_data_length* subtype
======================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_file_allocation
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 75 75
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, alloc_size: :zeek:type:`int`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *allocation* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param alloc_size: desired allocation size.
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_delete
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 38 38
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, delete_pending: :zeek:type:`bool`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *delete* subtype.
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param delete_pending: A boolean value to indicate that a file should be deleted
when it's closed if set to T.
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_endoffile
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 92 92
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, end_of_file: :zeek:type:`int`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *end_of_file* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param end_of_file: the absolute new end of file position as a byte offset from the start of the file
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_fscontrol
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 235 235
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, fs_control: :zeek:type:`SMB2::Fscontrol`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *fs_control* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param fs_control: contains fs_control info (see MS-FCC 2.5.2)
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_fsobjectid
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 254 254
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, object_id: :zeek:type:`SMB2::GUID`, extended_info: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *fs_object_id* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param object_id: contains a 16-bytes GUID that identifies the file system volume (see MS-FCC 2.5.6)
:param extended_info: contains extended information on the file system volume
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link
.. zeek:id:: smb2_file_fullea
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 199 199
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, file_eas: :zeek:type:`SMB2::FileEAs`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *full_EA* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param FileEAs: a vector of extended file attributes as defined in MS-FSCC:2.4.15
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_link
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 218 218
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, root_directory: :zeek:type:`count`, file_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *link* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param root_directory: contains the file handle for the directory where the link is to be created
:param file_name: contains the name to be assigned to the newly created link
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_mode
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 110 110
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, mode: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *mode* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param mode: specifies how the file will subsequently be accessed.
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_pipe
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 130 130
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, read_mode: :zeek:type:`count`, completion_mode: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *pipe* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param read_mode: specifies if data must be read as a stream of bytes or messages
:param completion_mode: specifies if blocking mode must be enabled or not
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_position
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 148 148
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, current_byte_offset: :zeek:type:`int`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *position* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param current_byte_offset: specifies the offset, in bytes, of the file pointer from the beginning of the file
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_rename
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 19 19
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, dst_filename: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *rename* subtype.
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: A GUID to identify the file.
:param dst_filename: The filename to rename the file into.
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_sattr
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 58 58
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, times: :zeek:type:`SMB::MACTimes`, attrs: :zeek:type:`SMB2::FileAttrs`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *file* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param times: Timestamps associated with the file in question.
:param attrs: File attributes.
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_shortname
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 165 165
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, file_name: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *short_name* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param file_name: specifies the name of the file to be changed
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
.. zeek:id:: smb2_file_validdatalength
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 182 182
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, valid_data_length: :zeek:type:`int`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *set_info* of the *valid_data_length* subtype
For more information, see MS-SMB2:2.2.39
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The SMB2 GUID for the file.
:param valid_data_length: specifies the new valid data length for the file
.. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid

43
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek.rst Normal file
View file

@ -0,0 +1,43 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek
============================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
==================================================== ===========================================================================================
:zeek:id:`smb2_transform_header`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 3.x *transform_header*.
==================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_transform_header
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek 15 15
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Transform_header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 3.x *transform_header*. This is used by the client or server when sending
encrypted messages.
For more information, see MS-SMB2:2.2.41
:param c: The connection.
:param hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers.
.. zeek:see:: smb2_message

70
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek.rst Normal file
View file

@ -0,0 +1,70 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek
========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
========================================================= ===========================================================================================
:zeek:id:`smb2_tree_connect_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *tree_connect*.
:zeek:id:`smb2_tree_connect_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *tree_connect*.
========================================================= ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_tree_connect_request
:source-code: base/protocols/smb/smb2-main.zeek 104 107
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, path: :zeek:type:`string`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *tree_connect*. This is sent by a client to request access to a
particular share on the server.
For more information, see MS-SMB2:2.2.9
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param path: Path of the requested tree.
.. zeek:see:: smb2_message smb2_tree_connect_response
.. zeek:id:: smb2_tree_connect_response
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek 33 33
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::TreeConnectResponse`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 responses of type *tree_connect*. This is sent by the server when a *tree_connect*
request is successfully processed by the server.
For more information, see MS-SMB2:2.2.10
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param response: A record with more information related to the response.
.. zeek:see:: smb2_message smb2_tree_connect_request

60
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek.rst Normal file
View file

@ -0,0 +1,60 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
===========================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
============================================================ ===========================================================================================
:zeek:id:`smb2_tree_disconnect_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *tree disconnect*.
:zeek:id:`smb2_tree_disconnect_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *tree disconnect*.
============================================================ ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_tree_disconnect_request
:source-code: base/protocols/smb/smb2-main.zeek 119 127
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *tree disconnect*. This is sent by the client to logically disconnect
client access to a server resource.
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
.. zeek:see:: smb2_message
.. zeek:id:: smb2_tree_disconnect_response
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek 26 26
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *tree disconnect*. This is sent by the server to logically disconnect
client access to a server resource.
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
.. zeek:see:: smb2_message

76
doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek.rst Normal file
View file

@ -0,0 +1,76 @@
:tocdepth: 3
base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek
=================================================
.. zeek:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================== ===========================================================================================
:zeek:id:`smb2_write_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *write*.
:zeek:id:`smb2_write_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *write*.
================================================== ===========================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: smb2_write_request
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek 21 21
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *write*. This is sent by the client to write data to the file or
named pipe on the server.
For more information, see MS-SMB2:2.2.21
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param file_id: The GUID being used for the file.
:param offset: How far into the file this write should be taking place.
:param length: The number of bytes of the file being written.
.. zeek:see:: smb2_message
.. zeek:id:: smb2_write_response
:source-code: base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek 37 37
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, length: :zeek:type:`count`)
Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
version 2 requests of type *write*. This is sent by the server in response to a write request or
named pipe on the server.
For more information, see MS-SMB2:2.2.22
:param c: The connection.
:param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
:param length: The number of bytes of the file being written.
.. zeek:see:: smb2_message

Some files were not shown because too many files have changed in this diff Show more