##! The events that the C/C++ core of Bro can generate. These are mostly
##! high-level network events that protocol analyzers detect, but there are
##! also several general-utility events generated by internal Bro frameworks.

#
# Documentation conventions:
#
# - Use past tense for activity that has already occurred.
#
# - List parameters with an empty line in between.
#
# - Within the description, reference other parameters of the same event
#   as *arg*.
#
# - Order:
#
#   - Short initial sentence (which doesn't need to be a sentence),
#     starting with "Generated ..."
#
#   - Description
#
#   - Parameters
#
#   - .. bro:see::
#
#   - .. note::
#
#   - .. todo::

## Generated at Bro initialization time. The event engine generates this
## event just before normal input processing begins. It can be used to execute
## one-time initialization code at startup. At the time a handler runs, Bro will
## have executed any global initializations and statements.
##
## .. bro:see:: bro_done
##
## .. note::
##
##    When a ``bro_init`` handler executes, Bro has not yet seen any input
##    packets and therefore :bro:id:`network_time` is not initialized yet. An
##    artifact of that is that any timer installed in a ``bro_init`` handler
##    will fire immediately with the first packet. The standard way to work
##    around that is to ignore the first time the timer fires and immediately
##    reschedule.
event bro_init%(%);

## Generated at Bro termination time. The event engine generates this event when
## Bro is about to terminate, either due to having exhausted reading its input
## trace file(s), receiving a termination signal, or because Bro was run without
## a network input source and has finished executing any global statements.
##
## .. bro:see:: bro_init
##
## .. note::
##
##    If Bro terminates due to an invocation of :bro:id:`exit`, then this event
##    is not generated.
event bro_done%(%);

## Generated when an internal DNS lookup produces the same result as last time.
## Bro keeps an internal DNS cache for host names and IP addresses it has
## already resolved. This event is generated when a subsequent lookup returns
## the same result as stored in the cache.
##
## dm: A record describing the new resolver result (which matches the old one).
##
## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
##    dns_mapping_unverified
event dns_mapping_valid%(dm: dns_mapping%);

## Generated when an internal DNS lookup got no answer even though it had
## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
## addresses it has already resolved. This event is generated when a subsequent
## lookup does not produce an answer even though we have already stored a
## result in the cache.
##
## dm: A record describing the old resolver result.
##
## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
##    dns_mapping_valid
event dns_mapping_unverified%(dm: dns_mapping%);

## Generated when an internal DNS lookup succeeded but an earlier attempt did
## not. Bro keeps an internal DNS cache for host names and IP addresses it has
## already resolved. This event is generated when a subsequent lookup produces
## an answer for a query that was marked as failed in the cache.
##
## dm: A record describing the new resolver result.
##
## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified
##    dns_mapping_valid
event dns_mapping_new_name%(dm: dns_mapping%);

## Generated when an internal DNS lookup returned zero answers even though it
## had succeeded in the past. Bro keeps an internal DNS cache for host names and
## IP addresses it has already resolved. This event is generated when a
## subsequent lookup returns an answer that is empty even though we have
## already stored a result in the cache.
##
## dm: A record describing the old resolver result.
##
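As an added example of consuming these cache-revalidation events (this is not code from the Bro distribution), the handlers below count, per queried name, how often Bro's cached answer changed and print the addresses that came and went. That is the signal an operator wants when a name the monitor itself depends on suddenly resolves elsewhere. It assumes the ``dns_mapping`` record carries ``req_host``, ``req_addr`` and ``addrs`` fields, and it also handles ``dns_mapping_altered``, documented next, for the case where the address set changed. ``DnsChange`` and ``dns_changes`` are this example's own names.

```bro
# Added example, not from the Bro source tree.
# Assumed dns_mapping fields: req_host (queried name, empty for reverse
# lookups), req_addr (queried address for reverse lookups), addrs (answer set).
module Example;

type DnsChange: record {
    kind:      string;              # which dns_mapping_* event fired
    old_addrs: addr_set &optional;  # addresses that disappeared, if known
    new_addrs: addr_set &optional;  # addresses that appeared, if known
};

# Queried name (or reverse-lookup address) -> number of changes observed.
global dns_changes: table[string] of count &default=0;

function mapping_key(dm: dns_mapping): string
{
    return dm$req_host != "" ? dm$req_host : fmt("%s", dm$req_addr);
}

function note_change(dm: dns_mapping, change: DnsChange)
{
    local key = mapping_key(dm);
    ++dns_changes[key];
    print fmt("%s DNS cache %s for %s (%d change(s) so far)",
              network_time(), change$kind, key, dns_changes[key]);

    if ( change?$old_addrs )
        print fmt("    gone: %s", change$old_addrs);
    if ( change?$new_addrs )
        print fmt("    new:  %s", change$new_addrs);
}

# dns_mapping_valid needs no handler here: the cached answer was confirmed.

event dns_mapping_unverified(dm: dns_mapping)
{
    note_change(dm, [$kind="unverified (no answer this time)"]);
}

event dns_mapping_new_name(dm: dns_mapping)
{
    note_change(dm, [$kind="new name (lookup previously failed)",
                     $new_addrs=dm$addrs]);
}

event dns_mapping_lost_name(dm: dns_mapping)
{
    note_change(dm, [$kind="lost name (empty answer)",
                     $old_addrs=dm$addrs]);
}

event dns_mapping_altered(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set)
{
    note_change(dm, [$kind="altered",
                     $old_addrs=old_addrs, $new_addrs=new_addrs]);
}
```

The per-name counter is what makes this useful: a single ``unverified`` after a transient resolver failure is noise, while a name that flips between address sets repeatedly during one run deserves a look at the resolver path.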
## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified
##    dns_mapping_valid
event dns_mapping_lost_name%(dm: dns_mapping%);

## Generated when an internal DNS lookup produced a different result than in
## the past. Bro keeps an internal DNS cache for host names and IP addresses it
## has already resolved. This event is generated when a subsequent lookup
## returns a different answer than we have stored in the cache.
##
## dm: A record describing the new resolver result.
##
## old_addrs: Addresses that used to be part of the returned set for the query
##            described by *dm*, but are not anymore.
##
## new_addrs: Addresses that did not use to be part of the returned set for the
##            query described by *dm*, but now are.
##
## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
##    dns_mapping_valid
event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);

## Generated for every new connection. The event is raised with the first packet
## of a previously unknown connection. Bro uses a flow-based definition of
## "connection" here that includes not only TCP sessions but also UDP and ICMP
## flows.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reset connection_reused
##    connection_state_remove connection_status_update connection_timeout
##    expected_connection_seen new_connection_contents partial_connection
##
## .. note::
##
##    Handling this event is potentially expensive. For example, during a SYN
##    flooding attack, every spoofed SYN packet will lead to a new event.
event new_connection%(c: connection%);

## Generated when reassembly starts for a TCP connection.
## The event is raised at the moment when Bro's TCP analyzer enables stream
## reassembly for a connection.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reset connection_reused
##    connection_state_remove connection_status_update connection_timeout
##    expected_connection_seen new_connection partial_connection
event new_connection_contents%(c: connection%);

## Generated for an unsuccessful connection attempt. The event is raised when an
## originator unsuccessfully attempted to establish a connection. "Unsuccessful"
## is defined as at least :bro:id:`tcp_attempt_delay` seconds having elapsed
## since the originator first sent a connection establishment packet to the
## destination without seeing a reply.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_established
##    connection_external connection_finished connection_first_ACK
##    connection_half_finished connection_partial_close connection_pending
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
event connection_attempt%(c: connection%);

## Generated for an established TCP connection. The event is raised when the
## initial 3-way TCP handshake has successfully finished for a connection.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_external connection_finished connection_first_ACK
##    connection_half_finished connection_partial_close connection_pending
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
event connection_established%(c: connection%);

## Generated for a new active TCP connection if Bro did not see the initial
## handshake. The event is raised when Bro has observed traffic from each
## endpoint, but the activity did not begin with the usual connection
## establishment.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reset connection_reused
##    connection_state_remove connection_status_update connection_timeout
##    expected_connection_seen new_connection new_connection_contents
event partial_connection%(c: connection%);

## Generated when a previously inactive endpoint attempts to close a TCP
## connection via a normal FIN handshake or an abort RST sequence. When the
## endpoint sent one of these packets, Bro waits :bro:id:`tcp_partial_close_delay`
## prior to generating the event, to give the other endpoint a chance to close
## the connection normally.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_pending
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
event connection_partial_close%(c: connection%);

## Generated for a TCP connection that finished normally. The event is raised
## when a regular FIN handshake from both endpoints was observed.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_first_ACK
##    connection_half_finished connection_partial_close connection_pending
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
event connection_finished%(c: connection%);

## Generated when one endpoint of a TCP connection attempted to gracefully close
## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
## happen due to split routing, in which Bro only sees one side of a connection.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_partial_close connection_pending
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
event connection_half_finished%(c: connection%);

## Generated for a rejected TCP connection.
## The event is raised when an originator attempted to set up a TCP connection
## but the responder replied with a RST packet denying it.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
##
## .. note::
##
##    If the responder does not respond at all, :bro:id:`connection_attempt` is
##    raised instead. If the responder initially accepts the connection but
##    aborts it later, Bro first generates :bro:id:`connection_established` and
##    then :bro:id:`connection_reset`.
event connection_rejected%(c: connection%);

## Generated when an endpoint aborted a TCP connection. The event is raised
## when one endpoint of an established TCP connection aborted it by sending a
## RST packet.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reused
##    connection_state_remove connection_status_update connection_timeout
##    expected_connection_seen new_connection new_connection_contents
##    partial_connection
event connection_reset%(c: connection%);

## Generated for each still-open connection when Bro terminates.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection bro_done
event connection_pending%(c: connection%);

## Generated when a connection's internal state is about to be removed from
## memory. Bro generates this event reliably once for every connection when it
## is about to delete the internal state. As such, the event is well-suited for
## script-level cleanup that needs to be performed for every connection. The
## ``connection_state_remove`` event is generated not only for TCP sessions but
## also for UDP and ICMP flows.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reset connection_reused
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection udp_inactivity_timeout
##    tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
event connection_state_remove%(c: connection%);

## Generated for a SYN packet. Bro raises this event for every SYN packet seen by
## its TCP analyzer.
##
## c: The connection.
##
## pkt: Information extracted from the SYN packet.
##
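An added example (not part of the Bro distribution) that ties two points from this file together. Per-connection state is allocated on ``connection_established`` rather than ``new_connection``, so a SYN flood of spoofed packets does not fill the table, and it is released in ``connection_state_remove``, the one event guaranteed to fire exactly once per connection. The periodic summary also shows the ``bro_init`` timer workaround described at the top of the file: the first firing arrives with the first packet and is discarded before the timer is rescheduled. The setting ``summary_interval`` and the ``Track`` record are this example's own.

```bro
# Added example, not from the Bro source tree.
module Example;

export {
    ## How often to print a summary (this example's own setting).
    const summary_interval = 1 min &redef;
}

type Track: record {
    start:  time;
    resets: count &default=0;
};

# Keyed by connection uid. Only connections whose handshake completed are
# tracked, so a flood of spoofed SYNs does not grow this table.
global tracked: table[string] of Track;
global skipped_first_fire = F;

event summary()
{
    if ( ! skipped_first_fire )
    {
        # A timer scheduled from bro_init fires with the first packet because
        # network_time() was not set when it was installed. Ignore that firing
        # and reschedule so the following ones are spaced by summary_interval.
        skipped_first_fire = T;
        schedule summary_interval { summary() };
        return;
    }

    print fmt("%s %d established connection(s) currently tracked",
              network_time(), |tracked|);
    schedule summary_interval { summary() };
}

event bro_init()
{
    schedule summary_interval { summary() };
}

event connection_established(c: connection)
{
    tracked[c$uid] = [$start=network_time()];
}

event connection_reset(c: connection)
{
    if ( c$uid in tracked )
        ++tracked[c$uid]$resets;
}

event connection_state_remove(c: connection)
{
    # Raised exactly once for every connection, TCP, UDP and ICMP alike, so
    # this is where anything allocated above gets released.
    if ( c$uid !in tracked )
        return;

    local t = tracked[c$uid];
    print fmt("%s %s %s:%s -> %s:%s lived %s with %d reset(s)",
              network_time(), c$uid, c$id$orig_h, c$id$orig_p,
              c$id$resp_h, c$id$resp_p, network_time() - t$start, t$resets);
    delete tracked[c$uid];
}

event bro_done()
{
    print fmt("exiting with %d connection(s) still in the table", |tracked|);
}
```

Keying on ``c$uid`` rather than the 4-tuple matters because of ``connection_reused``: a new session on a recycled 4-tuple gets a fresh uid, so the old entry cannot be mistaken for the new one.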
## .. bro:see:: connection_EOF connection_attempt connection_established
##    connection_external connection_finished connection_first_ACK
##    connection_half_finished connection_partial_close connection_pending
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
##
## .. note::
##
##    This event has quite low-level semantics and can potentially be expensive
##    to generate. It should only be used if one really needs the specific
##    information passed into the handler via the ``pkt`` argument. If not,
##    handling one of the other ``connection_*`` events is typically the better
##    approach.
event connection_SYN_packet%(c: connection, pkt: SYN_packet%);

## Generated for the first ACK packet seen for a TCP connection from
## its *originator*.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_half_finished connection_partial_close connection_pending
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
##
## .. note::
##
##    This event has quite low-level semantics and should be used only rarely.
event connection_first_ACK%(c: connection%);

## Generated when a TCP connection timed out. This event is raised when no
## activity was seen for an interval of at least :bro:id:`tcp_connection_linger`,
## and either one endpoint has already closed the connection or one side never
## became active.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reset connection_reused
##    connection_state_remove connection_status_update expected_connection_seen
##    new_connection new_connection_contents partial_connection
##
## .. note::
##
##    The precise semantics of this event can be unintuitive as it only
##    covers a subset of cases where a connection times out. Often, handling
##    :bro:id:`connection_state_remove` is the better option. That one will be
##    generated reliably when an interval of ``tcp_inactivity_timeout`` has
##    passed without any activity seen (but also for all other ways a
##    connection may terminate).
event connection_timeout%(c: connection%);

## Generated when a connection 4-tuple is reused. The event is raised when Bro
## sees a new TCP session or UDP flow using a 4-tuple matching that of an earlier
## connection it still considers active.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reset connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
event connection_reused%(c: connection%);

## Generated in regular intervals during the lifetime of a connection. The
## event is raised every ``connection_status_update_interval`` seconds
## and can be used to check conditions on a regular basis.
##
## c: The connection.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reset connection_reused
##    connection_state_remove connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
event connection_status_update%(c: connection%);

## Generated at the end of reassembled TCP connections. The TCP reassembler
## raises the event once for each endpoint of a connection when it finished
## reassembling the corresponding side of the communication.
##
## c: The connection.
##
## is_orig: True if the event is raised for the originator side.
##
## .. bro:see:: connection_SYN_packet connection_attempt connection_established
##    connection_external connection_finished connection_first_ACK
##    connection_half_finished connection_partial_close connection_pending
##    connection_rejected connection_reset connection_reused connection_state_remove
##    connection_status_update connection_timeout expected_connection_seen
##    new_connection new_connection_contents partial_connection
event connection_EOF%(c: connection, is_orig: bool%);

## Generated for a new connection received from the communication subsystem.
## Remote peers can inject packets into Bro's packet loop, for example via
## :doc:`Broccoli `. The communication system raises this event with the first
## packet of a connection coming in this way.
event connection_external%(c: connection, tag: string%);

## Generated when a connection is seen that has previously been marked as being
## expected. The function :bro:id:`expect_connection` tells Bro to expect a
## particular connection to come up, and which analyzer to associate with it.
## Once the first packet of such a connection is indeed seen, this event is
## raised.
##
## c: The connection.
##
## a: The analyzer that was scheduled for the connection with the
##    :bro:id:`expect_connection` call. When the event is raised, that
##    analyzer will already have been activated to process the connection. The
##    ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``.
##
## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
##    connection_established connection_external connection_finished
##    connection_first_ACK connection_half_finished connection_partial_close
##    connection_pending connection_rejected connection_reset connection_reused
##    connection_state_remove connection_status_update connection_timeout
##    new_connection new_connection_contents partial_connection
##
## .. todo:: We don't have a good way to document the automatically generated
##    ``ANALYZER_*`` constants right now.
event expected_connection_seen%(c: connection, a: count%);

## Generated for every packet Bro sees. This is a very low-level and expensive
## event that should be avoided when at all possible. It's usually infeasible to
## handle when processing even medium volumes of traffic in real-time. That
## said, if you work from a trace and want to do some packet-level analysis,
## it may come in handy.
##
## c: The connection the packet is part of.
##
## p: Information from the header of the packet that triggered the event.
##
## .. bro:see:: tcp_packet packet_contents
event new_packet%(c: connection, p: pkt_hdr%);

## Generated for every packet that has non-empty transport-layer payload. This
## is a very low-level and expensive event that should be avoided when at all
## possible. It's usually infeasible to handle when processing even medium
## volumes of traffic in real-time. It's even worse than :bro:id:`new_packet`.
## That said, if you work from a trace and want to do some packet-level
## analysis, it may come in handy.
##
## c: The connection the packet is part of.
##
## contents: The raw transport-layer payload.
##
## .. bro:see:: new_packet tcp_packet
event packet_contents%(c: connection, contents: string%);

## Generated for every TCP packet. This is a very low-level and expensive event
## that should be avoided when at all possible. It's usually infeasible to handle
## when processing even medium volumes of traffic in real-time. It's slightly
## better than :bro:id:`new_packet` because it affects only TCP, but not much.
## That said, if you work from a trace and want to do some packet-level
## analysis, it may come in handy.
##
## c: The connection the packet is part of.
##
## is_orig: True if the packet was sent by the connection's originator.
##
## flags: A string with the packet's TCP flags. In the string, each character
##        corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
##        ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH.
##
## seq: The packet's TCP sequence number.
##
## ack: The packet's ACK number.
##
## len: The length of the TCP payload, as specified in the packet header.
##
## payload: The raw TCP payload. Note that this may be less than *len* if the
##          packet was not fully captured.
##
## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);

## Generated for each option found in a TCP header. Like many of the ``tcp_*``
## events, this is a very low-level event and potentially expensive as it may
## be raised very often.
##
## c: The connection the packet is part of.
##
## is_orig: True if the packet was sent by the connection's originator.
##
## opt: The numerical option number, as found in the TCP header.
##
## optlen: The length of the option's value.
##
## .. bro:see:: tcp_packet tcp_contents tcp_rexmit
##
## .. note:: There is currently no way to get the actual option value, if any.
event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);

## Generated for each chunk of reassembled TCP payload.
## When content delivery is enabled for a TCP connection (via
## :bro:id:`tcp_content_delivery_ports_orig`,
## :bro:id:`tcp_content_delivery_ports_resp`,
## :bro:id:`tcp_content_deliver_all_orig`,
## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
## of in-order payload reconstructed from the packet stream. Note that this
## event is potentially expensive if many connections carry significant amounts
## of data, as then all of that needs to be passed on to the scripting layer.
##
## c: The connection the payload is part of.
##
## is_orig: True if the packet was sent by the connection's originator.
##
## seq: The sequence number corresponding to the first byte of the payload
##      chunk.
##
## payload: The raw payload, which will be non-empty.
##
## .. bro:see:: tcp_packet tcp_option tcp_rexmit
##    tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
##    tcp_content_deliver_all_resp tcp_content_deliver_all_orig
##
## .. note::
##
##    The payload received by this event is the same that is also passed into
##    application-layer protocol analyzers internally. Subsequent invocations of
##    this event for the same connection receive non-overlapping in-order chunks
##    of its TCP payload stream. It is however undefined what size each chunk
##    has; while Bro passes the data on as soon as possible, specifics depend on
##    network-level effects such as latency, acknowledgements, reordering, etc.
event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);

## Generated
event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);

## Generated when Bro detects a TCP retransmission inconsistency. When
## reassembling a TCP stream, Bro buffers all payload until it sees the
## responder acknowledging it. If during that time the sender resends a chunk
## of payload with different content than originally, this event will be
## raised.
##
## c: The connection showing the inconsistency.
##
## t1: The original payload.
##
## t2: The new payload.
##
## .. bro:see:: tcp_rexmit tcp_contents
event rexmit_inconsistency%(c: connection, t1: string, t2: string%);

## Generated when a TCP endpoint acknowledges payload that Bro never saw.
##
## c: The connection.
##
## .. bro:see:: content_gap
##
## .. note::
##
##    Seeing an acknowledgment indicates that the responder of the connection
##    says it has received the corresponding data. If Bro did not, it must have
##    either missed one or more packets, or the responder's TCP stack is broken
##    (which isn't unheard of). In practice, one will always see a few of these
##    events in any larger volume of network traffic. If there are lots of them,
##    however, that typically means that there is a problem with the monitoring
##    infrastructure such as a tap dropping packets, split routing on the path,
##    or reordering at the tap.
##
##    This event reports similar situations as :bro:id:`content_gap`, though
##    their specifics differ slightly. Often, however, both will be raised for
##    the same connection if some of its data is missing. We should eventually
##    merge the two.
event ack_above_hole%(c: connection%);

## Generated when Bro detects a gap in a reassembled TCP payload stream. This
## event is raised when Bro, while reassembling a payload stream, determines
## that a chunk of payload is missing (e.g., because the responder has already
## acknowledged it, even though Bro didn't see it).
##
## c: The connection.
##
## is_orig: True if the gap is on the originator's side.
##
## seq: The sequence number where the gap starts.
##
## length: The number of bytes missing.
##
## .. bro:see:: ack_above_hole
##
## .. note::
##
##    Content gaps tend to occur occasionally for various reasons, including
##    broken TCP stacks. If, however, one finds lots of them, that typically
##    means that there is a problem with the monitoring infrastructure such as
##    a tap dropping packets, split routing on the path, or reordering at the
##    tap.
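The counters behind ``ack_above_hole`` and ``content_gap`` feed ``gap_report``, documented next, which Bro's ``misc/capture-loss`` script uses to estimate packet loss. The following added example (not that script, and not part of the Bro distribution) does the same in a few lines and adds a per-interval count of the connections that had a gap. It assumes the ``gap_info`` record has the fields ``ack_events``, ``ack_bytes``, ``gap_events`` and ``gap_bytes``; the threshold ``loss_threshold`` and the notice type ``Capture_Loss`` are this example's own names.

```bro
# Added example, not from the Bro source tree.
# Assumed gap_info fields: ack_events, ack_bytes, gap_events, gap_bytes.
@load base/frameworks/notice

module Example;

export {
    redef enum Notice::Type += {
        ## Acked bytes that the monitor never saw exceeded loss_threshold
        ## in one gap_report interval.
        Capture_Loss
    };

    ## Percentage of acked bytes that may be missing before a notice is
    ## raised (this example's own setting).
    const loss_threshold = 5.0 &redef;
}

# Connections that had at least one gap since the last report.
global gapped_conns: set[string];

# Percentage of acknowledged bytes that the monitor never captured.
function loss_percent(info: gap_info): double
{
    if ( info$ack_bytes == 0 )
        return 0.0;

    return 100.0 * info$gap_bytes / info$ack_bytes;
}

event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
    add gapped_conns[c$uid];
}

event gap_report(dt: interval, info: gap_info)
{
    local pct = loss_percent(info);

    print fmt("%s last %s: %d acks/%d bytes, %d gaps/%d bytes missing, %.2f pct lost, %d connection(s) affected",
              network_time(), dt, info$ack_events, info$ack_bytes,
              info$gap_events, info$gap_bytes, pct, |gapped_conns|);

    if ( pct > loss_threshold )
        NOTICE([$note=Capture_Loss,
                $msg=fmt("%.2f pct of acked bytes not captured in the last %s; check the tap for drops, split routing or reordering",
                         pct, dt)]);

    # Start a fresh window for the next interval.
    gapped_conns = set();
}
```

Bytes rather than event counts are the right ratio to threshold on: one long-lived bulk transfer can produce a single huge gap, while many tiny gaps across short connections add up to very little lost data.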
##
##    This event reports similar situations as :bro:id:`ack_above_hole`, though
##    their specifics differ slightly. Often, however, both will be raised for
##    the same connection if some of its data is missing. We should eventually
##    merge the two.
event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);

## Summarizes the amount of missing TCP payload at regular intervals.
## Internally, Bro tracks (1) the number of :bro:id:`ack_above_hole` events,
## including the number of bytes missing; and (2) the total number of TCP acks
## seen, with the total volume of bytes that have been acked. This event reports
## these statistics in :bro:id:`gap_report_freq` intervals for the purpose of
## determining packet loss.
##
## dt: The time that has passed since the last ``gap_report`` interval.
##
## info: The gap statistics.
##
## .. bro:see:: content_gap ack_above_hole
##
## .. note::
##
##    Bro comes with a script :doc:`/scripts/policy/misc/capture-loss` that uses
##    this event to estimate packet loss and report when a predefined threshold
##    is exceeded.
event gap_report%(dt: interval, info: gap_info%);

## Generated when a protocol analyzer confirms that a connection is indeed
## using that protocol. Bro's dynamic protocol detection heuristically activates
## analyzers as soon as it believes a connection *could* be using a particular
## protocol. It is then left to the corresponding analyzer to verify whether
## that is indeed the case; if so, this event will be generated.
##
## c: The connection.
##
## atype: The type of the analyzer confirming that its protocol is in
##        use. The value is one of the ``ANALYZER_*`` constants. For example,
##        ``ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed
##        parsing an HTTP connection.
##
## aid: A unique integer ID identifying the specific *instance* of the
##      analyzer *atype* that is analyzing the connection ``c``.
##      The ID can be used to reference the analyzer when using builtin
##      functions like :bro:id:`disable_analyzer`.
##
## .. bro:see:: protocol_violation
##
## .. note::
##
##    Bro's default scripts use this event to determine the ``service`` column
##    of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed
##    there (and thus in ``conn.log``).
event protocol_confirmation%(c: connection, atype: count, aid: count%);

## Generated when a protocol analyzer determines that a connection it is parsing
## is not conforming to the protocol it expects. Bro's dynamic protocol
## detection heuristically activates analyzers as soon as it believes a
## connection *could* be using a particular protocol. It is then left to the
## corresponding analyzer to verify whether that is indeed the case; if not,
## the analyzer will trigger this event.
##
## c: The connection.
##
## atype: The type of the analyzer reporting the violation. The value is one of
##        the ``ANALYZER_*`` constants. For example, ``ANALYZER_HTTP`` means the
##        HTTP analyzer determined that it is not parsing an HTTP connection
##        after all.
##
## aid: A unique integer ID identifying the specific *instance* of the
##      analyzer *atype* that is analyzing the connection ``c``. The ID can
##      be used to reference the analyzer when using builtin functions like
##      :bro:id:`disable_analyzer`.
##
## reason: A textual description of the violation.
##
## .. bro:see:: protocol_confirmation
##
## .. note::
##
##    Bro's default scripts use this event to disable an analyzer via
##    :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's
##    however a script-level decision and not done automatically by the event
##    engine.
event protocol_violation%(c: connection, atype: count, aid: count, reason: string%);

## Generated for each packet sent by a UDP flow's originator. This is a
## potentially expensive event due to the volume of UDP traffic and should be
## used with care.
##
## u: The connection record for the corresponding UDP flow.
##
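As an added example (not Bro's own ``dpd`` script and not part of the distribution), the handlers below do at script level what the ``protocol_violation`` note describes: they stop an analyzer that reports a violation, and they additionally remember which analyzer instances had already confirmed their protocol on a connection, so that a confirm-then-violate sequence, which often means a different protocol is being tunnelled over a well-known port, is reported separately. The ``disable_analyzer(c$id, aid)`` call is taken from the text above; ``ANALYZER_HTTP`` is assumed to be one of the generated ``ANALYZER_*`` constants, and ``confirmed`` and ``analyzer_label`` are this example's own names.

```bro
# Added example, not from the Bro source tree.
module Example;

# Analyzer instance IDs that confirmed their protocol, per connection uid.
global confirmed: table[string] of set[count];

function analyzer_label(atype: count): string
{
    # Only ANALYZER_HTTP is named in this file; other types print as numbers.
    return atype == ANALYZER_HTTP ? "HTTP" : fmt("analyzer type %d", atype);
}

event protocol_confirmation(c: connection, atype: count, aid: count)
{
    if ( c$uid !in confirmed )
        confirmed[c$uid] = set();

    local s = confirmed[c$uid];
    add s[aid];
}

event protocol_violation(c: connection, atype: count, aid: count, reason: string)
{
    if ( c$uid in confirmed && aid in confirmed[c$uid] )
        # The parser had already accepted this stream. A violation after that
        # point is more interesting than a failed guess during detection.
        print fmt("%s %s %s:%s -> %s:%s: %s confirmed, then violated: %s",
                  network_time(), c$uid, c$id$orig_h, c$id$orig_p,
                  c$id$resp_h, c$id$resp_p, analyzer_label(atype), reason);

    # Either way, stop feeding bytes to a parser that is on the wrong
    # protocol. The event engine does not do this by itself.
    disable_analyzer(c$id, aid);
}

event connection_state_remove(c: connection)
{
    if ( c$uid in confirmed )
        delete confirmed[c$uid];
}
```

Disabling only the one instance identified by ``aid`` leaves any other analyzers on the connection running, so a connection that the HTTP analyzer gives up on can still be confirmed by another analyzer later.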
## .. bro:see:: udp_contents udp_reply udp_session_done
event udp_request%(u: connection%);

## Generated for each packet sent by a UDP flow's responder. This is a
## potentially expensive event due to the volume of UDP traffic and should be
## used with care.
##
## u: The connection record for the corresponding UDP flow.
##
## .. bro:see:: udp_contents udp_request udp_session_done
event udp_reply%(u: connection%);

## Generated for UDP packets to pass on their payload. As the number of UDP
## packets can be very large, this event is normally raised only for those on
## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets
## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp`
## (for packets sent by the flow's responder). However, delivery can be enabled
## for all UDP request and reply packets by setting
## :bro:id:`udp_content_deliver_all_orig` or
## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this event
## is raised for all matching UDP packets, including empty ones.
##
## u: The connection record for the corresponding UDP flow.
##
## is_orig: True if the event is raised for the originator side.
##
## contents: The raw UDP payload.
##
## .. bro:see:: udp_reply udp_request udp_session_done
##    udp_content_deliver_all_orig udp_content_deliver_all_resp
##    udp_content_delivery_ports_orig udp_content_delivery_ports_resp
event udp_contents%(u: connection, is_orig: bool, contents: string%);

## Generated when a UDP session for a supported protocol has finished. Some of
## Bro's application-layer UDP analyzers flag the end of a session by raising
## this event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog
## support this.
##
## u: The connection record for the corresponding UDP flow.
##
## .. bro:see:: udp_contents udp_reply udp_request
event udp_session_done%(u: connection%);

## Generated for all ICMP messages that are not handled separately with
## dedicated ICMP events.
## Bro's ICMP analyzer handles a number of ICMP messages directly
## with dedicated events. This handler acts as a fallback for those it doesn't.
## The *icmp* record provides more information about the message.
##
## See `Wikipedia
## `__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect
##    icmp_time_exceeded icmp_unreachable
event icmp_sent%(c: connection, icmp: icmp_conn%);

## Generated for ICMP *echo request* messages.
##
## See `Wikipedia
## `__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## id: The *echo request* identifier.
##
## seq: The *echo request* sequence number.
##
## payload: The message-specific data of the packet payload, i.e., everything after
## the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_reply icmp_redirect icmp_sent
##    icmp_time_exceeded icmp_unreachable
event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);

## Generated for ICMP *echo reply* messages.
##
## See `Wikipedia
## `__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## id: The *echo reply* identifier.
##
## seq: The *echo reply* sequence number.
##
## payload: The message-specific data of the packet payload, i.e., everything after
## the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_request icmp_redirect icmp_sent
##    icmp_time_exceeded icmp_unreachable
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);

## Generated for ICMP *destination unreachable* messages.
##
## See `Wikipedia
## `__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *unreachable* message.
##
## context: A record with specifics of the original packet that the message refers
## to. *Unreachable* messages should include the original IP header from the packet
## that triggered them, and Bro parses that into the *context* structure. Note
## that if the *unreachable* includes only a partial IP header for some reason, no
## fields of *context* will be filled out.
##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
##    icmp_time_exceeded
event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);

## Generated for ICMP *time exceeded* messages.
##
## See `Wikipedia
## `__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *exceeded* message.
##
## context: A record with specifics of the original packet that the message refers
## to. *Time exceeded* messages should include the original IP header from the packet
## that triggered them, and Bro parses that into the *context* structure. Note that
## if the *exceeded* includes only a partial IP header for some reason, no fields
## of *context* will be filled out.
##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
##    icmp_unreachable
event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);

## Generated for ICMP *redirect* messages.
##
## See `Wikipedia
## `__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## a: The new destination address the message is redirecting to.
##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
##    icmp_time_exceeded icmp_unreachable
event icmp_redirect%(c: connection, icmp: icmp_conn, a: addr%);

## Generated when a TCP connection has terminated, passing on statistics about the
## two endpoints. This event is always generated when Bro flushes the internal
## connection state, independent of how a connection terminates.
##
## c: The connection.
##
## os: Statistics for the originator endpoint.
##
## rs: Statistics for the responder endpoint.
##
## .. bro:see:: connection_state_remove
event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);

## Generated for unexpected activity related to a specific connection. When
## Bro's packet analysis encounters activity that does not conform to a protocol's
## specification, it raises one of the ``*_weird`` events to report that. This
## event is raised if the activity is tied directly to a specific connection.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## scripts use this name in filtering policies that specify which "weirds" are
## worth reporting.
##
## c: The corresponding connection.
##
## addl: Optional additional context further describing the situation.
##
## .. bro:see:: flow_weird net_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
##    than one would intuitively expect.
##    While in principle, any protocol violation
##    could be an attack attempt, it's much more likely that an endpoint's
##    implementation interprets an RFC quite liberally.
event conn_weird%(name: string, c: connection, addl: string%);

## Generated for unexpected activity related to a pair of hosts, but independent
## of a specific connection. When Bro's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the ``*_weird``
## events to report that. This event is raised if the activity is related to a
## pair of hosts, yet not to a specific connection between them.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## scripts use this name in filtering policies that specify which "weirds" are
## worth reporting.
##
## src: The source address corresponding to the activity.
##
## dst: The destination address corresponding to the activity.
##
## .. bro:see:: conn_weird net_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
##    than one would intuitively expect. While in principle, any protocol violation
##    could be an attack attempt, it's much more likely that an endpoint's
##    implementation interprets an RFC quite liberally.
event flow_weird%(name: string, src: addr, dst: addr%);

## Generated for unexpected activity that is not tied to a specific connection
## or pair of hosts. When Bro's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the
## ``*_weird`` events to report that. This event is raised if the activity is
## not tied directly to a specific connection or pair of hosts.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## scripts use this name in filtering policies that specify which "weirds" are
## worth reporting.
##
## .. bro:see:: flow_weird
##
## .. note:: "Weird" activity is much more common in real-world network traffic
##    than one would intuitively expect. While in principle, any protocol violation
##    could be an attack attempt, it's much more likely that an endpoint's
##    implementation interprets an RFC quite liberally.
event net_weird%(name: string%);

## Generated regularly for the purpose of profiling Bro's processing. This event
## is raised once every :bro:id:`load_sample_freq` packets. For these packets,
## Bro records script-level functions executed during their processing as well as
## further internal locations. By sampling the processing in this form, one can
## understand where Bro spends its time.
##
## samples: A set with functions and locations seen during the processing of
## the sampled packet.
##
## CPU: The CPU time spent on processing the sampled packet.
##
## dmem: The difference in memory usage caused by processing the sampled packet.
event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);

## Generated for ARP requests.
##
## See `Wikipedia `__ for
## more information about the ARP protocol.
##
## mac_src: The request's source MAC address.
##
## mac_dst: The request's destination MAC address.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## .. bro:see:: arp_reply bad_arp
event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%);

## Generated for ARP replies.
##
## See `Wikipedia `__ for
## more information about the ARP protocol.
##
## mac_src: The reply's source MAC address.
##
## mac_dst: The reply's destination MAC address.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## .. bro:see:: arp_request bad_arp
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%);

## Generated for ARP packets that Bro cannot interpret. Examples are packets with
## non-standard hardware address formats or hardware addresses that do not match the
## originator of the packet.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## explanation: A short description of why the ARP packet is considered "bad".
##
## .. bro:see:: arp_reply arp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_handshake%(c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
##    bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_choke%(c: connection, is_orig: bool%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request
##    bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_interested%(c: connection, is_orig: bool%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
##    bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, begin: count, length: count%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, begin: count, piece_length: count%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
##    bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, begin: count, length: count%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
##    bittorrent_peer_weird
event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
##    bittorrent_peer_weird
event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, data: string%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
##    bittorrent_peer_unknown
event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
##    bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_request%(c: connection, uri: string, headers: bt_tracker_headers%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
##    bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_response%(c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
##    bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_response_not_ok%(c: connection, status: count, headers: bt_tracker_headers%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
##    bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%);

## Generated for Finger requests.
##
## See `Wikipedia `__ for more
## information about the Finger protocol.
##
## c: The connection.
##
## full: True if verbose information is requested (``/W`` switch).
##
## username: The request's user name.
##
## hostname: The request's host name.
##
## .. bro:see:: finger_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event finger_request%(c: connection, full: bool, username: string, hostname: string%);

## Generated for Finger replies.
##
## See `Wikipedia `__ for more
## information about the Finger protocol.
##
## c: The connection.
##
## reply_line: The reply as returned by the server.
##
## .. bro:see:: finger_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event finger_reply%(c: connection, reply_line: string%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
##    gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event gnutella_text_msg%(c: connection, orig: bool, headers: string%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
##    gnutella_not_establish gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event gnutella_partial_binary_msg%(c: connection, orig: bool, msg: string, len: count%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event gnutella_establish%(c: connection%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event gnutella_not_establish%(c: connection%);

## TODO.
##
## See `Wikipedia `__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event gnutella_http_notify%(c: connection%);

## Generated for Ident requests.
##
## See `Wikipedia `__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The request's local port.
##
## rport: The request's remote port.
##
## .. bro:see:: ident_error ident_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event ident_request%(c: connection, lport: port, rport: port%);

## Generated for Ident replies.
##
## See `Wikipedia `__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The corresponding request's local port.
##
## rport: The corresponding request's remote port.
##
## user_id: The user id returned by the reply.
##
## system: The operating system returned by the reply.
##
## .. bro:see:: ident_error ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);

## Generated for Ident error replies.
##
## See `Wikipedia `__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The corresponding request's local port.
##
## rport: The corresponding request's remote port.
##
## line: The error description returned by the reply.
##
## .. bro:see:: ident_reply ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event ident_error%(c: connection, lport: port, rport: port, line: string%);

## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
## Telnet/Rlogin sessions to heuristically extract username and password
## information as well as the text returned by the login server. This event is
## raised if a login attempt appears to have been unsuccessful.
##
## c: The connection.
##
## user: The user name tried.
##
## client_user: For Telnet connections, this is an empty string, but for Rlogin
## connections, it is the client name passed in the initial authentication
## information (to check against .rhosts).
##
## password: The password tried.
##
## line: The line of text that led the analyzer to conclude that the
## authentication had failed.
##
## .. bro:see:: login_confused login_confused_text login_display login_input_line
##    login_output_line login_prompt login_success login_terminal direct_login_prompts
##    get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
##    login_timeouts set_login_state
##
## .. note:: The login analyzer depends on a set of script-level variables that
##    need to be configured with patterns identifying login attempts. This configuration
##    has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
##    therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);

## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
## Telnet/Rlogin sessions to heuristically extract username and password
## information as well as the text returned by the login server. This event is
## raised if a login attempt appears to have been successful.
##
## c: The connection.
##
## user: The user name used.
##
## client_user: For Telnet connections, this is an empty string, but for Rlogin
## connections, it is the client name passed in the initial authentication
## information (to check against .rhosts).
##
## password: The password used.
##
## line: The line of text that led the analyzer to conclude that the
## authentication had succeeded.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
##    login_input_line login_output_line login_prompt login_terminal
##    direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
##    login_prompts login_success_msgs login_timeouts set_login_state
##
## .. note:: The login analyzer depends on a set of script-level variables that
##    need to be configured with patterns identifying login attempts. This configuration
##    has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is
##    therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);

## Generated for lines of input on Telnet/Rlogin sessions. The line will have
## control characters (such as in-band Telnet options) removed.
##
## c: The connection.
##
## line: The input line.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
##    login_output_line login_prompt login_success login_terminal rsh_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event login_input_line%(c: connection, line: string%);

## Generated for lines of output on Telnet/Rlogin sessions. The line will have
## control characters (such as in-band Telnet options) removed.
##
## c: The connection.
##
## line: The output line.
##
## .. bro:see:: login_confused login_confused_text login_display login_failure
##    login_input_line login_prompt login_success login_terminal rsh_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event login_output_line%(c: connection, line: string%);

## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's *login*
## analyzer uses a number of heuristics to extract authentication information, it
## may become confused. If it can no longer correctly track the authentication
## dialog, it raises this event.
##
## c: The connection.
##
## msg: Gives the particular problem the heuristics detected (for example,
## ``multiple_login_prompts`` means that the engine saw several login prompts in
## a row, without the type-ahead from the client side presumed necessary to cause
## them).
##
## line: The line of text that caused the heuristics to conclude they were
## confused.
##
## .. bro:see:: login_confused_text login_display login_failure login_input_line login_output_line
##    login_prompt login_success login_terminal direct_login_prompts get_login_state
##    login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
##    login_timeouts set_login_state
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:id:`dpd_config` or a DPD payload signature.
event login_confused%(c: connection, msg: string, line: string%);

## Generated after getting confused while tracking a Telnet/Rlogin authentication
## dialog.
The *login* analyzer generates this even for every line of user input ## after it has reported :bro:id:`login_confused` for a connection. ## ## c: The connection. ## ## line: The line the user typed. ## ## .. bro:see:: login_confused login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal direct_login_prompts ## get_login_state login_failure_msgs login_non_failure_msgs login_prompts ## login_success_msgs login_timeouts set_login_state ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_confused_text%(c: connection, line: string%); ## Generated for clients transmitting a terminal type in an Telnet session. This ## information is extracted out of environment variables sent as Telnet options. ## ## c: The connection. ## ## terminal: The TERM value transmitted. ## ## .. bro:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_prompt login_success ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_terminal%(c: connection, terminal: string%); ## Generated for clients transmitting a X11 DISPLAY in a Telnet session. This ## information is extracted out of environment variables sent as Telnet options. ## ## c: The connection. ## ## terminal: The DISPLAY transmitted. ## ## .. bro:see:: login_confused login_confused_text login_failure login_input_line ## login_output_line login_prompt login_success login_terminal ## ## .. 
todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_display%(c: connection, display: string%); ## Generated when a Telnet authentication has been successful. The Telnet protocol ## includes options for negotiating authentication. When such an option is sent ## from client to server and the server replies that it accepts the authentication, ## then the event engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## name: The authenticated name. ## ## c: The connection. ## ## .. bro:see:: authentication_rejected authentication_skipped login_success ## ## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_success` ## heuristically determines success by watching session data. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event authentication_accepted%(name: string, c: connection%); ## Generated when a Telnet authentication has been unsuccessful. The Telnet ## protocol includes options for negotiating authentication. When such an option ## is sent from client to server and the server replies that it did not accept the ## authentication, then the event engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## name: The attempted authentication name. ## ## c: The connection. ## ## .. bro:see:: authentication_accepted authentication_skipped login_failure ## ## .. 
note:: This event inspects the corresponding Telnet option while :bro:id:`login_success` ## heuristically determines failure by watching session ## data. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event authentication_rejected%(name: string, c: connection%); ## Generated when for Telnet/Rlogin sessions when a pattern match indicates ## that no authentication is performed. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## c: The connection. ## ## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts ## get_login_state login_failure_msgs login_non_failure_msgs login_prompts ## login_success_msgs login_timeouts set_login_state ## ## .. note:: The login analyzer depends on a set of script-level variables that ## need to be configured with patterns identifying actvity. This configuration has ## not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore ## not directly usable at the moment. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event authentication_skipped%(c: connection%); ## Generated for clients transmitting a terminal prompt in a Telnet session. This ## information is extracted out of environment variables sent as Telnet options. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## c: The connection. ## ## terminal: The TTYPROMPT transmitted. ## ## .. 
bro:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_success login_terminal ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_prompt%(c: connection, prompt: string%); ## Generated for Telnet sessions when encryption is activated. The Telnet protoco; ## includes options for negotiating encryption. When such a series of options is ## successfully negotiated, the event engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## c: The connection. ## ## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped ## login_confused login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal event activating_encryption%(c: connection%); ## Generated for inconsistent Telnet options observed. Telnet options are specified ## by the client and server stating which options they are willing to support ## vs. which they are not, and then instructing one another which in fact they ## should or should not use for the current connection. If the event engine sees ## a peer violate either what the other peer has instructed it to do, or what it ## itself offered in terms of options in the past, then the engine generates an ## inconsistent_option event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## c: The connection. ## ## .. 
bro:see:: bad_option bad_option_termination authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal event inconsistent_option%(c: connection%); ## Generated for an ill-formed or unrecognized Telnet option. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## c: The connection. ## ## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event bad_option%(c: connection%); ## Generated for a Telnet option that's incorrectly terminated. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## .. bro:see:: inconsistent_option bad_option authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event bad_option_termination%(c: connection%); ## Generated for client side commands on an RSH connection. 
## ## See `RFC 1258 `__ for more information about ## the Rlogin/Rsh protocol. ## ## c: The connection. ## ## client_user: The client-side user name as sent in the initial protocol ## handshake. ## ## client_user: The server-side user name as sent in the initial protocol ## handshake. ## ## line: The command line sent in the request. ## ## new_session: True if this is the first command of the Rsh session. ## ## .. bro:see:: rsh_reply login_confused login_confused_text login_display ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## ## .. note: For historical reasons, these events are separate from the ``login_`` ## events. Ideally, they would all be handled uniquely. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); ## Generated for client side commands on an RSH connection. ## ## See `RFC 1258 `__ for more information about ## the Rlogin/Rsh protocol. ## ## c: The connection. ## ## client_user: The client-side user name as sent in the initial protocol ## handshake. ## ## client_user: The server-side user name as sent in the initial protocol ## handshake. ## ## line: The command line sent in the request. ## ## new_session: True if this is the first command of the Rsh session. ## ## .. bro:see:: rsh_request login_confused login_confused_text login_display ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## ## .. note: For historical reasons, these events are separate from the ``login_`` ## events. Ideally, they would all be handled uniquely. ## ## .. 
todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); ## Generated for client-side FTP commands. ## ## See `Wikipedia `__ for more ## information about the FTP protocol. ## ## c: The connection. ## ## command: The FTP command issued by the client (without any arguments). ## ## arg: The arguments going with the command. ## ## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; ## Generated for server-side FTP replies. ## ## See `Wikipedia `__ for more ## information about the FTP protocol. ## ## c: The connection. ## ## code: The numerical response code the server responded with. ## ## msg: The textual message of the response. ## ## cont_resp: True if the reply line is tagged as being continued to the next line. ## If so, further events will be raised and a handler may want to reassemle the ## pieces before processing the response any further. ## ## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp"; ## Generated for client-side SMTP commands. ## ## See `Wikipedia `__ ## for more information about the SMTP protocol. ## ## c: The connection. ## ## is_orig: True if the sender of the command is the originator of the TCP ## connection. Note that this is not redundant: the SMTP ``TURN`` command allows ## client and server to flip roles on established SMTP sessions, and hence a ## "request" might still come from the TCP-level responder. 
In practice, however, ## that will rarely happen as TURN is considered insecure and rarely used. ## ## command: The request's command, without any arguments. ## ## arg: The request command's arguments. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_data smtp_reply ## ## .. note:: Bro does not support the newer ETRN extension yet. event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp"; ## Generated for server-side SMTP commands. ## ## See `Wikipedia `__ ## for more information about the SMTP protocol. ## ## c: The connection. ## ## is_orig: True if the sender of the command is the originator of the TCP ## connection. Note that this is not redundant: the SMTP ``TURN`` command ## allows client and server to flip roles on established SMTP sessions, ## and hence a "reply" might still come from the TCP-level originator. In ## practice, however, that will rarely happen as TURN is considered insecure ## and rarely used. ## ## code: The reply's numerical code. ## ## msg: The reply's textual description. ## ## cont_resp: True if the reply line is tagged as being continued to the next line. ## If so, further events will be raised and a handler may want to reassemle the ## pieces before processing the response any further. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_data smtp_request ## ## .. note:: Bro doesn't support the newer ETRN extension yet. event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp"; ## Generated for DATA transmitted on SMTP sessions. This event is raised for ## subsequent chunks of raw data following the ``DATA`` SMTP command until the ## corresponding end marker ``.`` is seen. 
A handler may want to reassembly ## the pieces as they come in if stream-analysis is required. ## ## See `Wikipedia `__ ## for more information about the SMTP protocol. ## ## c: The connection. ## ## is_orig: True if the sender of the data is the originator of the TCP ## connection. ## ## data: The raw data. Note that the size of each chunk is undefined and ## depends on specifics of the underlying TCP connection. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_reply smtp_request skip_smtp_data ## ## .. note:: This event received the unprocessed raw data. There is a separate ## set ``mime_*`` events that strip out the outer MIME-layer of emails and provide ## structured access to their content. event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; ## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the ## state of SMTP sessions and reports commands and other activity with this event ## that it sees even though it would not expect so at the current point of the ## communication. ## ## See `Wikipedia `__ ## for more information about the SMTP protocol. ## ## c: The connection. ## ## is_orig: True if the sender of the unexpected activity is the originator of the ## TCP connection. ## ## msg: A descriptive message of what was unexpected. ## ## detail: The actual SMTP line triggering the event. ## ## .. bro:see:: smtp_data smtp_request smtp_reply event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp"; ## Generated when starting to parse a email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with ## corresponding meta-data, for transmission. Bro raises this event when it begin ## parsing a MIME entity extracted from an email protocol. ## ## Bro's MIME analyzer for emails currently supports SMTP and POP3. 
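The reassembly that the ``cont_resp`` parameter of ``ftp_reply`` and ``smtp_reply`` and the chunked delivery of ``smtp_data`` call for, as an added example in Bro script (not part of event.bif or any Bro distribution script). It assumes Bro 2.x script semantics; the module, table and function names and the size limit are chosen here.

```bro
# Added example, not part of event.bif: per-connection reassembly of continued
# FTP/SMTP reply lines (cont_resp) and of SMTP DATA chunks.

module ReplyReassembly;

export {
    ## Upper bound on buffered SMTP DATA bytes per connection (example value).
    const max_data_bytes = 1048576 &redef;
}

# Lines of a multi-line reply whose final line has not arrived yet, by uid.
global pending_replies: table[string] of vector of string;

# SMTP DATA bytes seen since the last client command, by connection uid.
global pending_data: table[string] of string;

# Connections whose DATA buffer was dropped for exceeding max_data_bytes.
global oversized: set[string];

# Appends one reply line. Returns the complete reply (lines joined by
# newlines) once the final line has arrived, and an empty string while the
# server has tagged the line as continued.
function collect_reply(uid: string, msg: string, cont_resp: bool): string
    {
    if ( uid !in pending_replies )
        pending_replies[uid] = vector();

    # Vectors are reference types, so appending here updates the table entry.
    local lines = pending_replies[uid];
    lines[|lines|] = msg;

    if ( cont_resp )
        return "";

    delete pending_replies[uid];
    return join_string_vec(lines, "\n");
    }

# Reports replies whose text spans several lines; matching on a single
# *msg* would see only one fragment of these.
function report_reply(proto: string, c: connection, code: count, full: string)
    {
    local n = |split(full, /\n/)|;
    if ( n > 1 )
        print fmt("%s %s -> %s: %d-line reply %d:\n%s", proto,
                  c$id$resp_h, c$id$orig_h, n, code, full);
    }

event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
    {
    local full = collect_reply(c$uid, msg, cont_resp);
    if ( full != "" )
        report_reply("FTP", c, code, full);
    }

event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
                 msg: string, cont_resp: bool)
    {
    local full = collect_reply(c$uid, msg, cont_resp);
    if ( full != "" )
        report_reply("SMTP", c, code, full);
    }

# DATA arrives in chunks of arbitrary size; buffer them up to the limit.
event smtp_data(c: connection, is_orig: bool, data: string)
    {
    if ( c$uid in oversized )
        return;

    if ( c$uid !in pending_data )
        pending_data[c$uid] = "";

    if ( |pending_data[c$uid]| + |data| > max_data_bytes )
        {
        # Give up on oversized bodies rather than grow without bound.
        print fmt("SMTP DATA on %s exceeds %d bytes, dropping buffer",
                  c$uid, max_data_bytes);
        delete pending_data[c$uid];
        add oversized[c$uid];
        return;
        }

    pending_data[c$uid] = pending_data[c$uid] + data;
    }

# The next client command after the DATA terminator marks the end of the
# body, so the buffered message is complete at this point.
event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
    {
    delete oversized[c$uid];
    if ( c$uid !in pending_data )
        return;

    local body = pending_data[c$uid];
    delete pending_data[c$uid];
    print fmt("SMTP DATA on %s: %d bytes, %d lines", c$uid, |body|,
              |split(body, /\r?\n/)|);
    }

# Drop any state left behind by connections that ended mid-reply or mid-DATA.
event connection_state_remove(c: connection)
    {
    delete pending_replies[c$uid];
    delete pending_data[c$uid];
    delete oversized[c$uid];
    }
```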
## See `Wikipedia `__ for more information about the MIME
## format.
##
## c: The connection.
##
## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity
##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
##    http_begin_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, however,
##    it raises :bro:id:`http_begin_entity` instead.
event mime_begin_entity%(c: connection%);

## Generated when finishing parsing an email MIME entity. MIME is a
## protocol-independent data format for encoding text and files, along with
## corresponding meta-data, for transmission. Bro raises this event when it
## has finished parsing a MIME entity extracted from an email protocol.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## `__ for more information about the MIME
## format.
##
## c: The connection.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
##    http_end_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, however,
##    it raises :bro:id:`http_end_entity` instead.
event mime_end_entity%(c: connection%);

## Generated for individual MIME headers extracted from email MIME
## entities. MIME is a protocol-independent data format for encoding text and
## files, along with corresponding meta-data, for transmission.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## `__ for more information about the MIME
## format.
##
## c: The connection.
##
## h: The parsed MIME header.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
##    mime_end_entity mime_entity_data mime_event mime_segment_data
##    http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however,
##    it raises :bro:id:`http_header` instead.
event mime_one_header%(c: connection, h: mime_header_rec%);

## Generated for MIME headers extracted from email MIME entities, passing all
## headers at once. MIME is a protocol-independent data format for encoding text
## and files, along with corresponding meta-data, for transmission.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## `__ for more information about the MIME
## format.
##
## c: The connection.
##
## hlist: A *table* containing all headers extracted from the current entity.
## The table is indexed by the position of the header (1 for the first, 2 for the
## second, etc.).
##
## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity
##    mime_entity_data mime_event mime_one_header mime_segment_data
##    http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however,
##    it raises :bro:id:`http_header` instead.
event mime_all_headers%(c: connection, hlist: mime_header_list%);

## Generated for chunks of decoded MIME data from email MIME entities. MIME
## is a protocol-independent data format for encoding text and files, along with
## corresponding meta-data, for transmission. As Bro parses the data of an entity,
## it raises a sequence of these events, each coming as soon as a new chunk of
## data is available. In contrast, there is also :bro:id:`mime_entity_data`, which
## passes all of an entity's data at once in a single block. While the latter is
## more convenient to handle, ``mime_segment_data`` is more efficient as Bro does
## not need to buffer the data. Thus, if possible, this event should be preferred.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## `__ for more information about the MIME
## format.
##
## c: The connection.
##
## length: The length of *data*.
##
## data: The raw data of one segment of the current entity.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
##    mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
##    mime_segment_length mime_segment_overlap_length
##
## .. note:: Bro also extracts MIME data from HTTP sessions. For those, however, it
##    raises :bro:id:`http_entity_data` (sic!) instead.
event mime_segment_data%(c: connection, length: count, data: string%);

## Generated for data decoded from an email MIME entity. This event delivers
## the complete content of a single MIME entity. In contrast, there is also
## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as
## they come in. While ``mime_entity_data`` is more convenient to handle,
## ``mime_segment_data`` is more efficient as Bro does not need to buffer the data.
## Thus, if possible, the latter should be preferred.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## `__ for more information about the MIME
## format.
##
## c: The connection.
##
## length: The length of *data*.
##
## data: The raw data of the complete entity.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
##    mime_end_entity mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
##    sessions, there's no corresponding event for that currently.
event mime_entity_data%(c: connection, length: count, data: string%);

## Generated for passing on all data decoded from a single email MIME
## message. If an email message has more than one MIME entity, this event
## combines all their data into a single value for analysis. Note that because
## of the potentially significant buffering necessary, using this event can be
## expensive.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## `__ for more information about the MIME
## format.
##
## c: The connection.
##
## length: The length of *data*.
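The streaming use of ``mime_segment_data`` that the text recommends over ``mime_entity_data``, as an added example in Bro script (not part of event.bif or any Bro distribution script): each decoded chunk is inspected and then discarded, so a magic-byte and size check runs without buffering the entity. It assumes Bro 2.x script semantics and that the analyzer reports the Content-Type header under that name; the module, record and threshold names are chosen here, and nested multipart entities are not tracked separately.

```bro
# Added example, not part of event.bif: inspecting email MIME entities with
# mime_segment_data instead of mime_entity_data, so no entity is buffered.

module MimeStream;

export {
    ## Entities larger than this are reported (example value).
    const large_entity_bytes = 10485760 &redef;
}

type EntityState: record {
    content_type: string &default="";
    seen_bytes: count &default=0;
    first_segment: bool &default=T;
    # Set when the decoded entity starts with "MZ", the DOS/PE executable magic.
    exec_magic: bool &default=F;
};

# One entity in flight per connection. A nested multipart entity overwrites
# the outer one's state here; a stack per uid would be needed for full fidelity.
global entities: table[string] of EntityState;

event mime_begin_entity(c: connection)
    {
    entities[c$uid] = [$seen_bytes=0];
    }

event mime_one_header(c: connection, h: mime_header_rec)
    {
    if ( c$uid in entities && to_upper(h$name) == "CONTENT-TYPE" )
        entities[c$uid]$content_type = h$value;
    }

# Each segment is examined as it arrives and then dropped; only a running
# byte count and a few flags survive, which is the efficiency argument for
# this event over mime_entity_data.
event mime_segment_data(c: connection, length: count, data: string)
    {
    if ( c$uid !in entities )
        return;

    local st = entities[c$uid];

    if ( st$first_segment )
        {
        st$first_segment = F;
        # The magic check needs only the first two bytes of the first chunk.
        if ( length >= 2 && sub_bytes(data, 1, 2) == "MZ" )
            st$exec_magic = T;
        }

    st$seen_bytes += length;
    }

# Returns a short verdict for a finished entity, or an empty string if there
# is nothing to report; kept separate from the handler so it can be tested.
function verdict(st: EntityState): string
    {
    if ( st$exec_magic )
        return fmt("executable payload (%d bytes, Content-Type %s)",
                   st$seen_bytes, st$content_type);
    if ( st$seen_bytes > large_entity_bytes )
        return fmt("large entity (%d bytes, Content-Type %s)",
                   st$seen_bytes, st$content_type);
    return "";
    }

event mime_end_entity(c: connection)
    {
    if ( c$uid !in entities )
        return;

    local v = verdict(entities[c$uid]);
    if ( v != "" )
        print fmt("%s -> %s: %s", c$id$orig_h, c$id$resp_h, v);

    delete entities[c$uid];
    }

# Entities cut off by a closing connection never see mime_end_entity.
event connection_state_remove(c: connection)
    {
    delete entities[c$uid];
    }
```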
##
## data: The raw data of all MIME entities concatenated.
##
## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
##    mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
##    sessions, there's no corresponding event for that currently.
event mime_all_data%(c: connection, length: count, data: string%);

## Generated for errors found when decoding email MIME entities.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## `__ for more information about the MIME
## format.
##
## c: The connection.
##
## event_type: A string describing the general category of the problem found (e.g.,
## ``illegal format``).
##
## detail: A more detailed description of the error.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
##    mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
##
## .. note:: Bro also decodes MIME entities from HTTP sessions. For errors found
##    there, however, it raises :bro:id:`http_event` instead.
event mime_event%(c: connection, event_type: string, detail: string%);

## Generated for decoded MIME entities extracted from email messages, passing on
## their MD5 checksums. Bro computes the MD5 over the complete decoded data of
## each MIME entity.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia
## `__ for more information about the MIME
## format.
##
## c: The connection.
##
## content_len: The length of the entity being hashed.
##
## hash_value: The MD5 hash.
##
## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
##    mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
##    sessions, there's no corresponding event for that currently.
event mime_content_hash%(c: connection, content_len: count, hash_value: string%);

## Generated for RPC request/reply *pairs*. The RPC analyzer associates request
## and reply by their transaction identifiers and raises this event once both
## have been seen. If there's no reply, the event will still be generated eventually
## on timeout. In that case, *status* will be set to :bro:enum:`RPC_TIMEOUT`.
##
## See `Wikipedia `__ for more information
## about the ONC RPC protocol.
##
## c: The connection.
##
## prog: The remote program to call.
##
## ver: The version of the remote program to call.
##
## proc: The procedure of the remote program to call.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## start_time: The time when the *call* was seen.
##
## call_len: The size of the *call_body* PDU.
##
## reply_len: The size of the *reply_body* PDU.
##
## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
##    dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);

## Generated for RPC *call* messages.
##
## See `Wikipedia `__ for more information
## about the ONC RPC protocol.
##
## c: The connection.
##
## xid: The transaction identifier allowing to match requests with replies.
##
## prog: The remote program to call.
##
## ver: The version of the remote program to call.
##
## proc: The procedure of the remote program to call.
##
## call_len: The size of the *call_body* PDU.
##
## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
##    dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);

## Generated for RPC *reply* messages.
##
## See `Wikipedia `__ for more information
## about the ONC RPC protocol.
##
## c: The connection.
##
## xid: The transaction identifier allowing to match requests with replies.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## reply_len: The size of the *reply_body* PDU.
##
## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request
##    dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);

## Generated for Portmapper requests of type *null*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the service.
##
## r: The RPC connection.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
##    pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call
##    rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_null%(r: connection%);

## Generated for Portmapper request/reply dialogues of type *set*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the service.
##
## r: The RPC connection.
##
## m: The argument to the request.
##
## success: True if the request was successful, according to the corresponding
## reply. If no reply was seen, this will be false once the request times out.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
##    pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call
##    rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_set%(r: connection, m: pm_mapping, success: bool%);

## Generated for Portmapper request/reply dialogues of type *unset*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the service.
##
## r: The RPC connection.
##
## m: The argument to the request.
##
## success: True if the request was successful, according to the corresponding
## reply. If no reply was seen, this will be false once the request times out.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
##    pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call
##    rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);

## Generated for Portmapper request/reply dialogues of type *getport*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the service.
##
## r: The RPC connection.
##
## pr: The argument to the request.
##
## p: The port returned by the server.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
##    pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call
##    rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);

## Generated for Portmapper request/reply dialogues of type *dump*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the service.
##
## r: The RPC connection.
##
## m: The mappings returned by the server.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit
##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
##    rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_dump%(r: connection, m: pm_mappings%);

## Generated for Portmapper request/reply dialogues of type *callit*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the
## service.
##
## r: The RPC connection.
##
## call: The argument to the request.
##
## p: The port value returned by the call.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump
##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
##    rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);

## Generated for failed Portmapper requests of type *null*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
##    pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
##    rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_attempt_null%(r: connection, status: rpc_status%);

## Generated for failed Portmapper requests of type *set*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
##
## m: The argument to the original request.
##
## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
##    pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
##    pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
##    rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);

## Generated for failed Portmapper requests of type *unset*.
##
## Portmapper is a service running on top of RPC. See `Wikipedia
## `__ for more information about the
## service.
##
## r: The RPC connection.
##
## status: The status of the reply, which should be one of the index values of
## :bro:id:`RPC_status`.
## ## m: The argument to the original request. ## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump ## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## Generated for failed Portmapper requests of type *getport*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia ## `__ for more information about the ## service. ## ## r: The RPC connection. ## ## status: The status of the reply, which should be one of the index values of ## :bro:id:`RPC_status`. ## ## pr: The argument to the original request. ## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null ## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump ## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); ## Generated for failed Portmapper requests of type *dump*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia ## `__ for more information about the ## service. ## ## r: The RPC connection. 
## ## status: The status of the reply, which should be one of the index values of ## :bro:id:`RPC_status`. ## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null ## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump ## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pm_attempt_dump%(r: connection, status: rpc_status%); ## Generated for failed Portmapper requests of type *callit*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia ## `__ for more information about the ## service. ## ## r: The RPC connection. ## ## status: The status of the reply, which should be one of the index values of ## :bro:id:`RPC_status`. ## ## call: The argument to the original request. ## ## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null ## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump ## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); ## Generated for Portmapper requests or replies that include an invalid port ## number. 
Since ports are represented by unsigned 4-byte integers, they can stray ## outside the allowed range of 0--65535 by being >= 65536. If so, this event is ## generated. ## ## Portmapper is a service running on top of RPC. See `Wikipedia ## `__ for more information about the ## service. ## ## r: The RPC connection. ## ## bad_p: The invalid port value. ## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit ## pm_request_dump pm_request_getport pm_request_null pm_request_set ## pm_request_unset rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pm_bad_port%(r: connection, bad_p: count%); ## Generated for NFSv3 request/reply dialogues of type *null*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## attr: The attributes returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply NFS3::mode2string ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## req: The arguments passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *read*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## req: The arguments passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir ## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply ## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## fh: The file handle passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *write*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## fh: The file handle passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call ## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only ## NFS3::return_data_max ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *create*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## fh: The file handle passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## fh: The file handle passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *remove*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## fh: The file handle passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## fh: The file handle passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is ## generated once we have either seen both the request and its corresponding reply, ## or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## fh: The file handle passed in the request. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%); ## Generated for NFS3 request/reply dialogues of a type that Bro's NFS3 analyzer ## does not implement. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more ## information about the service. ## ## c: The RPC connection. ## ## info: Reports the status of the dialogue, along with some meta information. ## ## proc: The procedure called that Bro does not implement. ## ## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove ## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%); ## Generated for each NFS3 reply message received, reporting just the ## status included. ## ## info: Reports the status included in the reply. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call ## rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_reply_status%(n: connection, info: NFS3::info_t%); ## Generated for all NTP messages. Different from many other of Bro's events, this ## one is generated for both client-side and server-side messages. ## ## See `Wikipedia `__ for more ## information about the NTP protocol. ## ## u: The connection record describing the corresponding UDP flow. ## ## msg: The parsed NTP message. ## ## excess: The raw bytes of any optional parts of the NTP packet. Bro does not ## further parse any optional fields. ## ## .. bro:see:: ntp_session_timeout ## ## .. 
todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event ntp_message%(u: connection, msg: ntp_msg, excess: string%); ## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer processes ## the NetBIOS session service running on TCP port 139, and (despite its name!) the ## NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## ## c: The connection, which may be a TCP or UDP, depending on the type of the ## NetBIOS session. ## ## is_orig: True if the message was sent by the originator of the connection. ## ## msg_type: The general type of message, as defined in Section 4.3.1 of `RFC 1002 ## `__. ## ## data_len: The length of the message's payload. ## ## .. bro:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_raw_message netbios_session_rejected netbios_session_request ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for ## `SMB/CIFS `__. Bro's SMB ## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%); ## Generated for NetBIOS messages of type *session request*. 
Bro's NetBIOS analyzer ## processes the NetBIOS session service running on TCP port 139, and (despite its ## name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## ## c: The connection, which may be a TCP or UDP, depending on the type of the ## NetBIOS session. ## ## msg: The raw payload of the message sent, excluding the common NetBIOS ## header. ## ## .. bro:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_message netbios_session_raw_message netbios_session_rejected ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for ## `SMB/CIFS `__. Bro's SMB ## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event netbios_session_request%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *positive session response*. Bro's ## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, ## and (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## ## c: The connection, which may be a TCP or UDP, depending on the type of the ## NetBIOS session. ## ## msg: The raw payload of the message sent, excluding the common NetBIOS ## header. ## ## .. 
bro:see:: netbios_session_keepalive netbios_session_message
##    netbios_session_raw_message netbios_session_rejected netbios_session_request
##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
##    `SMB/CIFS `__. Bro's SMB
##    analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_accepted%(c: connection, msg: string%);

## Generated for NetBIOS messages of type *negative session response*. Bro's
## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139,
## and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia `__ for more information
## about NetBIOS. `RFC 1002 `__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
##    netbios_session_message netbios_session_raw_message netbios_session_request
##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
##    `SMB/CIFS `__. Bro's SMB
##    analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_rejected%(c: connection, msg: string%);

## Generated for NetBIOS messages of type *session message* that are not carrying
## SMB payload.
##
## Bro's NetBIOS analyzer processes the NetBIOS session service running on TCP
## port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia `__ for more information
## about NetBIOS. `RFC 1002 `__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS
## header (i.e., the ``user_data``).
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
##    netbios_session_message netbios_session_rejected netbios_session_request
##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
##    `SMB/CIFS `__. Bro's SMB
##    analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: This is an oddly named event. In fact, it's probably an odd event to
##    have to begin with.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);

## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
## analyzer processes the NetBIOS session service running on TCP port 139, and
## (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia `__ for more information
## about NetBIOS. `RFC 1002 `__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS header.
##
## .. bro:see:: netbios_session_accepted netbios_session_keepalive
##    netbios_session_message netbios_session_raw_message netbios_session_rejected
##    netbios_session_request decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
##    `SMB/CIFS `__. Bro's SMB
##    analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: This is an oddly named event.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_ret_arg_resp%(c: connection, msg: string%);

## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
## processes the NetBIOS session service running on TCP port 139, and (despite its
## name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia `__ for more information
## about NetBIOS. `RFC 1002 `__ describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
##
## msg: The raw payload of the message sent, excluding the common NetBIOS header.
##
## .. bro:see:: netbios_session_accepted netbios_session_message
##    netbios_session_raw_message netbios_session_rejected netbios_session_request
##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
##    `SMB/CIFS `__. Bro's SMB
##    analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event netbios_session_keepalive%(c: connection, msg: string%);

## Generated for all SMB/CIFS messages.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## is_orig: True if the message was sent by the originator of the underlying
## transport-level connection.
##
## cmd: A string mnemonic of the SMB command code.
##
## body_length: The length of the SMB message body, i.e., the data starting after
## the SMB header.
##
## body: The raw SMB message body, i.e., the data starting after the SMB header.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
##    smb_get_dfs_referral
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);

## Generated for SMB/CIFS messages of type *tree connect andx*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## path: The ``path`` attribute specified in the message.
##
## service: The ``service`` attribute specified in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);

## Generated for SMB/CIFS messages of type *tree disconnect*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## path: The ``path`` attribute specified in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
##    smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);

## Generated for SMB/CIFS messages of type *nt create andx*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## name: The ``name`` attribute specified in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);

## Generated for SMB/CIFS messages of type *nt transaction*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
##    smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);

## Generated for SMB/CIFS messages of type *nt transaction 2*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
##    smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);

## Generated for SMB/CIFS messages of type *transaction mailslot*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap
##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);

## Generated for SMB/CIFS messages of type *transaction rap*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
##    smb_com_trans_pipe smb_com_transaction smb_com_transaction2
##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
##    smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);

## Generated for SMB/CIFS messages of type *transaction pipe*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## trans: The parsed transaction header.
##
## data: The raw transaction data.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap
##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);

## Generated for SMB/CIFS messages of type *read andx*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## data: Always empty.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
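Before the next declaration, here is an added Bro 2.x script (example code, not part of Bro's event.bif or its shipped policy scripts) that ties together the SMB events documented so far: it activates the SMB analyzer through the :bro:see:`dpd_config` entry that the todo notes call for, and handles `smb_com_tree_connect_andx` to raise a notice when one client reaches an unusually large number of distinct shares, a pattern worth a look during lateral-movement triage. The analyzer tag `ANALYZER_SMB`, the thresholds, and the notice name are assumptions of this example, not values from the file above.

```bro
# Added example, not part of Bro's event.bif. Requires the Bro 2.x notice
# framework; every threshold below is an illustrative assumption.

@load base/frameworks/notice

module SMBShares;

export {
	redef enum Notice::Type += {
		## One client connected to more distinct shares (responder + path)
		## than share_threshold before its share set expired.
		Share_Sweep
	};

	## Distinct shares a single client may touch before a notice is raised.
	const share_threshold = 25 &redef;

	## Idle time after which a client's share set is forgotten.
	const share_window = 10min &redef;
}

# Assumption: ANALYZER_SMB is the analyzer tag for the SMB analyzer; the todo
# entries above only state that a dpd_config entry (or a DPD signature) is
# needed. Ports 139/tcp and 445/tcp are the ones the documentation lists.
redef dpd_config += { [ANALYZER_SMB] = [$ports = set(139/tcp, 445/tcp)] };

# Shares seen per client, keyed by "responder|path" so the same share name on
# two different servers counts twice.
global shares_per_client: table[addr] of set[string] &create_expire=share_window;

event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)
	{
	local client = c$id$orig_h;

	if ( client !in shares_per_client )
		shares_per_client[client] = set();

	local key = fmt("%s|%s", c$id$resp_h, path);
	if ( key in shares_per_client[client] )
		return;

	add shares_per_client[client][key];

	# Fire exactly once per window, when the threshold is first reached.
	if ( |shares_per_client[client]| == share_threshold )
		NOTICE([$note=Share_Sweep,
		        $conn=c,
		        $msg=fmt("%s connected to %d distinct SMB shares within %s (last: %s, service %s)",
		                 client, share_threshold, share_window, path, service),
		        $sub=path,
		        $identifier=cat(client)]);
	}
```

Keying on the connection originator is correct here because `smb_com_tree_connect_andx` is a client-sent request; the `$identifier` lets the notice framework suppress repeats for the same client with its default suppression interval.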
event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);

## Generated for SMB/CIFS messages of type *write andx*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## data: Always empty.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_error
##    smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);

## Generated for SMB/CIFS messages of type *get dfs referral*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## max_referral_level: The ``max_referral_level`` attribute specified in the
## message.
##
## file_name: The ``file_name`` attribute specified in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);

## Generated for SMB/CIFS messages of type *negotiate*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
##    smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
##    smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
##    smb_com_write_andx smb_error smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_negotiate%(c: connection, hdr: smb_hdr%);

## Generated for SMB/CIFS messages of type *negotiate response*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## dialect_index: The ``dialect`` indicated in the message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
##    smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
##    smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
##    smb_com_write_andx smb_error smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);

## Generated for SMB/CIFS messages of type *setup andx*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);

## Generated for SMB/CIFS messages of type *generic andx*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate
##    smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);

## Generated for SMB/CIFS messages of type *close*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate
##    smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_close%(c: connection, hdr: smb_hdr%);

## Generated for SMB/CIFS messages of type *logoff andx*.
##
## See `Wikipedia `__ for more
## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both
## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate
##    smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
##    smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
##    smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
##    smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
##    smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);

## Generated for SMB/CIFS messages that indicate an error. This event is triggered
## by an SMB header including a status that signals an error.
##
## c: The connection.
##
## hdr: The parsed header of the SMB message.
##
## cmd: The SMB command code.
##
## cmd_str: A string mnemonic of the SMB command code.
##
## data: The raw SMB message body, i.e., the data starting after the SMB header.
##
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
##    smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
##    smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
##    smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
##    smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx
##    smb_get_dfs_referral smb_message
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%);

## Generated for all DNS messages.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## msg: The parsed DNS message header.
##
## len: The length of the message's raw representation (i.e., the DNS payload).
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
##    dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns";

## Generated for DNS requests. For requests with multiple queries, this event
## is raised once for each.
## ## See `Wikipedia `__ for more ## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. ## ## msg: The parsed DNS message header. ## ## query: The queried name. ## ## qtype: The queried resource record type. ## ## qclass: The queried resource record class. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; ## Generated for DNS replies that reject a query. This event is raised if a DNS ## reply either indicates failure via its status code or does not pass on any ## answers to a query. Note that all of the event's paramaters are parsed out of ## the reply; there's no stateful correlation with the query. ## ## See `Wikipedia `__ for more ## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. ## ## msg: The parsed DNS message header. ## ## query: The queried name. ## ## qtype: The queried resource record type. ## ## qclass: The queried resource record class. ## ## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; ## Generated for DNS replies with an *ok* status code but no question section. ## ## See `Wikipedia `__ for more ## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. ## ## msg: The parsed DNS message header. ## ## query: The queried name. ## ## qtype: The queried resource record type. ## ## qclass: The queried resource record class. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name ## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected ## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_query_reply%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; ## Generated when the DNS analyzer processes what seems to be a non-DNS packets. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. ## ## msg: The raw DNS payload. ## ## .. 
note:: This event is deprecated and superseded by Bro's dynamic protocol ## detection framework. event non_dns_request%(c: connection, msg: string%) &group="dns"; ## Generated for DNS replies of type *A*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more ## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. ## ## msg: The parsed DNS message header. ## ## ans: The type-independent part of the parsed answer record. ## ## a: The address returned by the reply. ## ## .. bro:see:: dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply ## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth ## ## .. note: This event is currently also raised for ``AAAA`` records. In that ## case, the address *a* will correspond to the lower-order 4 bytes of the ## IPv6 address. This will go away once IPv6 support is improved. ## ## .. todo: IPv6 handling is obviously very broken here ... event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; ## Generated for DNS replies of type *AAAA*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more ## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. 
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
##
## .. todo:: Raising this event is not implemented currently, not even when
## Bro is compiled with IPv6 support. ``AAAA`` records are currently always
## turned into :bro:id:`dns_A_reply` events.
event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr, astr: string%) &group="dns";

## Generated for DNS replies of type *NS*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";

## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";

## Generated for DNS replies of type *PTR*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";

## Generated for DNS replies of type *SOA*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## soa: The parsed SOA value.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns";

## Generated for DNS replies of type *WKS*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";

## Generated for DNS replies of type *HINFO*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";

## Generated for DNS replies of type *MX*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## preference: The preference for *name* specified by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns";

## Generated for DNS replies of type *TXT*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## str: The textual information returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns";

## Generated for DNS replies of type *SRV*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";

## Generated for DNS replies of type *EDNS*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The parsed EDNS reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns";

## Generated for DNS replies of type *TSIG*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The parsed TSIG reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns";

## Generated at the end of processing a DNS packet. This event is the last
## ``dns_*`` event that will be raised for a DNS query/reply and signals that
## all resource records have been passed on.
##
## See `Wikipedia `__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_end%(c: connection, msg: dns_msg%) &group="dns";

## Generated for DHCP messages of type *discover*.
##
## See `Wikipedia
## `__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## req_addr: The specific address requested by the client.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);

## Generated for DHCP messages of type *offer*.
##
## See `Wikipedia
## `__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## mask: The subnet mask specified by the message.
##
## router: The list of routers specified by the message.
##
## lease: The lease interval specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);

## Generated for DHCP messages of type *request*.
##
## See `Wikipedia
## `__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## req_addr: The client address specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);

## Generated for DHCP messages of type *decline*.
##
## See `Wikipedia
## `__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_decline%(c: connection, msg: dhcp_msg%);

## Generated for DHCP messages of type *acknowledgment*.
##
## See `Wikipedia
## `__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## mask: The subnet mask specified by the message.
##
## router: The list of routers specified by the message.
##
## lease: The lease interval specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);

## Generated for DHCP messages of type *negative acknowledgment*.
##
## See `Wikipedia
## `__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_nak%(c: connection, msg: dhcp_msg%);

## Generated for DHCP messages of type *release*.
##
## See `Wikipedia
## `__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_release%(c: connection, msg: dhcp_msg%);

## Generated for DHCP messages of type *inform*.
##
## See `Wikipedia
## `__ for more
## information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP protocol).
## It treats broadcast addresses just like any other and associates packets into
## transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dhcp_inform%(c: connection, msg: dhcp_msg%);

## Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions
## and raises corresponding events as it parses client/server dialogues. This event
## is generated as soon as a request's initial line has been parsed, and before any
## :bro:id:`http_header` events are raised.
##
## See `Wikipedia `__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``).
##
## original_URI: The unprocessed URI as specified in the request.
##
## unescaped_URI: The URI with all percent-encodings decoded.
##
## version: The version number specified in the request (e.g., ``1.1``).
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_reply http_stats
## truncate_http_URI
event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request";

## Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions
## and raises corresponding events as it parses client/server dialogues. This event
## is generated as soon as a reply's initial line has been parsed, and before any
## :bro:id:`http_header` events are raised.
##
## See `Wikipedia `__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## version: The version number specified in the reply (e.g., ``1.1``).
##
## code: The numerical response code returned by the server.
##
## reason: The textual description returned by the server along with *code*.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
## http_entity_data http_event http_header http_message_done http_request
## http_stats
event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply";

## Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions
## and raises corresponding events as it parses client/server dialogues.
##
## See `Wikipedia `__ for
## more information about the HTTP protocol.
## ## c: The connection. ## ## is_orig: True if the header was sent by the originator of the TCP connection. ## ## name: The name of the header. ## ## value: The value of the header. ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_message_done http_reply http_request ## http_stats ## ## .. note:: This event is also raised for headers found in nested body entities. event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; ## Generated for HTTP headers, passing on all headers of an HTTP message at once. ## Bro supports persistent and pipelined HTTP sessions and raises corresponding ## events as it parses client/server dialogues. ## ## See `Wikipedia `__ for ## more information about the HTTP protocol. ## ## c: The connection. ## ## is_orig: True if the header was sent by the originator of the TCP connection. ## ## hlist: A *table* containing all headers extracted from the current entity. ## The table is indexed by the position of the header (1 for the first, 2 for the ## second, etc.). ## ## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats ## ## .. note:: This event is also raised for headers found in nested body entities. event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; ## Generated when starting to parse an HTTP body entity. This event is generated ## at least once for each non-empty (client or server) HTTP body; and potentially ## more than once if the body contains further nested MIME entities. Bro raises ## this event just before it starts parsing each entity's content. ## ## See `Wikipedia `__ for ## more information about the HTTP protocol. ## ## c: The connection. ## ## is_orig: True if the entity was was sent by the originator of the TCP ## connection. ## ## .. 
bro:see:: http_all_headers http_content_type http_end_entity http_entity_data
##    http_event http_header http_message_done http_reply http_request http_stats
##    mime_begin_entity
event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body";

## Generated when finishing parsing an HTTP body entity. This event is generated
## at least once for each non-empty (client or server) HTTP body; and potentially
## more than once if the body contains further nested MIME entities. Bro raises
## this event at the point when it has finished parsing an entity's content.
##
## See `Wikipedia `__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
##          connection.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
##    http_event http_header http_message_done http_reply http_request
##    http_stats mime_end_entity
event http_end_entity%(c: connection, is_orig: bool%) &group="http-body";

## Generated when parsing an HTTP body entity, passing on the data. This event
## can potentially be raised many times for each entity, each time passing a
## chunk of the data of not further defined size.
##
## A common idiom for using this event is to first *reassemble* the data
## at the scripting layer by concatenating it to a successively growing
## string; and only perform further content analysis once the corresponding
## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so
## can be quite expensive for large HTTP transfers. At the very least, one should
## impose an upper size limit on how much data is being buffered.
##
## See `Wikipedia `__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
##          connection.
##
## length: The length of *data*.
##
## data: One chunk of raw entity data.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
##    http_event http_header http_message_done http_reply http_request http_stats
##    mime_entity_data http_entity_data_delivery_size skip_http_data
event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body";

## Generated for reporting an HTTP body's content type. This event is
## generated at the end of parsing an HTTP header, passing on the MIME
## type as specified by the ``Content-Type`` header. If that header is
## missing, this event is still raised with a default value of ``text/plain``.
##
## See `Wikipedia `__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
##          connection.
##
## ty: The main type.
##
## subty: The subtype.
##
## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
##    http_event http_header http_message_done http_reply http_request http_stats
##
## .. note:: This event is also raised for headers found in nested body
##    entities.
event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body";

## Generated once at the end of parsing an HTTP message. Bro supports persistent
## and pipelined HTTP sessions and raises corresponding events as it parses
## client/server dialogues. A "message" is one top-level HTTP entity, such as a
## complete request or reply. Each message can have further nested sub-entities
## inside. This event is raised once all sub-entities belonging to a top-level
## message have been processed (and their corresponding ``http_entity_*`` events
## generated).
##
## See `Wikipedia `__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## is_orig: True if the entity was sent by the originator of the TCP
##          connection.
##
## stat: Further meta information about the message.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
##    http_entity_data http_event http_header http_reply http_request http_stats
event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body";

## Generated for errors found when decoding HTTP requests or replies.
##
## See `Wikipedia `__ for
## more information about the HTTP protocol.
##
## c: The connection.
##
## event_type: A string describing the general category of the problem found (e.g.,
##             ``illegal format``).
##
## detail: A more detailed description of the error.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
##    http_entity_data http_header http_message_done http_reply http_request
##    http_stats mime_event
event http_event%(c: connection, event_type: string, detail: string%);

## Generated at the end of an HTTP session to report statistics about it. This
## event is raised after all of an HTTP session's requests and replies have been
## fully processed.
##
## c: The connection.
##
## stats: Statistics summarizing HTTP-level properties of the finished connection.
##
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
##    http_entity_data http_event http_header http_message_done http_reply
##    http_request
event http_stats%(c: connection, stats: http_stats_rec%);

## Generated when seeing an SSH client's version identification. The SSH protocol
## starts with a clear-text handshake message that reports client and server
## protocol/software versions. This event provides access to what the client
## sent.
##
## See `Wikipedia `__ for more
## information about the SSH protocol.
##
## c: The connection.
##
## version: The version string the client sent (e.g., ``SSH-2.0-libssh-0.11``).
##
## .. bro:see:: ssh_server_version
##
## .. note:: As everything after the initial version handshake proceeds encrypted,
##    Bro cannot further analyze SSH sessions.
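The reassembly idiom described under ``http_entity_data`` above, as an added example that is not part of the Bro sources: it buffers each entity per connection and direction, stops buffering once a constructed size limit is reached, and only inspects complete bodies from ``http_end_entity``. The module name, ``max_entity_bytes`` and the MZ-header check are assumptions of this example.

```bro
# Added example, not part of Bro: bounded reassembly of HTTP body entities.
# Assumes Bro 2.x script syntax; every name below is this example's own.

module HTTP_Reassembly;

export {
    ## Upper bound on bytes buffered per entity (constructed value).
    const max_entity_bytes: count = 1048576 &redef;
}

# Buffer state for one entity, kept separately for each direction.
type EntityState: record {
    buf:       string &default="";
    size:      count  &default=0;
    truncated: bool   &default=F;
    ty:        string &default="";
    subty:     string &default="";
};

global entities: table[conn_id, bool] of EntityState &write_expire=5min;

function conn_str(c: connection): string
    {
    return fmt("%s:%s -> %s:%s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    }

event http_begin_entity(c: connection, is_orig: bool)
    {
    # A new entity always starts with an empty buffer; the other record
    # fields take their defaults.
    entities[c$id, is_orig] = [$buf=""];
    }

event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
    {
    # Raised at the end of the entity's headers, so the state already exists.
    if ( [c$id, is_orig] !in entities )
        return;

    entities[c$id, is_orig]$ty = ty;
    entities[c$id, is_orig]$subty = subty;
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( [c$id, is_orig] !in entities )
        return;

    # Enforce the size limit before appending, and remember that we gave up
    # so the end-of-entity handler does not analyze a partial body.
    if ( entities[c$id, is_orig]$size + length > max_entity_bytes )
        {
        entities[c$id, is_orig]$truncated = T;
        return;
        }

    entities[c$id, is_orig]$buf = entities[c$id, is_orig]$buf + data;
    entities[c$id, is_orig]$size += length;
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( [c$id, is_orig] !in entities )
        return;

    local st = entities[c$id, is_orig];
    delete entities[c$id, is_orig];

    if ( st$truncated )
        {
        print fmt("%s: %s/%s entity exceeded %d bytes, not analyzed",
                  conn_str(c), st$ty, st$subty, max_entity_bytes);
        return;
        }

    # Constructed check on the complete body: a PE executable delivered with
    # a text content type is worth reporting.
    if ( /^MZ/ in st$buf && st$ty == "text" )
        print fmt("%s: %s/%s body of %d bytes starts with an MZ header",
                  conn_str(c), st$ty, st$subty, st$size);
    }

event connection_state_remove(c: connection)
    {
    # Drop buffers of entities that never completed.
    delete entities[c$id, T];
    delete entities[c$id, F];
    }
```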
event ssh_client_version%(c: connection, version: string%);

## Generated when seeing an SSH server's version identification. The SSH protocol
## starts with a clear-text handshake message that reports client and server
## protocol/software versions. This event provides access to what the server
## sent.
##
## See `Wikipedia `__ for more
## information about the SSH protocol.
##
## c: The connection.
##
## version: The version string the server sent (e.g.,
##          ``SSH-1.99-OpenSSH_3.9p1``).
##
## .. bro:see:: ssh_client_version
##
## .. note:: As everything coming after the initial version handshake proceeds
##    encrypted, Bro cannot further analyze SSH sessions.
event ssh_server_version%(c: connection, version: string%);

## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out
## of that as it can. This event provides access to the initial information sent by
## the client.
##
## See `Wikipedia `__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## version: The protocol version as extracted from the client's
##          message. The values are standardized as part of the SSL/TLS protocol. The
##          :bro:id:`SSL::version_strings` table maps them to descriptive names.
##
## possible_ts: The current time as sent by the client. Note that SSL/TLS does not
##              require clocks to be set correctly, so treat with care.
##
## session_id: The session ID sent by the client (if any).
##
## ciphers: The list of ciphers the client offered to use. The values are
##          standardized as part of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table
##          maps them to descriptive names.
##
## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
##    ssl_max_cipherspec_size
event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%);

## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out
## of that as it can. This event provides access to the initial information sent by
## the server.
##
## See `Wikipedia `__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## version: The protocol version as extracted from the server's message.
##          The values are standardized as part of the SSL/TLS protocol. The
##          :bro:id:`SSL::version_strings` table maps them to descriptive names.
##
## possible_ts: The current time as sent by the server. Note that SSL/TLS does not
##              require clocks to be set correctly, so treat with care.
##
## session_id: The session ID as sent back by the server (if any).
##
## cipher: The cipher chosen by the server. The values are standardized as part
##         of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps them to
##         descriptive names.
##
## comp_method: The compression method chosen by the client. The values are
##              standardized as part of the SSL/TLS protocol.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
##    ssl_max_cipherspec_size
event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);

## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out of
## that as it can. This event provides access to any extensions either side sends
## as part of an extended *hello* message.
##
## c: The connection.
##
## is_orig: True if the event is raised for the originator side of the connection.
##
## code: The numerical code of the extension. The values are standardized as
##       part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps them to
##       descriptive names.
##
## val: The raw extension value that was sent in the message.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);

## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
## an unencrypted handshake, and Bro extracts as much information out of that as
## it can. This event signals the time when an SSL/TLS session has finished the
## handshake and its endpoints consider it as fully established. Typically,
## everything from now on will be encrypted.
##
## See `Wikipedia `__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello
##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
event ssl_established%(c: connection%);

## Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted
## handshake, and Bro extracts as much information out of that as it can. If during
## that handshake an endpoint encounters a fatal error, it sends an *alert*
## record, which in turn triggers this event. After an *alert*, any endpoint
## may close the connection immediately.
##
## See `Wikipedia `__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## is_orig: True if the event is raised for the originator side of the connection.
##
## level: The severity level, as sent in the *alert*. The values are defined as
##        part of the SSL/TLS protocol.
##
## desc: A numerical value identifying the cause of the *alert*. The values are
##       defined as part of the SSL/TLS protocol.
##
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);

## Generated for SSL/TLS handshake messages that are a part of the stateless-server
## session resumption mechanism. SSL/TLS sessions start with an unencrypted
## handshake, and Bro extracts as much information out of that as it can. This
## event is raised when an SSL/TLS server passes a session ticket to the client that
## can later be used for resuming the session. The mechanism is described in
## :rfc:`4507`.
##
## See `Wikipedia `__ for
## more information about the SSL/TLS protocol.
##
## c: The connection.
##
## ticket_lifetime_hint: A hint from the server about how long the ticket
##                       should be stored by the client.
##
## ticket: The raw ticket data.
##
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
##    x509_certificate x509_error x509_extension ssl_alert
event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);

## Generated for X.509 certificates seen in SSL/TLS connections. During the initial
## SSL/TLS handshake, certificates are exchanged in the clear. Bro raises this
## event for each certificate seen (including both a site's primary cert, and
## further certs sent as part of the validation chain).
##
## See `Wikipedia `__ for more information about
## the X.509 format.
##
## c: The connection.
##
## is_orig: True if the event is raised for the originator side of the connection.
##
## cert: The parsed certificate.
##
## chain_idx: The index in the validation chain that this cert has. Index zero
##            indicates an endpoint's primary cert, while higher indices
##            indicate the place in the validation chain (which has length
##            *chain_len*).
##
## chain_len: The total length of the validation chain that this cert is part
##            of.
##
## der_cert: The complete cert encoded in `DER
##           `__ format.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
##    ssl_server_hello x509_error x509_extension x509_verify
event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%);

## Generated for X.509 extensions seen in a certificate.
##
## See `Wikipedia `__ for more information about
## the X.509 format.
##
## c: The connection.
##
## is_orig: True if the event is raised for the originator side of the connection.
##
## data: The raw data associated with the extension.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
##    ssl_server_hello x509_certificate x509_error x509_verify
event x509_extension%(c: connection, is_orig: bool, data: string%);

## Generated when errors occur during parsing an X.509 certificate.
##
## See `Wikipedia `__ for more information about
## the X.509 format.
##
## c: The connection.
##
## is_orig: True if the event is raised for the originator side of the connection.
##
## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` maps
##      error codes to a textual description.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
##    ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify
event x509_error%(c: connection, is_orig: bool, err: count%);

## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
##    dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
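As an added example (not part of the Bro sources) tying the SSL/TLS and X.509 events above together: it records the clear-text part of each handshake per connection, names versions and ciphers through ``SSL::version_strings`` and ``SSL::cipher_desc``, and reports obsolete versions, negotiated compression, fatal alerts and expired chain entries once ``ssl_established`` fires. The module name, the ``weak_versions`` list and the ``X509`` record fields ``subject`` and ``not_valid_after`` are assumptions of this example.

```bro
# Added example, not part of Bro: watch the unencrypted SSL/TLS handshake.
# Assumes Bro 2.x script syntax and that X509 carries subject/not_valid_after.

@load base/protocols/ssl

module TLS_Watch;

export {
    ## Wire-format version codes treated as obsolete (constructed list:
    ## 2 is SSLv2, 768 = 0x0300 is SSLv3).
    const weak_versions: set[count] = { 2, 768 } &redef;
}

# Everything this example keeps from one handshake.
type Handshake: record {
    client_version: count  &default=0;
    server_version: count  &default=0;
    cipher:         count  &default=0;
    comp_method:    count  &default=0;
    leaf_subject:   string &default="";
    certs_seen:     count  &default=0;
};

global handshakes: table[conn_id] of Handshake &write_expire=10min;

function conn_str(c: connection): string
    {
    return fmt("%s:%s -> %s:%s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    }

# Records are reference types, so callers can update what this returns.
function hs(c: connection): Handshake
    {
    if ( c$id !in handshakes )
        handshakes[c$id] = [$client_version=0];
    return handshakes[c$id];
    }

function version_name(v: count): string
    {
    return v in SSL::version_strings ? SSL::version_strings[v] : fmt("unknown (%d)", v);
    }

function cipher_name(cs: count): string
    {
    return cs in SSL::cipher_desc ? SSL::cipher_desc[cs] : fmt("unknown (0x%x)", cs);
    }

event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       session_id: string, ciphers: count_set)
    {
    local st = hs(c);
    st$client_version = version;
    }

event ssl_server_hello(c: connection, version: count, possible_ts: time,
                       session_id: string, cipher: count, comp_method: count)
    {
    local st = hs(c);
    st$server_version = version;
    st$cipher = cipher;
    st$comp_method = comp_method;
    }

event x509_certificate(c: connection, is_orig: bool, cert: X509,
                       chain_idx: count, chain_len: count, der_cert: string)
    {
    local st = hs(c);
    ++st$certs_seen;

    # Index zero is the endpoint's own certificate; higher indices are the
    # chain sent for validation, so only the leaf's subject is kept.
    if ( chain_idx == 0 )
        st$leaf_subject = cert$subject;

    if ( cert$not_valid_after < network_time() )
        print fmt("%s: expired certificate at chain index %d of %d: %s",
                  conn_str(c), chain_idx, chain_len, cert$subject);
    }

event ssl_alert(c: connection, is_orig: bool, level: count, desc: count)
    {
    # Level 2 is "fatal" in the protocol; the sender may close right after.
    if ( level == 2 )
        print fmt("%s: fatal alert %d from the %s", conn_str(c), desc,
                  is_orig ? "client" : "server");
    }

event ssl_established(c: connection)
    {
    if ( c$id !in handshakes )
        return;

    local st = handshakes[c$id];
    delete handshakes[c$id];

    if ( st$server_version in weak_versions )
        print fmt("%s: obsolete protocol version %s negotiated",
                  conn_str(c), version_name(st$server_version));

    # A non-zero method means the session is compressed, which exposes it
    # to compression-based side channels.
    if ( st$comp_method != 0 )
        print fmt("%s: compression method %d negotiated", conn_str(c), st$comp_method);

    # Resumed sessions carry no certificate; say so instead of guessing.
    if ( st$certs_seen == 0 )
        print fmt("%s: established without a certificate (resumed session?)", conn_str(c));

    print fmt("%s: %s, %s, server cert '%s'", conn_str(c),
              version_name(st$server_version), cipher_name(st$cipher), st$leaf_subject);
    }
```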
event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%);

## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request
##    dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dce_rpc_bind%(c: connection, uuid: string%);

## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
##    dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dce_rpc_request%(c: connection, opnum: count, stub: string%);

## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
##    dce_rpc_request rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event dce_rpc_response%(c: connection, opnum: count, stub: string%);

## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
##    dce_rpc_request dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x.
##    To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);

## Generated for NCP requests (Netware Core Protocol).
##
## See `Wikipedia `__ for more
## information about the NCP protocol.
##
## c: The connection.
##
## frame_type: The frame type, as specified by the protocol.
##
## length: The length of the request body, excluding the frame header.
##
## func: The requested function, as specified by the protocol.
##
## .. bro:see:: ncp_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event ncp_request%(c: connection, frame_type: count, length: count, func: count%);

## Generated for NCP replies (Netware Core Protocol).
##
## See `Wikipedia `__ for more
## information about the NCP protocol.
##
## c: The connection.
##
## frame_type: The frame type, as specified by the protocol.
##
## length: The length of the reply body, excluding the frame header.
##
## req_frame: The frame type from the corresponding request.
##
## req_func: The function code from the corresponding request.
##
## completion_code: The reply's completion code, as specified by the protocol.
##
## .. bro:see:: ncp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);

## Generated for client-side commands on POP3 connections.
##
## See `Wikipedia `__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## command: The command sent.
##
## arg: The argument to the command.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
##    pop3_terminate pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_request%(c: connection, is_orig: bool, command: string, arg: string%);

## Generated for server-side replies to commands on POP3 connections.
##
## See `Wikipedia `__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## cmd: The success indicator sent by the server. This corresponds to the
##      first token on the line sent, and should be either ``OK`` or ``ERR``.
##
## msg: The textual description the server sent along with *cmd*.
##
## arg: The argument to the command.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
##    pop3_terminate pop3_unexpected
##
## .. todo:: This event is receiving odd parameters, should unify.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);

## Generated for server-side multi-line responses on POP3 connections. POP3
## connections use multi-line responses to send bulk data, such as the actual
## mails. This event is generated once for each line that's part of such a
## response.
##
## See `Wikipedia `__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: True if the data was sent by the originator of the TCP connection.
##
## data: The data sent.
##
## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
##    pop3_terminate pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_data%(c: connection, is_orig: bool, data: string%);

## Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds
## state transitions that do not conform to the protocol specification, or other
## situations it can't handle, it raises this event.
##
## See `Wikipedia `__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: True if the data was sent by the originator of the TCP connection.
##
## msg: A textual description of the situation.
##
## detail: The input that triggered the event.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
##    pop3_terminate
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%);

## Generated when a POP3 connection goes encrypted. While POP3 is by default a
## clear-text protocol, extensions exist to switch to encryption. This event is
## generated if that happens, and the analyzer then stops processing the
## connection.
##
## See `Wikipedia `__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## msg: A descriptive message why processing was stopped.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
##    pop3_unexpected
##
## .. note:: Currently, only the ``STARTLS`` command is recognized and
##    triggers this.
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_terminate%(c: connection, is_orig: bool, msg: string%);

## Generated for successful authentications on POP3 connections.
##
## See `Wikipedia `__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## user: The user name used for authentication. The event is only generated if
##       a non-empty user name was used.
##
## password: The password used for authentication.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request pop3_terminate
##    pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_login_success%(c: connection, is_orig: bool, user: string, password: string%);

## Generated for unsuccessful authentications on POP3 connections.
##
## See `Wikipedia `__ for more information about
## the POP3 protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## user: The user name attempted for authentication. The event is only generated if
##       a non-empty user name was used.
##
## password: The password attempted for authentication.
##
## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request pop3_terminate
##    pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
##    analyzer that generates this event; the corresponding script has not yet
##    been ported to Bro 2.x. To still enable this event, one needs to add a
##    corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
event pop3_login_failure%(c: connection, is_orig: bool, user: string, password: string%);

## Generated for all client-side IRC commands.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: Always true.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## command: The command.
##
## arguments: The arguments for the command.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
##
## .. note:: This event is generated only for messages that originate at the
##    client side. Commands coming in from remote trigger the :bro:id:`irc_message`
##    event instead.
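An added example (not one of the Bro sources' own scripts) for the POP3 events above: it enables the analyzer as the ``todo`` notes require, counts ``pop3_login_failure`` events per client without recording passwords, and reports a later ``pop3_login_success`` from the same client. The ``dpd_config`` entry syntax, the ``ANALYZER_POP3`` tag, the module name and the threshold are assumptions of this example.

```bro
# Added example, not part of Bro: failed-login tracking on POP3 sessions.
# Assumes Bro 2.0 dpd_config syntax and the analyzer tag ANALYZER_POP3.

# The POP3 analyzer is off by default; activate it on the standard port.
redef dpd_config += { [ANALYZER_POP3] = [$ports = set(110/tcp)] };

module POP3_Auth;

export {
    ## Failed logins from one client before it is reported (constructed value).
    const failure_threshold: count = 5 &redef;
}

# Failure bookkeeping per client address; idle entries age out.
global failures: table[addr] of count &default=0 &write_expire=10min;
global tried_users: table[addr] of set[string] &write_expire=10min;

# Count one failure for src and remember the account name; returns the new
# total for that client.
function record_failure(src: addr, user: string): count
    {
    ++failures[src];

    if ( src !in tried_users )
        tried_users[src] = set();
    add tried_users[src][user];

    return failures[src];
    }

event pop3_login_failure(c: connection, is_orig: bool, user: string, password: string)
    {
    # user is non-empty here (the event is not raised otherwise); the
    # password parameter is deliberately never stored or printed.
    local src = c$id$orig_h;
    local n = record_failure(src, user);

    if ( n == failure_threshold )
        print fmt("%s: %d failed POP3 logins on %s across %d distinct accounts",
                  src, n, c$id$resp_h, |tried_users[src]|);
    }

event pop3_login_success(c: connection, is_orig: bool, user: string, password: string)
    {
    local src = c$id$orig_h;

    # &default=0 makes the lookup safe for clients that never failed.
    if ( failures[src] >= failure_threshold )
        print fmt("%s: POP3 login as '%s' on %s succeeded after %d failures",
                  src, user, c$id$resp_h, failures[src]);
    }

event pop3_terminate(c: connection, is_orig: bool, msg: string)
    {
    # The analyzer stops once the session switches to encryption, so any
    # later authentication on this connection is invisible to this script.
    print fmt("%s -> %s: POP3 analysis stopped: %s", c$id$orig_h, c$id$resp_h, msg);
    }

event pop3_unexpected(c: connection, is_orig: bool, msg: string, detail: string)
    {
    # Clients that do not follow the POP3 state machine deserve a note of
    # their own; they are frequently not mail clients at all.
    print fmt("%s -> %s: unexpected POP3 input (%s): %s",
              c$id$orig_h, c$id$resp_h, msg, detail);
    }
```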
event irc_request%(c: connection, is_orig: bool, prefix: string, command: string, arguments: string%);

## Generated for all IRC replies. IRC replies are sent in response to a
## request and come with a reply code.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the reply. IRC uses the prefix to
##         indicate the true origin of a message.
##
## code: The reply code, as specified by the protocol.
##
## params: The reply's parameters.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_reply%(c: connection, is_orig: bool, prefix: string, code: count, params: string%);

## Generated for IRC commands forwarded from the server to the client.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## command: The command.
##
## arguments: The arguments for the command.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
##
## .. note::
##
##    This event is generated only for messages that are forwarded by the server
##    to the client.
##    Commands coming from the client trigger the :bro:id:`irc_request`
##    event instead.
event irc_message%(c: connection, is_orig: bool, prefix: string, command: string, message: string%);

## Generated for IRC messages of type *quit*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## nick: The nick name coming with the message.
##
## message: The text included with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);

## Generated for IRC messages of type *privmsg*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_privmsg_message%(c: connection, is_orig: bool, source: string, target: string, message: string%);

## Generated for IRC messages of type *notice*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_notice_message%(c: connection, is_orig: bool, source: string, target: string, message: string%);

## Generated for IRC messages of type *squery*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_squery_message%(c: connection, is_orig: bool, source: string, target: string, message: string%);

## Generated for IRC messages of type *join*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## info_list: The user information coming with the command.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);

## Generated for IRC messages of type *part*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## nick: The nickname coming with the message.
##
## chans: The set of channels affected.
##
## message: The text coming with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_password_message
event irc_part_message%(c: connection, is_orig: bool, nick: string, chans: string_set, message: string%);

## Generated for IRC messages of type *nick*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## who: The user changing its nickname.
##
## newnick: The new nickname.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);

## Generated when a server rejects an IRC nickname.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invite_message irc_join_message irc_kick_message
##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_invalid_nick%(c: connection, is_orig: bool%);

## Generated for an IRC reply of type *luserclient*.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## users: The number of users as returned in the reply.
##
## services: The number of services as returned in the reply.
##
## servers: The number of servers as returned in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_network_info%(c: connection, is_orig: bool, users: count, services: count, servers: count%);

## Generated for an IRC reply of type *luserme*.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## users: The number of users as returned in the reply.
##
## services: The number of services as returned in the reply.
##
## servers: The number of servers as returned in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_server_info%(c: connection, is_orig: bool, users: count, services: count, servers: count%);

## Generated for an IRC reply of type *luserchannels*.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## chans: The number of channels as returned in the reply.
## ## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message ## irc_password_message event irc_channel_info%(c: connection, is_orig: bool, chans: count%); ## Generated for an IRC reply of type *whoreply*. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## ## is_orig: True if the command what sent by the originator of the TCP connection. ## ## target_nick: The target nick name. ## ## channel: The channel. ## ## user: The user. ## ## host: The host. ## ## server: The server. ## ## nick: The nick name. ## ## params: The parameters. ## ## hops: The hop count. ## ## real_name: The real name. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response ## irc_part_message irc_password_message event irc_who_line%(c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string%); ## Generated for an IRC reply of type *namereply*. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## ## is_orig: True if the command what sent by the originator of the TCP connection. ## ## c_type: The channel type. ## ## channel: The channel. ## ## users: The set of users. ## ## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message ## irc_notice_message irc_oper_message irc_oper_response irc_part_message ## irc_password_message event irc_names_info%(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set%); ## Generated for an IRC reply of type *whoisoperator*. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## ## is_orig: True if the command what sent by the originator of the TCP connection. ## ## nick: The nick name specified in the reply. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response ## irc_part_message irc_password_message event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); ## Generated for an IRC reply of type *whoischannels*. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## ## is_orig: True if the command what sent by the originator of the TCP connection. ## ## nick: The nick name specified in the reply. ## ## chans: The set of channels returned. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response ## irc_part_message irc_password_message event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, chans: string_set%); ## Generated for an IRC reply of type *whoisuser*. 
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## nick: The nick name specified in the reply.
##
## user: The user name specified in the reply.
##
## host: The host name specified in the reply.
##
## real_name: The real name specified in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string%);

## Generated for IRC replies of type *youreoper* and *nooperhost*.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## got_oper: True if the *oper* command was executed successfully
##           (*youreoper*) and false otherwise (*nooperhost*).
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_part_message
##    irc_password_message
event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);

## Generated for an IRC reply of type *globalusers*.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## msg: The message coming with the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);

## Generated for an IRC reply of type *topic*.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## channel: The channel name specified in the reply.
##
## topic: The topic specified in the reply.
##
## .. bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);

## Generated for IRC messages of type *who*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## mask: The mask specified in the message.
##
## oper: True if the operator flag was set.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);

## Generated for IRC messages of type *whois*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## server: The server specified in the message.
##
## users: The users specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);

## Generated for IRC messages of type *oper*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## user: The user specified in the message.
##
## password: The password specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_response irc_part_message
##    irc_password_message
event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);

## Generated for IRC messages of type *kick*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## chans: The channels specified in the message.
##
## users: The users specified in the message.
##
## comment: The comment specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_kick_message%(c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string%);

## Generated for IRC messages of type *error*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## message: The textual description specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%);

## Generated for IRC messages of type *invite*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## nickname: The nick name specified in the message.
##
## channel: The channel specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_join_message irc_kick_message
##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_invite_message%(c: connection, is_orig: bool, prefix: string, nickname: string, channel: string%);

## Generated for IRC messages of type *mode*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## params: The parameters coming with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);

## Generated for IRC messages of type *squit*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## server: The server specified in the message.
##
## message: The textual description specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_squit_message%(c: connection, is_orig: bool, prefix: string, server: string, message: string%);

## Generated for IRC messages of type *dcc*. This event is generated for messages
## coming from both the client and the server. Note that the DCC transfer itself
## takes place on a separate connection to the *address* and *dest_port* carried
## in the message, not on *c*.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
##         indicate the true origin of a message.
##
## target: The target specified in the message.
##
## dcc_type: The DCC type specified in the message.
##
## argument: The argument specified in the message.
##
## address: The address specified in the message.
##
## dest_port: The destination port specified in the message.
##
## size: The size specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users
##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
##    irc_password_message
event irc_dcc_message%(c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count%);

## Generated for IRC messages of type *user*. This event is generated for messages
## coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## user: The user specified in the message.
##
## host: The host name specified in the message.
##
## server: The server name specified in the message.
##
## real_name: The real name specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message irc_password_message
event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%);

## Generated for IRC messages of type *password*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia `__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP connection.
##
## password: The password specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
##    irc_part_message
event irc_password_message%(c: connection, is_orig: bool, password: string%);

## TODO.
##
## .. bro:see::
event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);

## Generated for monitored Syslog messages.
##
## See `Wikipedia `__ for more
## information about the Syslog protocol.
##
## c: The connection record for the underlying transport-layer session/flow.
##
## facility: The "facility" included in the message.
##
## severity: The "severity" included in the message.
##
## msg: The message logged.
##
## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP syslog
##    will be added soon.
event syslog_message%(c: connection, facility: count, severity: count, msg: string%);

## Generated when a signature matches. Bro's signature engine provides
## high-performance pattern matching separately from the normal script processing.
## If a signature with an ``event`` action matches, this event is raised.
##
## See the :doc:`user manual ` for more information about Bro's
## signature engine.
##
## state: Context about the match, including which signature triggered the
##        event and the connection for which the match was found.
##
## msg: The message passed to the ``event`` signature action.
##
## data: The last chunk of input that triggered the match. Note that the specifics
##       here are not well-defined, as Bro does not buffer any input. If a match is
##       split across packet boundaries, only the last chunk that completed the
##       match will be passed on to the event.
event signature_match%(state: signature_state, msg: string, data: string%);

## Generated when a protocol analyzer finds an identification of a software
## used on a system. This is a protocol-independent event that is fed by
## different analyzers. For example, the HTTP analyzer reports user-agent and
## server software by raising this event, assuming it can parse it (if not,
## :bro:id:`software_parse_error` will be generated instead).
##
## c: The connection.
##
## host: The host running the reported software.
##
## s: A description of the software found.
##
## descr: The raw (unparsed) software identification string as extracted from the
##        protocol.
##
## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found
event software_version_found%(c: connection, host: addr, s: software, descr: string%);

## Generated when a protocol analyzer finds an identification of a software used on
## a system but cannot parse it. This is a protocol-independent event that is fed
## by different analyzers. For example, the HTTP analyzer reports user-agent and
## server software by raising this event if it cannot parse them directly (if it
## can, :bro:id:`software_version_found` will be generated instead).
##
## c: The connection.
##
## host: The host running the reported software.
##
## descr: The raw (unparsed) software identification string as extracted from the
##        protocol.
##
## .. bro:see:: software_version_found software_unparsed_version_found
##    OS_version_found
event software_parse_error%(c: connection, host: addr, descr: string%);

## Generated when a protocol analyzer finds an identification of a software
## used on a system. This is a protocol-independent event that is fed by
## different analyzers. For example, the HTTP analyzer reports user-agent and
## server software by raising this event. Different from
## :bro:id:`software_version_found` and :bro:id:`software_parse_error`, this
## event is always raised, independent of whether Bro can parse the version
## string.
##
## c: The connection.
##
## host: The host running the reported software.
##
## str: The software identification string as extracted from the protocol.
##
## .. bro:see:: software_parse_error software_version_found OS_version_found
event software_unparsed_version_found%(c: connection, host: addr, str: string%);

## Generated when an operating system has been fingerprinted. Bro uses `p0f
## `__ to fingerprint endpoints passively,
## and it raises this event for each system identified. The p0f fingerprints are
## defined by :bro:id:`passive_fingerprint_file`.
##
## c: The connection.
##
## host: The host whose operating system was fingerprinted.
##
## OS: The operating system version identified for *host*.
##
## .. bro:see:: passive_fingerprint_file software_parse_error
##    software_version_found software_unparsed_version_found
##    generate_OS_version_event
event OS_version_found%(c: connection, host: addr, OS: OS_version%);

## Generated when a connection to a remote Bro has been established. This event
## is intended primarily for use by Bro's communication framework, but it can also
## trigger additional code if helpful.
##
## p: A record describing the peer.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
##    remote_connection_handshake_done remote_event_registered remote_log remote_pong
##    remote_state_access_performed remote_state_inconsistency print_hook
event remote_connection_established%(p: event_peer%);

## Generated when a connection to a remote Bro has been closed. This event is
## intended primarily for use by Bro's communication framework, but it can
## also trigger additional code if helpful.
##
## p: A record describing the peer.
##
## .. bro:see:: remote_capture_filter remote_connection_error
##    remote_connection_established remote_connection_handshake_done
##    remote_event_registered remote_log remote_pong remote_state_access_performed
##    remote_state_inconsistency print_hook
event remote_connection_closed%(p: event_peer%);

## Generated when a remote connection's initial handshake has been completed. This
## event is intended primarily for use by Bro's communication framework, but it can
## also trigger additional code if helpful.
##
## p: A record describing the peer.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
##    remote_connection_established remote_event_registered remote_log remote_pong
##    remote_state_access_performed remote_state_inconsistency print_hook
event remote_connection_handshake_done%(p: event_peer%);

## Generated for each event registered by a remote peer. This event is intended
## primarily for use by Bro's communication framework, but it can also trigger
## additional code if helpful.
##
## p: A record describing the peer.
##
## name: The name of the event the peer registered for.
##
## .. bro:see:: remote_capture_filter remote_connection_closed
##    remote_connection_error remote_connection_established
##    remote_connection_handshake_done remote_log remote_pong
##    remote_state_access_performed remote_state_inconsistency print_hook
event remote_event_registered%(p: event_peer, name: string%);

## Generated when a connection to a remote Bro encountered an error.
## This event is intended primarily for use by Bro's communication framework, but
## it can also trigger additional code if helpful.
##
## p: A record describing the peer.
##
## reason: A textual description of the error.
##
## .. bro:see:: remote_capture_filter remote_connection_closed
##    remote_connection_established remote_connection_handshake_done
##    remote_event_registered remote_log remote_pong remote_state_access_performed
##    remote_state_inconsistency print_hook
event remote_connection_error%(p: event_peer, reason: string%);

## Generated when a remote peer sent us a capture filter. While this event is
## intended primarily for use by Bro's communication framework, it can also trigger
## additional code if helpful.
##
## p: A record describing the peer.
##
## filter: The filter string sent by the peer.
##
## .. bro:see:: remote_connection_closed remote_connection_error
##    remote_connection_established remote_connection_handshake_done
##    remote_event_registered remote_log remote_pong remote_state_access_performed
##    remote_state_inconsistency print_hook
event remote_capture_filter%(p: event_peer, filter: string%);

## Generated after a call to :bro:id:`send_state` when all data has been
## successfully sent to the remote side. While this event is
## intended primarily for use by Bro's communication framework, it can also trigger
## additional code if helpful.
##
## p: A record describing the remote peer.
##
## .. bro:see:: remote_capture_filter remote_connection_closed
##    remote_connection_error remote_connection_established
##    remote_connection_handshake_done remote_event_registered remote_log remote_pong
##    remote_state_access_performed remote_state_inconsistency print_hook
event finished_send_state%(p: event_peer%);

## Generated if state synchronization detects an inconsistency. While this event
## is intended primarily for use by Bro's communication framework, it can also
## trigger additional code if helpful. This event is only raised if
## :bro:id:`remote_check_sync_consistency` is true, since the consistency check
## that detects the mismatch is otherwise skipped.
##
## operation: The textual description of the state operation performed.
##
## id: The name of the Bro script identifier that was operated on.
##
## expected_old: A textual representation of the value of *id* that was expected to
##               be found before the operation was carried out.
##
## real_old: A textual representation of the value of *id* that was actually found
##           before the operation was carried out. The difference between
##           *real_old* and *expected_old* is the inconsistency being reported.
##
## .. bro:see:: remote_capture_filter remote_connection_closed
##    remote_connection_error remote_connection_established
##    remote_connection_handshake_done remote_event_registered remote_log remote_pong
##    remote_state_access_performed print_hook remote_check_sync_consistency
event remote_state_inconsistency%(operation: string, id: string, expected_old: string, real_old: string%);

## Generated for communication log messages. While this event is
## intended primarily for use by Bro's communication framework, it can also trigger
## additional code if helpful.
##
## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
##        :bro:id:`REMOTE_LOG_ERROR`.
##
## src: The component of the communication system that logged the message.
##      Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
##      child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
##      :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
##
## msg: The message logged.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
##    remote_connection_established remote_connection_handshake_done
##    remote_event_registered remote_pong remote_state_access_performed
##    remote_state_inconsistency print_hook remote_log_peer
event remote_log%(level: count, src: count, msg: string%);

## Generated for communication log messages. While this event is
## intended primarily for use by Bro's communication framework, it can also trigger
## additional code if helpful. This event is equivalent to
## :bro:id:`remote_log` except the message is with respect to a certain peer.
##
## p: A record describing the remote peer.
##
## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
##        :bro:id:`REMOTE_LOG_ERROR`.
##
## src: The component of the communication system that logged the message.
##      Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
##      child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
##      :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
##
## msg: The message logged.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
##    remote_connection_established remote_connection_handshake_done
##    remote_event_registered remote_pong remote_state_access_performed
##    remote_state_inconsistency print_hook remote_log
event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);

## Generated when a remote peer has answered our ping. This event is part of
## Bro's infrastructure for measuring communication latency. One can send a ping
## by calling :bro:id:`send_ping` and when a corresponding reply is received, this
## event will be raised.
##
## p: The peer sending us the pong.
##
## seq: The sequence number passed to the original :bro:id:`send_ping` call.
##      The number is sent back by the peer in its response.
##
## d1: The time interval between sending the ping and receiving the pong. This
##     is the latency of the complete path.
##
## d2: The time interval between sending out the ping to the network and its
##     reception at the peer. This is the network latency.
##
## d3: The time interval between when the peer's child process received the
##     ping and when its parent process sent the pong. This is the
##     processing latency at the peer.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
##    remote_connection_established remote_connection_handshake_done
##    remote_event_registered remote_log remote_state_access_performed
##    remote_state_inconsistency print_hook
event remote_pong%(p: event_peer, seq: count, d1: interval, d2: interval, d3: interval%);

## Generated each time a remote state access has been replayed locally. This event
## is primarily intended for debugging and measurements.
##
## id: The name of the Bro script variable that's being operated on.
##
## v: The new value of the variable.
##
## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
##    remote_connection_established remote_connection_handshake_done
##    remote_event_registered remote_log remote_pong remote_state_inconsistency
##    print_hook
event remote_state_access_performed%(id: string, v: any%);

## Generated each time Bro's internal profiling log is updated. The file is
## defined by :bro:id:`profiling_file`, and its update frequency by
## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`.
##
## f: The profiling file.
##
## expensive: True if this event corresponds to heavier-weight profiling as
##            indicated by the :bro:id:`expensive_profiling_multiple` variable.
##
## .. bro:see:: profiling_interval expensive_profiling_multiple
event profiling_update%(f: file, expensive: bool%);

## Generated each time Bro's script interpreter opens a file. This event is
## triggered only for files opened via :bro:id:`open`, and in particular not for
## normal log files as created by log writers.
##
## f: The opened file.
event file_opened%(f: file%);

## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises this
## event whenever it either receives a NetFlow header on the port it's listening
## on, or reads one from a trace file.
##
## h: The parsed NetFlow header.
##
## .. bro:see:: netflow_v5_record
event netflow_v5_header%(h: nf_v5_header%);

## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises this
## event whenever it either receives a NetFlow record on the port it's listening
## on, or reads one from a trace file.
##
## r: The parsed NetFlow record.
##
## .. bro:see:: netflow_v5_header
event netflow_v5_record%(r: nf_v5_record%);

## Raised for informational messages reported via Bro's reporter framework. Such
## messages may be generated internally by the event engine and also by other
## scripts calling :bro:id:`Reporter::info`.
##
## t: The time the message was passed to the reporter.
##
## msg: The message itself.
##
## location: A (potentially empty) string describing a location associated with the
##           message.
##
## .. bro:see:: reporter_warning reporter_error Reporter::info Reporter::warning
##    Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of any
##    reporter event triggers a new reporter message itself, the output will go to
##    ``stderr`` instead.
event reporter_info%(t: time, msg: string, location: string%) &error_handler;

## Raised for warnings reported via Bro's reporter framework. Such messages may
## be generated internally by the event engine and also by other scripts calling
## :bro:id:`Reporter::warning`.
##
## t: The time the warning was passed to the reporter.
##
## msg: The warning message.
##
## location: A (potentially empty) string describing a location associated with the
##           warning.
##
## .. bro:see:: reporter_info reporter_error Reporter::info Reporter::warning
##    Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of any
##    reporter event triggers a new reporter message itself, the output will go to
##    ``stderr`` instead.
event reporter_warning%(t: time, msg: string, location: string%) &error_handler;

## Raised for errors reported via Bro's reporter framework.
## Such messages may
## be generated internally by the event engine and also by other scripts calling
## :bro:id:`Reporter::error`.
##
## t: The time the error was passed to the reporter.
##
## msg: The error message.
##
## location: A (potentially empty) string describing a location associated with the
##           error.
##
## .. bro:see:: reporter_info reporter_warning Reporter::info Reporter::warning
##    Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of any
##    reporter event triggers a new reporter message itself, the output will go to
##    ``stderr`` instead.
event reporter_error%(t: time, msg: string, location: string%) &error_handler;

## Raised for each policy script loaded by the script interpreter.
##
## path: The full path to the script loaded.
##
## level: The "nesting level": zero for a top-level Bro script and incremented
##        recursively for each ``@load``.
event bro_script_loaded%(path: string, level: count%);

## Deprecated. Will be removed.
event stp_create_endp%(c: connection, e: int, is_orig: bool%);

# ##### Internal events. Not further documented.

## Event internal to the stepping stone detector.
event stp_resume_endp%(e: int%);

## Event internal to the stepping stone detector.
event stp_correlate_pair%(e1: int, e2: int%);

## Event internal to the stepping stone detector.
event stp_remove_pair%(e1: int, e2: int%);

## Event internal to the stepping stone detector.
event stp_remove_endp%(e: int%);

# ##### Deprecated events. Proposed for removal.

## Deprecated. Will be removed.
event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);

## Deprecated. Will be removed.
event interconn_remove_conn%(c: connection%);

## Deprecated. Will be removed.
event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);

## Deprecated. Will be removed.
event backdoor_remove_conn%(c: connection%);

## Deprecated. Will be removed.
event ssh_signature_found%(c: connection, is_orig: bool%);

## Deprecated. Will be removed.
event telnet_signature_found%(c: connection, is_orig: bool, len: count%);

## Deprecated. Will be removed.
event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);

## Deprecated. Will be removed.
event root_backdoor_signature_found%(c: connection%);

## Deprecated. Will be removed.
event ftp_signature_found%(c: connection%);

## Deprecated. Will be removed.
event napster_signature_found%(c: connection%);

## Deprecated. Will be removed.
event gnutella_signature_found%(c: connection%);

## Deprecated. Will be removed.
event kazaa_signature_found%(c: connection%);

## Deprecated. Will be removed.
event http_signature_found%(c: connection%);

## Deprecated. Will be removed.
event http_proxy_signature_found%(c: connection%);

## Deprecated. Will be removed.
event smtp_signature_found%(c: connection%);

## Deprecated. Will be removed.
event irc_signature_found%(c: connection%);

## Deprecated. Will be removed.
event gaobot_signature_found%(c: connection%);

## Deprecated. Will be removed.
##
## .. todo:: Unclear what this event is for; it's never raised. We should just
##    remove it.
event dns_full_request%(%) &group="dns";

## Deprecated. Will be removed.
event anonymization_mapping%(orig: addr, mapped: addr%);

## Deprecated. Will be removed.
event rotate_interval%(f: file%);

## Deprecated. Will be removed.
event rotate_size%(f: file%);

## Deprecated. Will be removed.
event print_hook%(f: file, s: string%);
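The reporter events and ``bro_script_loaded`` documented above, as an added Bro script example that is not part of this file or of the Bro distribution: it mirrors every warning and error into a file opened via ``open`` (so that ``file_opened`` fires for it) and dumps the ``@load`` tree at shutdown. The file name ``reporter-mirror.log`` and the helper ``emit`` are assumptions made for this example.

```bro
# Added example, not Bro's own code: handlers for the reporter events and
# bro_script_loaded above. File name and helper emit() are assumptions.

const mirror_path = "reporter-mirror.log" &redef;

global mirror: file;
global mirror_open = F;
global n_warnings = 0;
global n_errors = 0;
global loaded: vector of string;

function emit(line: string)
	{
	# Open lazily: reporter events may be raised before bro_init runs.
	if ( ! mirror_open )
		{
		mirror = open(mirror_path);
		mirror_open = T;
		}
	print mirror, line;
	}

# level is the @load depth: zero for a top-level script. Remember, report later.
event bro_script_loaded(path: string, level: count)
	{
	loaded[|loaded|] = fmt("%d %s", level, path);
	}

# Never call Reporter::warning from a reporter handler: reporter events are
# not raised recursively, so that message would go to stderr, not this file.
event reporter_warning(t: time, msg: string, location: string)
	{
	++n_warnings;
	emit(fmt("%D WARNING %s [%s]", t, msg, location));
	}

event reporter_error(t: time, msg: string, location: string)
	{
	++n_errors;
	emit(fmt("%D ERROR %s [%s]", t, msg, location));
	}

event bro_done()
	{
	for ( i in loaded )
		emit(fmt("loaded %s", loaded[i]));
	emit(fmt("%d warnings, %d errors", n_warnings, n_errors));
	if ( mirror_open )
		close(mirror);
	}
```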
