event bro_init%(%); event bro_done%(%); event dns_mapping_valid%(dm: dns_mapping%); event dns_mapping_unverified%(dm: dns_mapping%); event dns_mapping_new_name%(dm: dns_mapping%); event dns_mapping_lost_name%(dm: dns_mapping%); event dns_mapping_name_changed%(old_dm: dns_mapping, new_dm: dns_mapping%); event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); event new_connection%(c: connection%); event new_connection_contents%(c: connection%); event new_packet%(c: connection, p: pkt_hdr%); event connection_attempt%(c: connection%); event connection_established%(c: connection%); event partial_connection%(c: connection%); event connection_partial_close%(c: connection%); event connection_finished%(c: connection%); event connection_half_finished%(c: connection%); event connection_rejected%(c: connection%); event connection_reset%(c: connection%); event connection_pending%(c: connection%); event connection_state_remove%(c: connection%); event connection_SYN_packet%(c: connection, pkt: SYN_packet%); event connection_first_ACK%(c: connection%); event connection_timeout%(c: connection%); event connection_reused%(c: connection%); event connection_status_update%(c: connection%); event connection_EOF%(c: connection, is_orig: bool%); event connection_external%(c: connection, tag: string%); event expected_connection_seen%(c: connection, a: count%); event protocol_confirmation%(c: connection, atype: count, aid: count%); event protocol_violation%(c: connection, atype: count, aid: count, reason: string%); event packet_contents%(c: connection, contents: string%); event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); event udp_request%(u: connection%); event udp_reply%(u: connection%); event udp_contents%(u: connection, is_orig: bool, contents: string%); event udp_session_done%(u: connection%); event icmp_sent%(c: connection, icmp: icmp_conn%); event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); event icmp_redirect%(c: connection, icmp: icmp_conn, a: addr%); event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); event conn_weird%(name: string, c: connection, addl: string%); event flow_weird%(name: string, src: addr, dst: addr%); event net_weird%(name: string%); event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%); event rexmit_inconsistency%(c: connection, t1: string, t2: string%); event ack_above_hole%(c: connection%); event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); event gap_report%(dt: interval, info: gap_info%); event inconsistent_option%(c: connection%); event bad_option%(c: connection%); event bad_option_termination%(c: connection%); event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%); event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%); event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%); event bittorrent_peer_handshake%(c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string%); event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%); event bittorrent_peer_choke%(c: connection, is_orig: bool%); event bittorrent_peer_unchoke%(c: connection, is_orig: bool%); event bittorrent_peer_interested%(c: connection, is_orig: bool%); event bittorrent_peer_not_interested%(c: connection, is_orig: bool%); event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%); event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%); event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, begin: count, length: count%); event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, begin: count, piece_length: count%); event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, begin: count, length: count%); event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%); event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, data: string%); event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%); event bt_tracker_request%(c: connection, uri: string, headers: bt_tracker_headers%); event bt_tracker_response%(c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir%); event bt_tracker_response_not_ok%(c: connection, status: count, headers: bt_tracker_headers%); event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%); event finger_request%(c: connection, full: bool, username: string, hostname: string%); event finger_reply%(c: connection, reply_line: string%); event gnutella_text_msg%(c: connection, orig: bool, headers: string%); event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool%); event gnutella_partial_binary_msg%(c: connection, orig: bool, msg: string, len: count%); event gnutella_establish%(c: connection%); event gnutella_not_establish%(c: connection%); event gnutella_http_notify%(c: connection%); event ident_request%(c: connection, lport: port, rport: port%); event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%); event ident_error%(c: connection, lport: port, rport: port, line: string%); event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); event login_input_line%(c: connection, line: string%); event login_output_line%(c: connection, line: string%); event login_confused%(c: connection, msg: string, line: string%); event login_confused_text%(c: connection, line: string%); event login_terminal%(c: connection, terminal: string%); event login_display%(c: connection, display: string%); event login_prompt%(c: connection, prompt: string%); event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); event excessive_line%(c: connection%); event authentication_accepted%(name: string, c: connection%); event authentication_rejected%(name: string, c: connection%); event authentication_skipped%(c: connection%); event activating_encryption%(c: connection%); event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp"; event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp"; event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp"; event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp"; event mime_begin_entity%(c: connection%); event mime_next_entity%(c: connection%); event mime_end_entity%(c: connection%); event mime_one_header%(c: connection, h: mime_header_rec%); event mime_all_headers%(c: connection, hlist: mime_header_list%); event mime_segment_data%(c: connection, length: count, data: string%); event mime_entity_data%(c: connection, length: count, data: string%); event mime_all_data%(c: connection, length: count, data: string%); event mime_event%(c: connection, event_type: string, detail: string%); event mime_content_hash%(c: connection, content_len: count, hash_value: string%); # Generated for each RPC request / reply *pair* (if there is no reply, the event # will be generated on timeout). event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); # Generated for each (correctly formed) RPC_CALL message received. event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); # Generated for each (correctly formed) RPC_REPLY message received. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); event pm_request_null%(r: connection%); event pm_request_set%(r: connection, m: pm_mapping, success: bool%); event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); event pm_request_dump%(r: connection, m: pm_mappings%); event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); event pm_attempt_null%(r: connection, status: rpc_status%); event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); event pm_attempt_dump%(r: connection, status: rpc_status%); event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); event pm_bad_port%(r: connection, bad_p: count%); # Events for the NFS analyzer. An event is generated if we have received a # Call (request) / Response pair (or in case of a time out). info$rpc_stat and # info$nfs_stat show whether the request was successful. The request record is # always filled out, however, the reply record(s) might not be set or might only # be partially set. See the comments for the record types in bro.init to see which # reply fields are set when. event nfs_proc_null%(c: connection, info: NFS3::info_t%); event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%); event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%); # Generated for each NFS reply message we receive, giving just gives the status. event nfs_reply_status%(n: connection, info: NFS3::info_t%); event ntp_message%(u: connection, msg: ntp_msg, excess: string%); event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%); event netbios_session_request%(c: connection, msg: string%); event netbios_session_accepted%(c: connection, msg: string%); event netbios_session_rejected%(c: connection, msg: string%); event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); event netbios_session_ret_arg_resp%(c: connection, msg: string%); event netbios_session_keepalive%(c: connection, msg: string%); event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%); event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%); event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%); event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%); event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%); event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%); event smb_com_negotiate%(c: connection, hdr: smb_hdr%); event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%); event smb_com_setup_andx%(c: connection, hdr: smb_hdr%); event smb_com_generic_andx%(c: connection, hdr: smb_hdr%); event smb_com_close%(c: connection, hdr: smb_hdr%); event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%); event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns"; event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; event dns_full_request%(%) &group="dns"; event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr, astr: string%) &group="dns"; event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns"; event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns"; event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns"; event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; event dns_EDNS%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns"; event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns"; # Generated at the end of processing a DNS packet. event dns_end%(c: connection, msg: dns_msg%) &group="dns"; event dns_query_reply%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; # Generated when a port 53 UDP message cannot be parsed as a DNS request. event non_dns_request%(c: connection, msg: string%) &group="dns"; event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%); event dhcp_decline%(c: connection, msg: dhcp_msg%); event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); event dhcp_nak%(c: connection, msg: dhcp_msg%); event dhcp_release%(c: connection, msg: dhcp_msg%); event dhcp_inform%(c: connection, msg: dhcp_msg%); event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body"; event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body"; event http_event%(c: connection, event_type: string, detail: string%); event http_stats%(c: connection, stats: http_stats_rec%); event ssh_client_version%(c: connection, version: string%); event ssh_server_version%(c: connection, version: string%); event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); event ssl_extension%(c: connection, code: count, val: string%); event ssl_established%(c: connection%); event ssl_alert%(c: connection, level: count, desc: count%); event x509_certificate%(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string%); event x509_extension%(c: connection, data: string%); event x509_error%(c: connection, err: count%); event stp_create_endp%(c: connection, e: int, is_orig: bool%); event stp_resume_endp%(e: int%); event stp_correlate_pair%(e1: int, e2: int%); event stp_remove_pair%(e1: int, e2: int%); event stp_remove_endp%(e: int%); event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); event dce_rpc_bind%(c: connection, uuid: string%); event dce_rpc_request%(c: connection, opnum: count, stub: string%); event dce_rpc_response%(c: connection, opnum: count, stub: string%); # DCE/RPC endpoint mapper events. event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); # "length" is the length of body (not including the frame header) event ncp_request%(c: connection, frame_type: count, length: count, func: count%); event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%); event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%); event interconn_remove_conn%(c: connection%); event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%); event backdoor_remove_conn%(c: connection%); event ssh_signature_found%(c: connection, is_orig: bool%); event telnet_signature_found%(c: connection, is_orig: bool, len: count%); event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%); event root_backdoor_signature_found%(c: connection%); event ftp_signature_found%(c: connection%); event napster_signature_found%(c: connection%); event gnutella_signature_found%(c: connection%); event kazaa_signature_found%(c: connection%); event http_signature_found%(c: connection%); event http_proxy_signature_found%(c: connection%); event smtp_signature_found%(c: connection%); event irc_signature_found%(c: connection%); event gaobot_signature_found%(c: connection%); event pop3_request%(c: connection, is_orig: bool, command: string, arg: string%); event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); event pop3_data%(c: connection, is_orig: bool, data: string%); event pop3_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); event pop3_terminate%(c: connection, is_orig: bool, msg: string%); event pop3_login_success%(c: connection, is_orig: bool, user: string, password: string%); event pop3_login_failure%(c: connection, is_orig: bool, user: string, password: string%); event irc_request%(c: connection, is_orig: bool, prefix: string, command: string, arguments: string%); event irc_reply%(c: connection, is_orig: bool, prefix: string, code: count, params: string%); event irc_message%(c: connection, is_orig: bool, prefix: string, command: string, message: string%); event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%); event irc_privmsg_message%(c: connection, is_orig: bool, source: string, target: string, message: string%); event irc_notice_message%(c: connection, is_orig: bool, source: string, target: string, message: string%); event irc_squery_message%(c: connection, is_orig: bool, source: string, target: string, message: string%); event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%); event irc_part_message%(c: connection, is_orig: bool, nick: string, chans: string_set, message: string%); event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%); event irc_invalid_nick%(c: connection, is_orig: bool%); event irc_network_info%(c: connection, is_orig: bool, users: count, services: count, servers: count%); event irc_server_info%(c: connection, is_orig: bool, users: count, services: count, servers: count%); event irc_channel_info%(c: connection, is_orig: bool, chans: count%); event irc_who_line%(c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string%); event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%); event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string%); event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, chans: string_set%); event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%); event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%); event irc_kick_message%(c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string%); event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%); event irc_invite_message%(c: connection, is_orig: bool, prefix: string, nickname: string, channel: string%); event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%); event irc_squit_message%(c: connection, is_orig: bool, prefix: string, server: string, message: string%); event irc_names_info%(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set%); event irc_dcc_message%(c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count%); event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%); event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%); event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%); event irc_password_message%(c: connection, is_orig: bool, password: string%); event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); event file_virus%(c: connection, virname: string%); event syslog_message%(c: connection, facility: count, severity: count, msg: string%); event signature_match%(state: signature_state, msg: string, data: string%); # Generated if a handler finds an identification of the software # used on a system. event software_version_found%(c: connection, host: addr, s: software, descr: string%); # Generated if a handler finds a version but cannot parse it. event software_parse_error%(c: connection, host: addr, descr: string%); # Generated once for each raw (unparsed) software identification. event software_unparsed_version_found%(c: connection, host: addr, str: string%); # Generated when an operating system has been fingerprinted. event OS_version_found%(c: connection, host: addr, OS: OS_version%); # Generated when an IP address gets mapped for the first time. event anonymization_mapping%(orig: addr, mapped: addr%); # Generated when a connection to a remote Bro has been established. event remote_connection_established%(p: event_peer%); # Generated when a connection to a remote Bro has been closed. event remote_connection_closed%(p: event_peer%); # Generated when a remote connection's handshake has been completed. event remote_connection_handshake_done%(p: event_peer%); # Generated for each event registered by a remote peer. event remote_event_registered%(p: event_peer, name: string%); # Generated when a connection to a remote Bro causes some error. event remote_connection_error%(p: event_peer, reason: string%); # Generated when a remote peer sends us some capture filter. event remote_capture_filter%(p: event_peer, filter: string%); # Generated after a call to send_state() when all data has been successfully # sent to the remote side. event finished_send_state%(p: event_peer%); # Generated if state synchronization detects an inconsistency. event remote_state_inconsistency%(operation: string, id: string, expected_old: string, real_old: string%); # Generated for communication log message. event remote_log%(level: count, src: count, msg: string%); # Generated when a remote peer has answered to our ping. event remote_pong%(p: event_peer, seq: count, d1: interval, d2: interval, d3: interval%); # Generated each time a remote state access has been replayed locally # (primarily for debugging). event remote_state_access_performed%(id: string, v: any%); # Generated each time profiling_file is updated. "expensive" means that # this event corresponds to heavier-weight profiling as indicated by the # expensive_profiling_multiple variable. event profiling_update%(f: file, expensive: bool%); event file_opened%(f: file%); # Each print statement generates an event. event print_hook%(f:file, s: string%); # Generated for &rotate_interval. event rotate_interval%(f: file%); # Generated for &rotate_size. event rotate_size%(f: file%); event netflow_v5_header%(h: nf_v5_header%); event netflow_v5_record%(r: nf_v5_record%); # Different types of reporter messages. These won't be called # recursively. event reporter_info%(t: time, msg: string, location: string%) &error_handler; event reporter_warning%(t: time, msg: string, location: string%) &error_handler; event reporter_error%(t: time, msg: string, location: string%) &error_handler; # Raised for each policy script loaded. event bro_script_loaded%(path: string, level: count%);