mirror of
https://github.com/zeek/zeek.git
synced 2025-10-15 21:18:20 +00:00

The broxygen-generated files now live in the git repo, have tests that check that they are up-to-date, and a script to re-generate them on-demand.
838 lines
32 KiB
ReStructuredText
:tocdepth: 3

base/bif/plugins/Bro_DNS.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL


:Namespace: GLOBAL

Summary
~~~~~~~
Events
######
============================================== ================================================================================
:bro:id:`dns_A6_reply`: :bro:type:`event`      Generated for DNS replies of type *A6*.
:bro:id:`dns_AAAA_reply`: :bro:type:`event`    Generated for DNS replies of type *AAAA*.
:bro:id:`dns_A_reply`: :bro:type:`event`       Generated for DNS replies of type *A*.
:bro:id:`dns_CAA_reply`: :bro:type:`event`     Generated for DNS replies of type *CAA* (Certification Authority Authorization).
:bro:id:`dns_CNAME_reply`: :bro:type:`event`   Generated for DNS replies of type *CNAME*.
:bro:id:`dns_DNSKEY`: :bro:type:`event`        Generated for DNS replies of type *DNSKEY*.
:bro:id:`dns_DS`: :bro:type:`event`            Generated for DNS replies of type *DS*.
:bro:id:`dns_EDNS_addl`: :bro:type:`event`     Generated for EDNS (OPT) pseudo-records in the Additional section.
:bro:id:`dns_HINFO_reply`: :bro:type:`event`   Generated for DNS replies of type *HINFO*.
:bro:id:`dns_MX_reply`: :bro:type:`event`      Generated for DNS replies of type *MX*.
:bro:id:`dns_NSEC`: :bro:type:`event`          Generated for DNS replies of type *NSEC*.
:bro:id:`dns_NSEC3`: :bro:type:`event`         Generated for DNS replies of type *NSEC3*.
:bro:id:`dns_NS_reply`: :bro:type:`event`      Generated for DNS replies of type *NS*.
:bro:id:`dns_PTR_reply`: :bro:type:`event`     Generated for DNS replies of type *PTR*.
:bro:id:`dns_RRSIG`: :bro:type:`event`         Generated for DNS replies of type *RRSIG*.
:bro:id:`dns_SOA_reply`: :bro:type:`event`     Generated for DNS replies of type *SOA*.
:bro:id:`dns_SRV_reply`: :bro:type:`event`     Generated for DNS replies of type *SRV*.
:bro:id:`dns_TSIG_addl`: :bro:type:`event`     Generated for TSIG records in the Additional section.
:bro:id:`dns_TXT_reply`: :bro:type:`event`     Generated for DNS replies of type *TXT*.
:bro:id:`dns_WKS_reply`: :bro:type:`event`     Generated for DNS replies of type *WKS*.
:bro:id:`dns_end`: :bro:type:`event`           Generated at the end of processing a DNS packet.
:bro:id:`dns_full_request`: :bro:type:`event`  Deprecated.
:bro:id:`dns_message`: :bro:type:`event`       Generated for all DNS messages.
:bro:id:`dns_query_reply`: :bro:type:`event`   Generated for each entry in the Question section of a DNS reply.
:bro:id:`dns_rejected`: :bro:type:`event`      Generated for DNS replies that reject a query.
:bro:id:`dns_request`: :bro:type:`event`       Generated for DNS requests.
:bro:id:`dns_unknown_reply`: :bro:type:`event` Generated for a resource record in a DNS reply whose type Bro does not know
                                               how to parse, so no more specific event is raised for it.
:bro:id:`non_dns_request`: :bro:type:`event`   Deprecated; superseded by Bro's dynamic protocol detection framework.
============================================== ================================================================================


Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: dns_A6_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)

   Generated for DNS replies of type *A6*. For replies with multiple answers, an
   individual event of the corresponding type is raised for each. A6 records
   were moved to historic status by RFC 6563 and are rarely seen in practice.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :a: The address returned by the reply.

   .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
      dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
      non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_AAAA_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)

   Generated for DNS replies of type *AAAA*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :a: The address returned by the reply.

   .. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
      dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
      non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_A_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, a: :bro:type:`addr`)

   Generated for DNS replies of type *A*. For replies with multiple answers, an
   individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :a: The address returned by the reply.

   .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
      dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
      dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_CAA_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, flags: :bro:type:`count`, tag: :bro:type:`string`, value: :bro:type:`string`)

   Generated for DNS replies of type *CAA* (Certification Authority Authorization).
   For replies with multiple answers, an individual event of the corresponding type
   is raised for each.
   See `RFC 6844 <https://tools.ietf.org/html/rfc6844>`__ for more details.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :flags: The flags byte of the CAA reply.

   :tag: The property identifier of the CAA reply.

   :value: The property value of the CAA reply.

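The following Bro script is an added example; it is not part of Bro's distribution or of this generated page. It uses the ``flags``, ``tag`` and ``value`` parameters described above to check CAA answers for domains you operate against the CAs you have authorized, which is how a monitoring sensor can catch a CAA record that was changed to admit an unexpected issuer. ``CAAWatch::monitored_domains``, ``CAAWatch::allowed_cas`` and the notice names are placeholders to redefine for your own zones.

```bro
# Added example (not Bro's own code): watch CAA answers for domains we
# operate and alert when an "issue"/"issuewild" property names a CA outside
# our allow list, or when a property we do not understand carries the
# issuer-critical flag (RFC 6844 section 5.1: bit 0x80 of the flags byte).
@load base/frameworks/notice

module CAAWatch;

export {
	redef enum Notice::Type += {
		## A CAA "issue"/"issuewild" property names a CA outside allowed_cas.
		Unexpected_Issuer,
		## A CAA property with the critical flag uses a tag we do not know.
		Unknown_Critical_Tag,
	};

	## Domains whose CAA records matter to us (assumed values; redef them).
	const monitored_domains: set[string] = { "example.com" } &redef;

	## CAs permitted to issue for those domains (assumed values; redef them).
	const allowed_cas: set[string] = { "ca.example.net" } &redef;
}

const ISSUER_CRITICAL = 128;   # 0x80, the only flag bit RFC 6844 defines

# True if name equals a monitored domain or lies below one.
function is_monitored(name: string): bool
	{
	local n = to_lower(name);
	for ( d in monitored_domains )
		{
		if ( n == d )
			return T;
		# sub_bytes() offsets are 1-based: take the trailing |d|+1 bytes.
		if ( |n| > |d| && sub_bytes(n, |n| - |d|, |d| + 1) == cat(".", d) )
			return T;
		}
	return F;
	}

# "ca.example.net; account=123" -> "ca.example.net" (parameters dropped).
function issuer_of(value: string): string
	{
	local parts = split_string1(value, /;/);
	return to_lower(strip(parts[0]));
	}

event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
	{
	if ( ! is_monitored(ans$query) )
		return;

	local t = to_lower(tag);

	if ( t == "issue" || t == "issuewild" )
		{
		local ca = issuer_of(value);
		# An empty issuer (";") means "nobody may issue", which is never a problem.
		if ( ca != "" && ca !in allowed_cas )
			NOTICE([$note=Unexpected_Issuer,
			        $msg=fmt("CAA for %s authorizes %s (%s)", ans$query, ca, t),
			        $conn=c,
			        $identifier=cat(ans$query, ca)]);
		}
	else if ( t != "iodef" && (flags / ISSUER_CRITICAL) % 2 == 1 )
		# A critical property a CA does not understand makes it refuse issuance,
		# so an unknown critical tag is at least a misconfiguration.
		NOTICE([$note=Unknown_Critical_Tag,
		        $msg=fmt("CAA for %s has critical unknown tag %s=%s", ans$query, tag, value),
		        $conn=c,
		        $identifier=cat(ans$query, t)]);
	}
```

The issuer comparison is deliberately done on the bare domain name before the first ``;`` because CAA parameters such as ``account=`` are CA-specific and must not influence the match; the flags byte is decoded with integer arithmetic because the script language of this Bro release has no bitwise operators.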
.. bro:id:: dns_CNAME_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)

   Generated for DNS replies of type *CNAME*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :name: The name returned by the reply.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
      dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
      non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_DNSKEY

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, dnskey: :bro:type:`dns_dnskey_rr`)

   Generated for DNS replies of type *DNSKEY*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :dnskey: The parsed DNSKEY record.

.. bro:id:: dns_DS

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, ds: :bro:type:`dns_ds_rr`)

   Generated for DNS replies of type *DS*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :ds: The parsed RDATA of the DS record.

.. bro:id:: dns_EDNS_addl

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_edns_additional`)

   Generated for EDNS (OPT) pseudo-records in the Additional section of a DNS
   reply. For replies carrying more than one such record, an individual event
   is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The parsed EDNS (OPT) record.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
      dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
      non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_HINFO_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)

   Generated for DNS replies of type *HINFO*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
      dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
      non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_MX_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`, preference: :bro:type:`count`)

   Generated for DNS replies of type *MX*. For replies with multiple answers, an
   individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :name: The name returned by the reply.

   :preference: The preference for *name* specified by the reply.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
      dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_NSEC

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, next_name: :bro:type:`string`, bitmaps: :bro:type:`string_vec`)

   Generated for DNS replies of type *NSEC*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :next_name: The parsed next secure domain name.

   :bitmaps: Vector of the record's type bitmaps, each as a hex string.

.. bro:id:: dns_NSEC3

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, nsec3: :bro:type:`dns_nsec3_rr`)

   Generated for DNS replies of type *NSEC3*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :nsec3: The parsed RDATA of the NSEC3 record.

.. bro:id:: dns_NS_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)

   Generated for DNS replies of type *NS*. For replies with multiple answers, an
   individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :name: The name returned by the reply.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
      dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_PTR_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, name: :bro:type:`string`)

   Generated for DNS replies of type *PTR*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :name: The name returned by the reply.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
      dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_RRSIG

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, rrsig: :bro:type:`dns_rrsig_rr`)

   Generated for DNS replies of type *RRSIG*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :rrsig: The parsed RRSIG record.

.. bro:id:: dns_SOA_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, soa: :bro:type:`dns_soa`)

   Generated for DNS replies of type *SOA*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :soa: The parsed SOA value.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
      dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_SRV_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, target: :bro:type:`string`, priority: :bro:type:`count`, weight: :bro:type:`count`, p: :bro:type:`count`)

   Generated for DNS replies of type *SRV*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :target: Target of the SRV response -- the canonical hostname of the
            machine providing the service, ending in a dot.

   :priority: Priority of the SRV response -- the priority of the target
              host, lower value means more preferred.

   :weight: Weight of the SRV response -- a relative weight for records
            with the same priority, higher value means more preferred.

   :p: Port of the SRV response -- the TCP or UDP port on which the
       service is to be found.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_TSIG_addl

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_tsig_additional`)

   Generated for TSIG records in the Additional section of a DNS reply. For
   replies carrying more than one such record, an individual event is raised
   for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The parsed TSIG record.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_TXT_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`, strs: :bro:type:`string_vec`)

   Generated for DNS replies of type *TXT*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   :strs: The textual information returned by the reply, one element per
          character-string of the TXT record.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_WKS_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)

   Generated for DNS replies of type *WKS*. For replies with multiple answers,
   an individual event of the corresponding type is raised for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_end

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`)

   Generated at the end of processing a DNS packet. This event is the last
   ``dns_*`` event that will be raised for a DNS query/reply and signals that
   all resource records have been passed on, so it is the place to finalize
   any per-message state accumulated from the preceding events.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth

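As an added example (not code from Bro or from this page), the script below relies on the ordering just described: it collects the addresses and CNAMEs delivered by the individual ``dns_*_reply`` events into one record per transaction, keyed by connection UID and DNS transaction ID, and writes that record to a ``dns_txn`` log when ``dns_end`` fires. The module name ``DNSTxn``, the log path and the 30-second expiry are assumptions, and the record only counts the A, AAAA and CNAME types it handles, so its ``seen_rrs`` will lag ``num_answers`` whenever a reply carries other types.

```bro
# Added example (not part of Bro): stitch the per-record dns_*_reply events
# back into one record per DNS transaction and write it out when dns_end
# signals that the analyzer has delivered everything for that message.
@load base/frameworks/logging

module DNSTxn;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:          time             &log;
		uid:         string           &log;
		trans_id:    count            &log;
		rcode:       count            &log;
		query:       string           &log &optional;
		## Names hopped through before reaching an address.
		cnames:      vector of string &log;
		addrs:       set[addr]        &log;
		## Answers the header promised versus A/AAAA/CNAME records we saw;
		## a gap means other record types (MX, TXT, ...) were in the reply.
		num_answers: count            &log;
		seen_rrs:    count            &log;
	};
}

# Transactions in flight, keyed by connection UID and DNS transaction id.
# Stragglers expire so a lost dns_end cannot leak memory (assumed timeout).
global pending: table[string, count] of Info &write_expire=30sec;

# Records are reference types, so callers mutate the stored entry in place.
function get_txn(c: connection, msg: dns_msg): Info
	{
	if ( [c$uid, msg$id] !in pending )
		pending[c$uid, msg$id] = [$ts=network_time(), $uid=c$uid,
		                          $trans_id=msg$id, $rcode=msg$rcode,
		                          $cnames=vector(), $addrs=set(),
		                          $num_answers=msg$num_answers, $seen_rrs=0];
	return pending[c$uid, msg$id];
	}

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="dns_txn"]);
	}

# The echoed question arrives before any answer record.
event dns_query_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	local t = get_txn(c, msg);
	t$query = query;
	}

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	local t = get_txn(c, msg);
	add t$addrs[a];
	++t$seen_rrs;
	}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	local t = get_txn(c, msg);
	add t$addrs[a];
	++t$seen_rrs;
	}

event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
	{
	local t = get_txn(c, msg);
	t$cnames[|t$cnames|] = name;
	++t$seen_rrs;
	}

# dns_end is the last dns_* event for the message, so the record is complete.
# Requests (QR == F) never collected anything and are skipped.
event dns_end(c: connection, msg: dns_msg)
	{
	if ( ! msg$QR || [c$uid, msg$id] !in pending )
		return;

	Log::write(LOG, pending[c$uid, msg$id]);
	delete pending[c$uid, msg$id];
	}
```

Keying on ``c$uid`` alone is not enough because a TCP DNS session or a reused UDP 5-tuple can carry several transactions; the transaction ID from ``msg$id`` disambiguates them.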
.. bro:id:: dns_full_request

   :Type: :bro:type:`event` ()

   Deprecated. Will be removed.

   .. todo:: Unclear what this event is for; it's never raised. We should just
      remove it.

.. bro:id:: dns_message

   :Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, msg: :bro:type:`dns_msg`, len: :bro:type:`count`)

   Generated for all DNS messages.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :is_orig: True if the message was sent by the originator of the connection.

   :msg: The parsed DNS message header.

   :len: The length of the message's raw representation (i.e., the DNS payload).

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
      dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
      dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_query_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)

   Generated for each entry in the Question section of a DNS reply, i.e., for
   the question the server echoes back; the answers themselves follow in
   separate ``dns_*_reply`` events.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :query: The queried name.

   :qtype: The queried resource record type.

   :qclass: The queried resource record class.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
      dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
      dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

.. bro:id:: dns_rejected

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)

   Generated for DNS replies that reject a query. This event is raised for a
   reply that carries no answer records at all, which is how a server signals
   that it refused or could not resolve the query; the reason is in
   ``msg$rcode`` (for example 3 for NXDOMAIN, 5 for REFUSED, 2 for SERVFAIL).
   Note that all of the event's parameters are parsed out of the reply;
   there is no stateful correlation with the original request.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :query: The queried name.

   :qtype: The queried resource record type.

   :qclass: The queried resource record class.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
      dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

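The script below is an added example rather than Bro's own code. It counts failed lookups per client from ``dns_rejected`` and raises a notice once a client accumulates too many in a short window, a pattern typical of DGA malware or misconfigured hosts. Because an NXDOMAIN reply that carries the zone's SOA in its Authority section is not empty and therefore (assuming the split described above holds) reaches ``dns_query_reply`` instead, the script checks ``msg$rcode`` there as well. The threshold, the window and the ``DNSFailures`` module name are placeholders.

```bro
# Added example (not Bro's own code): count failed lookups per client and
# raise a notice when a client collects too many within a short window.
@load base/frameworks/notice

module DNSFailures;

export {
	redef enum Notice::Type += {
		## A client received more failed DNS replies than rejected_threshold
		## within rejected_window.
		Excessive_Failures,
	};

	## Assumed tuning values; redef them for your network.
	const rejected_threshold = 50 &redef;
	const rejected_window = 5min &redef;
}

# Failures per client; the entry disappears rejected_window after creation.
global failures: table[addr] of count &create_expire=rejected_window &default=0;

# rcode names from RFC 1035 for the notice message.
const rcode_names: table[count] of string = {
	[1] = "FORMERR", [2] = "SERVFAIL", [3] = "NXDOMAIN",
	[4] = "NOTIMP",  [5] = "REFUSED",
} &default="rcode?";

function record_failure(c: connection, msg: dns_msg, query: string)
	{
	# For a reply the originator of the connection is the client.
	local client = c$id$orig_h;
	failures[client] = failures[client] + 1;

	if ( failures[client] == rejected_threshold )
		NOTICE([$note=Excessive_Failures,
		        $msg=fmt("%s: %d failed lookups in %s, last %s for %s",
		                 client, failures[client], rejected_window,
		                 rcode_names[msg$rcode], query),
		        $conn=c,
		        $identifier=cat(client),
		        $suppress_for=rejected_window]);
	}

# Replies with no answer records at all arrive here, whatever rcode the
# server chose.
event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	record_failure(c, msg, query);
	}

# Assumption: a negative reply that still carries records (e.g. NXDOMAIN
# with the zone's SOA in the Authority section) is delivered as
# dns_query_reply rather than dns_rejected, so failures are caught by rcode.
event dns_query_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	if ( msg$rcode != 0 )
		record_failure(c, msg, query);
	}
```

The notice fires exactly once per window because the counter is compared for equality with the threshold and ``$suppress_for`` covers the rest of the window; a noisy resolver that returns REFUSED for every query will therefore surface as one notice per client rather than one per reply.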
.. bro:id:: dns_request

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, query: :bro:type:`string`, qtype: :bro:type:`count`, qclass: :bro:type:`count`)

   Generated for DNS requests. For requests with multiple queries, this event
   is raised once for each.

   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
   information about the DNS protocol. Bro analyzes both UDP and TCP DNS
   sessions.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :query: The queried name.

   :qtype: The queried resource record type.

   :qclass: The queried resource record class.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
      dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
      dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
      dns_skip_all_addl dns_skip_all_auth dns_skip_auth

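An added example, not code from Bro: the script below applies length and label heuristics to the ``query`` and ``qtype`` parameters of ``dns_request`` to spot names that look like encoded data rather than host names, the usual shape of DNS tunnelling and exfiltration. The thresholds, the set of data-carrying query types and the ``DNSTunnel`` module name are assumed starting points to tune against your own traffic.

```bro
# Added example (not Bro's code): flag request names that look like data
# carried in DNS rather than host names. Thresholds are assumed starting
# points, not tuned values.
@load base/frameworks/notice

module DNSTunnel;

export {
	redef enum Notice::Type += {
		## A query name is unusually long, deep, or opaque for its query type.
		Suspicious_Query_Name,
	};

	const max_name_len  = 100 &redef;   # characters in the whole query name
	const max_label_len = 40  &redef;   # characters in any single label
	const max_labels    = 8   &redef;   # number of labels
	## Query types that carry arbitrary data and are rare in normal traffic:
	## NULL (10), TXT (16) and ANY (255).
	const data_qtypes: set[count] = { 10, 16, 255 } &redef;
}

type Verdict: record {
	suspicious: bool;
	reason:     string;
};

# Examine one query name; kept free of side effects so it can be reused.
function inspect_name(query: string, qtype: count): Verdict
	{
	if ( |query| > max_name_len )
		return [$suspicious=T, $reason=fmt("name length %d", |query|)];

	local labels = split_string(query, /\./);
	if ( |labels| > max_labels )
		return [$suspicious=T, $reason=fmt("%d labels", |labels|)];

	for ( i in labels )
		{
		if ( |labels[i]| > max_label_len )
			return [$suspicious=T, $reason=fmt("label length %d", |labels[i]|)];
		}

	# A longish alphanumeric-only leftmost label combined with a data-carrying
	# query type is the classic tunnel request shape.
	if ( qtype in data_qtypes && |labels[0]| > max_label_len / 2 &&
	     labels[0] == /[0-9a-z]+/ )
		return [$suspicious=T,
		        $reason=fmt("qtype %d with %d-char opaque label", qtype, |labels[0]|)];

	return [$suspicious=F, $reason=""];
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	local v = inspect_name(to_lower(query), qtype);
	if ( ! v$suspicious )
		return;

	NOTICE([$note=Suspicious_Query_Name,
	        $msg=fmt("%s asked for %s (%s)", c$id$orig_h, query, v$reason),
	        $conn=c,
	        $identifier=cat(c$id$orig_h),
	        $suppress_for=10min]);
	}
```

The checks are ordered from cheapest to most specific, and ``$suppress_for`` keyed on the client keeps a single tunnelling host from producing one notice per request; pair this with the TXT reply sizes from ``dns_TXT_reply`` if you also want to catch the downstream direction.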
.. bro:id:: dns_unknown_reply

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`dns_msg`, ans: :bro:type:`dns_answer`)

   Generated for a resource record in a DNS reply whose type Bro does not
   know how to parse, so no more specific ``dns_*_reply`` event is raised for
   it. The numeric record type is still available in ``ans$qtype``, which is
   enough to spot unusual types without decoding their RDATA.

   :c: The connection, which may be UDP or TCP depending on the type of the
       transport-layer session being analyzed.

   :msg: The parsed DNS message header.

   :ans: The type-independent part of the parsed answer record.

   .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
      dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end

.. bro:id:: non_dns_request

   :Type: :bro:type:`event` (c: :bro:type:`connection`, msg: :bro:type:`string`)

   Deprecated.

   :c: The connection.

   :msg: The raw DNS payload.

   .. note:: This event is deprecated and superseded by Bro's dynamic protocol
      detection framework.
