base/bif/plugins/Zeek_POP3.events.bif.zeek

GLOBAL
Namespace: GLOBAL

Summary

Events

pop3_data: event

Generated for server-side multi-line responses on POP3 connections.

pop3_login_failure: event

Generated for unsuccessful authentications on POP3 connections.

pop3_login_success: event

Generated for successful authentications on POP3 connections.

pop3_reply: event

Generated for server-side replies to commands on POP3 connections.

pop3_request: event

Generated for client-side commands on POP3 connections.

pop3_starttls: event

Generated when a POP3 connection switches to encryption.

pop3_unexpected: event

Generated for errors encountered on POP3 sessions.

Detailed Interface

Events

pop3_data
Type

event (c: connection, is_orig: bool, data: string)

Generated for server-side multi-line responses on POP3 connections. POP3 connections use multi-line responses to send bulk data, such as the actual mails. This event is generated once for each line that’s part of such a response.

See Wikipedia for more information about the POP3 protocol.

Parameters
  • c – The connection.

  • is_orig – True if the data was sent by the originator of the TCP connection.

  • data – The data sent.

See also: pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_login_failure
Type

event (c: connection, is_orig: bool, user: string, password: string)

Generated for unsuccessful authentications on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

Parameters
  • c – The connection.

  • is_orig – Always false.

  • user – The user name attempted for authentication. The event is only generated if a non-empty user name was used.

  • password – The password attempted for authentication.

See also: pop3_data, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
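The following added example (not part of the Zeek distribution or this reference) registers a port for the POP3 analyzer, as the note above requires, and counts `pop3_login_failure` events per client to raise a notice. The module name `POP3Watch`, the notice type, port 110/tcp, and the threshold and window values are assumptions made for illustration.

```zeek
# Added example; not part of the Zeek distribution.
@load base/frameworks/notice

module POP3Watch;

export {
	redef enum Notice::Type += { Login_Failures };

	## Assumed tuning values; adjust for the monitored network.
	const failure_threshold = 5 &redef;
	const failure_window = 10min &redef;
	## Assumed POP3 port(s) to attach the analyzer to.
	const ports: set[port] = { 110/tcp } &redef;
}

# Failed logins per client; an entry expires failure_window after creation.
global failures: table[addr] of count &create_expire=failure_window;

event zeek_init()
	{
	# The analyzer is not activated by default, so register a port for it.
	Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
	}

event pop3_login_failure(c: connection, is_orig: bool, user: string, password: string)
	{
	local client = c$id$orig_h;

	if ( client !in failures )
		failures[client] = 0;

	++failures[client];

	# Fire once per window, exactly when the threshold is reached.
	if ( failures[client] != failure_threshold )
		return;

	# The password parameter is deliberately left out of the notice so
	# that attempted credentials do not end up in notice.log.
	NOTICE([$note=Login_Failures, $conn=c, $src=client,
	        $msg=fmt("%s reached %d failed POP3 logins (last user: %s)",
	                 client, failure_threshold, user),
	        $identifier=cat(client)]);
	}
```

Once `pop3_starttls` fires for a connection, the analyzer stops processing it, so this counter only sees clear-text POP3 sessions.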

pop3_login_success
Type

event (c: connection, is_orig: bool, user: string, password: string)

Generated for successful authentications on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

Parameters
  • c – The connection.

  • is_orig – Always false.

  • user – The user name used for authentication. The event is only generated if a non-empty user name was used.

  • password – The password used for authentication.

See also: pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_unexpected

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_reply
Type

event (c: connection, is_orig: bool, cmd: string, msg: string)

Generated for server-side replies to commands on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

Parameters
  • c – The connection.

  • is_orig – True if the command was sent by the originator of the TCP connection.

  • cmd – The success indicator sent by the server. This corresponds to the first token on the line sent, and should be either OK or ERR.

  • msg – The textual description the server sent along with cmd.

See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_request, pop3_unexpected

Todo

This event is receiving odd parameters, should unify.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_request
Type

event (c: connection, is_orig: bool, command: string, arg: string)

Generated for client-side commands on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

Parameters
  • c – The connection.

  • is_orig – True if the command was sent by the originator of the TCP connection.

  • command – The command sent.

  • arg – The argument to the command.

See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_unexpected

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_starttls
Type

event (c: connection)

Generated when a POP3 connection switches to encryption. While POP3 is by default a clear-text protocol, extensions exist to switch to encryption. This event is generated when that happens; the analyzer then stops processing the connection.

See Wikipedia for more information about the POP3 protocol.

Parameters
  • c – The connection.

See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_unexpected
Type

event (c: connection, is_orig: bool, msg: string, detail: string)

Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds state transitions that do not conform to the protocol specification, or other situations it can’t handle, it raises this event.

See Wikipedia for more information about the POP3 protocol.

Parameters
  • c – The connection.

  • is_orig – True if the data was sent by the originator of the TCP connection.

  • msg – A textual description of the situation.

  • detail – The input that triggered the event.

See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.