base/bif/plugins/Zeek_SMTP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary

Events

smtp_data: event

Generated for DATA transmitted on SMTP sessions.

smtp_reply: event

Generated for server-side SMTP commands.

smtp_request: event

Generated for client-side SMTP commands.

smtp_starttls: event

Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS.

smtp_unexpected: event

Generated for unexpected activity on SMTP sessions.

Detailed Interface

Events

smtp_data
Type

event (c: connection, is_orig: bool, data: string)

Generated for DATA transmitted on SMTP sessions. This event is raised for subsequent chunks of raw data following the DATA SMTP command until the corresponding end marker . is seen. A handler may want to reassemble the pieces as they come in if stream-analysis is required.

See Wikipedia for more information about the SMTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the sender of the data is the originator of the TCP connection.

  • data – The raw data. Note that the size of each chunk is undefined and depends on specifics of the underlying TCP connection.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_reply, smtp_request, skip_smtp_data

Note

This event receives the unprocessed raw data. There is a separate set of mime_* events that strip out the outer MIME-layer of emails and provide structured access to their content.

smtp_reply
Type

event (c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool)

Generated for server-side SMTP commands.

See Wikipedia for more information about the SMTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “reply” might still come from the TCP-level originator. In practice, however, that will rarely happen as TURN is considered insecure and rarely used.

  • code – The reply’s numerical code.

  • cmd – TODO.

  • msg – The reply’s textual description.

  • cont_resp – True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, smtp_request

Note

Zeek doesn’t support the newer ETRN extension yet.

smtp_request
Type

event (c: connection, is_orig: bool, command: string, arg: string)

Generated for client-side SMTP commands.

See Wikipedia for more information about the SMTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “request” might still come from the TCP-level responder. In practice, however, that will rarely happen as TURN is considered insecure and rarely used.

  • command – The request’s command, without any arguments.

  • arg – The request command’s arguments.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, smtp_reply

Note

Zeek does not support the newer ETRN extension yet.

smtp_starttls
Type

event (c: connection)

Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS. After this event no more SMTP events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.

Parameters

c – The connection.

smtp_unexpected
Type

event (c: connection, is_orig: bool, msg: string, detail: string)

Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the state of SMTP sessions and reports commands and other activity with this event that it sees even though it would not expect so at the current point of the communication.

See Wikipedia for more information about the SMTP protocol.

Parameters
  • c – The connection.

  • is_orig – True if the sender of the unexpected activity is the originator of the TCP connection.

  • msg – A descriptive message of what was unexpected.

  • detail – The actual SMTP line triggering the event.

See also: smtp_data, smtp_request, smtp_reply