Protocol Analyzers
- Analyzer::Tag
- Type: enum
- Analyzer::ANALYZER_BITTORRENT
- Analyzer::ANALYZER_BITTORRENTTRACKER
- Analyzer::ANALYZER_CONNSIZE
- Analyzer::ANALYZER_DCE_RPC
- Analyzer::ANALYZER_DHCP
- Analyzer::ANALYZER_DNP3_TCP
- Analyzer::ANALYZER_DNP3_UDP
- Analyzer::ANALYZER_CONTENTS_DNS
- Analyzer::ANALYZER_DNS
- Analyzer::ANALYZER_FTP_DATA
- Analyzer::ANALYZER_FTP
- Analyzer::ANALYZER_FTP_ADAT
- Analyzer::ANALYZER_GNUTELLA
- Analyzer::ANALYZER_GSSAPI
- Analyzer::ANALYZER_HTTP
- Analyzer::ANALYZER_ICMP
- Analyzer::ANALYZER_IDENT
- Analyzer::ANALYZER_IMAP
- Analyzer::ANALYZER_IRC
- Analyzer::ANALYZER_IRC_DATA
- Analyzer::ANALYZER_KRB
- Analyzer::ANALYZER_KRB_TCP
- Analyzer::ANALYZER_CONTENTS_RLOGIN
- Analyzer::ANALYZER_CONTENTS_RSH
- Analyzer::ANALYZER_LOGIN
- Analyzer::ANALYZER_NVT
- Analyzer::ANALYZER_RLOGIN
- Analyzer::ANALYZER_RSH
- Analyzer::ANALYZER_TELNET
- Analyzer::ANALYZER_MODBUS
- Analyzer::ANALYZER_MQTT
- Analyzer::ANALYZER_MYSQL
- Analyzer::ANALYZER_CONTENTS_NCP
- Analyzer::ANALYZER_NCP
- Analyzer::ANALYZER_CONTENTS_NETBIOSSSN
- Analyzer::ANALYZER_NETBIOSSSN
- Analyzer::ANALYZER_NTLM
- Analyzer::ANALYZER_NTP
- Analyzer::ANALYZER_PIA_TCP
- Analyzer::ANALYZER_PIA_UDP
- Analyzer::ANALYZER_POP3
- Analyzer::ANALYZER_RADIUS
- Analyzer::ANALYZER_RDP
- Analyzer::ANALYZER_RDPEUDP
- Analyzer::ANALYZER_RFB
- Analyzer::ANALYZER_CONTENTS_NFS
- Analyzer::ANALYZER_CONTENTS_RPC
- Analyzer::ANALYZER_MOUNT
- Analyzer::ANALYZER_NFS
- Analyzer::ANALYZER_PORTMAPPER
- Analyzer::ANALYZER_SIP
- Analyzer::ANALYZER_CONTENTS_SMB
- Analyzer::ANALYZER_SMB
- Analyzer::ANALYZER_SMTP
- Analyzer::ANALYZER_SMTP_BDAT
- Analyzer::ANALYZER_SNMP
- Analyzer::ANALYZER_SOCKS
- Analyzer::ANALYZER_FINGER
- Analyzer::ANALYZER_LDAP_TCP
- Analyzer::ANALYZER_LDAP_UDP
- Analyzer::ANALYZER_QUIC
- Analyzer::ANALYZER_SYSLOG
- Analyzer::ANALYZER_SPICY_WEBSOCKET
- Analyzer::ANALYZER_SSH
- Analyzer::ANALYZER_DTLS
- Analyzer::ANALYZER_SSL
- Analyzer::ANALYZER_CONTENTLINE
- Analyzer::ANALYZER_CONTENTS
- Analyzer::ANALYZER_TCPSTATS
- Analyzer::ANALYZER_TCP
- Analyzer::ANALYZER_UDP
- Analyzer::ANALYZER_WEBSOCKET
- Analyzer::ANALYZER_XMPP
- Analyzer::ANALYZER_ZIP
- AllAnalyzers::Tag
- Type: enum
- AllAnalyzers::PACKETANALYZER_ANALYZER_ARP
- AllAnalyzers::PACKETANALYZER_ANALYZER_AYIYA
- AllAnalyzers::ANALYZER_ANALYZER_BITTORRENT
- AllAnalyzers::ANALYZER_ANALYZER_BITTORRENTTRACKER
- AllAnalyzers::ANALYZER_ANALYZER_CONNSIZE
- AllAnalyzers::ANALYZER_ANALYZER_DCE_RPC
- AllAnalyzers::ANALYZER_ANALYZER_DHCP
- AllAnalyzers::ANALYZER_ANALYZER_DNP3_TCP
- AllAnalyzers::ANALYZER_ANALYZER_DNP3_UDP
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_DNS
- AllAnalyzers::ANALYZER_ANALYZER_DNS
- AllAnalyzers::PACKETANALYZER_ANALYZER_ETHERNET
- AllAnalyzers::PACKETANALYZER_ANALYZER_FDDI
- AllAnalyzers::ANALYZER_ANALYZER_FTP_DATA
- AllAnalyzers::FILES_ANALYZER_DATA_EVENT
- AllAnalyzers::FILES_ANALYZER_ENTROPY
- AllAnalyzers::FILES_ANALYZER_EXTRACT
- AllAnalyzers::FILES_ANALYZER_MD5
- AllAnalyzers::FILES_ANALYZER_SHA1
- AllAnalyzers::FILES_ANALYZER_SHA256
- AllAnalyzers::ANALYZER_ANALYZER_FTP
- AllAnalyzers::ANALYZER_ANALYZER_FTP_ADAT
- AllAnalyzers::PACKETANALYZER_ANALYZER_GENEVE
- AllAnalyzers::ANALYZER_ANALYZER_GNUTELLA
- AllAnalyzers::PACKETANALYZER_ANALYZER_GRE
- AllAnalyzers::ANALYZER_ANALYZER_GSSAPI
- AllAnalyzers::PACKETANALYZER_ANALYZER_GTPV1
- AllAnalyzers::ANALYZER_ANALYZER_HTTP
- AllAnalyzers::PACKETANALYZER_ANALYZER_ICMP
- AllAnalyzers::ANALYZER_ANALYZER_ICMP
- AllAnalyzers::ANALYZER_ANALYZER_IDENT
- AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11
- AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11_RADIO
- AllAnalyzers::ANALYZER_ANALYZER_IMAP
- AllAnalyzers::PACKETANALYZER_ANALYZER_IP
- AllAnalyzers::PACKETANALYZER_ANALYZER_IPTUNNEL
- AllAnalyzers::ANALYZER_ANALYZER_IRC
- AllAnalyzers::ANALYZER_ANALYZER_IRC_DATA
- AllAnalyzers::ANALYZER_ANALYZER_KRB
- AllAnalyzers::ANALYZER_ANALYZER_KRB_TCP
- AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL
- AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL2
- AllAnalyzers::PACKETANALYZER_ANALYZER_LLC
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RLOGIN
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RSH
- AllAnalyzers::ANALYZER_ANALYZER_LOGIN
- AllAnalyzers::ANALYZER_ANALYZER_NVT
- AllAnalyzers::ANALYZER_ANALYZER_RLOGIN
- AllAnalyzers::ANALYZER_ANALYZER_RSH
- AllAnalyzers::ANALYZER_ANALYZER_TELNET
- AllAnalyzers::ANALYZER_ANALYZER_MODBUS
- AllAnalyzers::PACKETANALYZER_ANALYZER_MPLS
- AllAnalyzers::ANALYZER_ANALYZER_MQTT
- AllAnalyzers::ANALYZER_ANALYZER_MYSQL
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NCP
- AllAnalyzers::ANALYZER_ANALYZER_NCP
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NETBIOSSSN
- AllAnalyzers::ANALYZER_ANALYZER_NETBIOSSSN
- AllAnalyzers::PACKETANALYZER_ANALYZER_NFLOG
- AllAnalyzers::PACKETANALYZER_ANALYZER_NOVELL_802_3
- AllAnalyzers::ANALYZER_ANALYZER_NTLM
- AllAnalyzers::ANALYZER_ANALYZER_NTP
- AllAnalyzers::PACKETANALYZER_ANALYZER_NULL
- AllAnalyzers::PACKETANALYZER_ANALYZER_PBB
- AllAnalyzers::FILES_ANALYZER_PE
- AllAnalyzers::ANALYZER_ANALYZER_PIA_TCP
- AllAnalyzers::ANALYZER_ANALYZER_PIA_UDP
- AllAnalyzers::ANALYZER_ANALYZER_POP3
- AllAnalyzers::PACKETANALYZER_ANALYZER_PPP
- AllAnalyzers::PACKETANALYZER_ANALYZER_PPPOE
- AllAnalyzers::PACKETANALYZER_ANALYZER_PPPSERIAL
- AllAnalyzers::ANALYZER_ANALYZER_RADIUS
- AllAnalyzers::ANALYZER_ANALYZER_RDP
- AllAnalyzers::ANALYZER_ANALYZER_RDPEUDP
- AllAnalyzers::ANALYZER_ANALYZER_RFB
- AllAnalyzers::PACKETANALYZER_ANALYZER_ROOT
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NFS
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RPC
- AllAnalyzers::ANALYZER_ANALYZER_MOUNT
- AllAnalyzers::ANALYZER_ANALYZER_NFS
- AllAnalyzers::ANALYZER_ANALYZER_PORTMAPPER
- AllAnalyzers::ANALYZER_ANALYZER_SIP
- AllAnalyzers::PACKETANALYZER_ANALYZER_SKIP
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_SMB
- AllAnalyzers::ANALYZER_ANALYZER_SMB
- AllAnalyzers::ANALYZER_ANALYZER_SMTP
- AllAnalyzers::ANALYZER_ANALYZER_SMTP_BDAT
- AllAnalyzers::PACKETANALYZER_ANALYZER_SNAP
- AllAnalyzers::ANALYZER_ANALYZER_SNMP
- AllAnalyzers::ANALYZER_ANALYZER_SOCKS
- AllAnalyzers::ANALYZER_ANALYZER_FINGER
- AllAnalyzers::ANALYZER_ANALYZER_LDAP_TCP
- AllAnalyzers::ANALYZER_ANALYZER_LDAP_UDP
- AllAnalyzers::ANALYZER_ANALYZER_QUIC
- AllAnalyzers::ANALYZER_ANALYZER_SYSLOG
- AllAnalyzers::ANALYZER_ANALYZER_SPICY_WEBSOCKET
- AllAnalyzers::ANALYZER_ANALYZER_SSH
- AllAnalyzers::ANALYZER_ANALYZER_DTLS
- AllAnalyzers::ANALYZER_ANALYZER_SSL
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTLINE
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS
- AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS
- AllAnalyzers::PACKETANALYZER_ANALYZER_TCP
- AllAnalyzers::ANALYZER_ANALYZER_TCP
- AllAnalyzers::PACKETANALYZER_ANALYZER_TEREDO
- AllAnalyzers::PACKETANALYZER_ANALYZER_UDP
- AllAnalyzers::ANALYZER_ANALYZER_UDP
- AllAnalyzers::PACKETANALYZER_ANALYZER_VLAN
- AllAnalyzers::PACKETANALYZER_ANALYZER_VNTAG
- AllAnalyzers::PACKETANALYZER_ANALYZER_VXLAN
- AllAnalyzers::ANALYZER_ANALYZER_WEBSOCKET
- AllAnalyzers::FILES_ANALYZER_OCSP_REPLY
- AllAnalyzers::FILES_ANALYZER_OCSP_REQUEST
- AllAnalyzers::FILES_ANALYZER_X509
- AllAnalyzers::ANALYZER_ANALYZER_XMPP
- AllAnalyzers::ANALYZER_ANALYZER_ZIP
Zeek::BitTorrent
BitTorrent Analyzer
Components
Events
- bittorrent_peer_handshake
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_keep_alive
- Type: event(c: connection, is_orig: bool)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_choke
- Type: event(c: connection, is_orig: bool)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_unchoke
- Type: event(c: connection, is_orig: bool)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_interested
- Type: event(c: connection, is_orig: bool)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_not_interested
- Type: event(c: connection, is_orig: bool)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_have
- Type: event(c: connection, is_orig: bool, piece_index: count)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_bitfield
- Type: event(c: connection, is_orig: bool, bitfield: string)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_request
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_piece
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_cancel
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_port
- Type: event(c: connection, is_orig: bool, listen_port: port)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_unknown
- Type: event(c: connection, is_orig: bool, message_id: count, data: string)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_weird
- bittorrent_peer_weird
- Type: event(c: connection, is_orig: bool, msg: string)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown
- bt_tracker_request
- Type: event(c: connection, uri: string, headers: bt_tracker_headers)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bt_tracker_response
- Type: event(c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bt_tracker_response_not_ok
- Type: event(c: connection, status: count, headers: bt_tracker_headers)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bt_tracker_weird
- Type: event(c: connection, is_orig: bool, msg: string)
  TODO. See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
Zeek::ConnSize
Connection size analyzer
Components
Events
- conn_bytes_threshold_crossed
- Type: event(c: connection, threshold: count, is_orig: bool)
  Generated for a connection that crossed a set byte threshold. Note that this is a low-level event that user code should usually avoid. Use ConnThreshold::bytes_threshold_crossed instead.
- Parameters
  c – the connection
  threshold – the threshold that was set
  is_orig – true if the threshold was crossed by the originator of the connection
  See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- conn_packets_threshold_crossed
- Type: event(c: connection, threshold: count, is_orig: bool)
  Generated for a connection that crossed a set packet threshold. Note that this is a low-level event that user code should usually avoid. Use ConnThreshold::packets_threshold_crossed instead.
- Parameters
  c – the connection
  threshold – the threshold that was set
  is_orig – true if the threshold was crossed by the originator of the connection
  See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- conn_duration_threshold_crossed
- Type: event(c: connection, threshold: interval, is_orig: bool)
  Generated for a connection that crossed a set duration threshold. Note that this is a low-level event that user code should usually avoid. Use ConnThreshold::duration_threshold_crossed instead.
  Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.
- Parameters
  c – the connection
  threshold – the threshold that was set
  is_orig – true if the threshold was crossed by the originator of the connection
  See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
Functions
- set_current_conn_bytes_threshold
  Sets the current byte threshold for connection sizes, overwriting any old threshold. Be aware that in nearly every case you will want to use the high-level API instead (ConnThreshold::set_bytes_threshold).
- Parameters
  cid – The connection id.
  threshold – Threshold in bytes.
  is_orig – If true, the threshold is set for bytes from the originator, otherwise for bytes from the responder.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- set_current_conn_packets_threshold
  Sets the current packet threshold for a connection, overwriting any old threshold. Be aware that in nearly every case you will want to use the high-level API instead (ConnThreshold::set_packets_threshold).
- Parameters
  cid – The connection id.
  threshold – Threshold in packets.
  is_orig – If true, the threshold is set for packets from the originator, otherwise for packets from the responder.
  See also: set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- set_current_conn_duration_threshold
  Sets the current duration threshold for a connection, overwriting any old threshold. Be aware that in nearly every case you will want to use the high-level API instead (ConnThreshold::set_duration_threshold).
- Parameters
  cid – The connection id.
  threshold – Threshold in seconds.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, get_current_conn_duration_threshold
- get_current_conn_bytes_threshold
  Gets the current byte threshold for a connection.
- Parameters
  cid – The connection id.
  is_orig – If true, the threshold of the originator, otherwise the threshold of the responder.
- Returns
  0 if no threshold is set, otherwise the threshold in bytes.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- get_current_conn_packets_threshold
  Gets the current packet threshold for a connection.
- Parameters
  cid – The connection id.
  is_orig – If true, the threshold of the originator, otherwise the threshold of the responder.
- Returns
  0 if no threshold is set, otherwise the threshold in packets.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- get_current_conn_duration_threshold
  Gets the current duration threshold for a connection.
- Parameters
  cid – The connection id.
- Returns
  0 if no threshold is set, otherwise the threshold in seconds.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold, set_current_conn_duration_threshold
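The entries above repeatedly point script writers at the high-level ConnThreshold API rather than the raw set_current_conn_*_threshold functions and conn_*_threshold_crossed events. The script below is an added example, not part of this reference page or of Zeek's own scripts, showing that API in use to flag unusually large or long-lived outbound connections. It assumes the ConnThreshold functions and events match those in base/protocols/conn/thresholds.zeek (set_bytes_threshold, set_packets_threshold, set_duration_threshold and their *_threshold_crossed events); the module name, threshold values and Notice type are choices made for the example.

```zeek
# Added example (not from the Zeek reference page): flag large or long-lived
# outbound connections using the high-level ConnThreshold API, which wraps the
# low-level set_current_conn_*_threshold functions and conn_*_threshold_crossed
# events documented above. Assumes base/protocols/conn/thresholds.zeek.

@load base/frameworks/notice
@load base/protocols/conn

module LargeUpload;

export {
    redef enum Notice::Type += {
        ## The originator of a connection sent more than bytes_threshold bytes.
        Large_Outbound_Transfer,
        ## A connection stayed open longer than duration_threshold.
        Long_Lived_Connection,
    };

    ## Originator-side byte count that makes a connection interesting
    ## (value chosen for this example; tune to the monitored network).
    const bytes_threshold: count = 50 * 1024 * 1024 &redef;

    ## Originator-side packet count that makes a connection interesting.
    const packets_threshold: count = 100000 &redef;

    ## Lifetime after which a connection is reported.
    const duration_threshold: interval = 1hr &redef;
}

event new_connection(c: connection)
    {
    # Only connections leaving the local network toward external hosts.
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;

    # is_orig=T: count bytes/packets from the originator only. The high-level
    # API installs the threshold on the connection and raises the
    # ConnThreshold::*_threshold_crossed events once each is passed.
    ConnThreshold::set_bytes_threshold(c, bytes_threshold, T);
    ConnThreshold::set_packets_threshold(c, packets_threshold, T);
    ConnThreshold::set_duration_threshold(c, duration_threshold);
    }

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    if ( ! is_orig )
        return;

    NOTICE([$note=Large_Outbound_Transfer,
            $conn=c,
            $msg=fmt("%s sent more than %d bytes to %s:%s",
                     c$id$orig_h, threshold, c$id$resp_h, c$id$resp_p),
            # Suppress repeats for the same client/server/port triple.
            $identifier=cat(c$id$orig_h, c$id$resp_h, c$id$resp_p)]);
    }

event ConnThreshold::packets_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    if ( is_orig )
        print fmt("%s crossed %d packets toward %s", c$id$orig_h, threshold, c$id$resp_h);
    }

# As documented above, the duration event fires on the next packet seen after
# the threshold is passed, so on an idle connection it can arrive late; the
# actual elapsed time is therefore taken from the connection record.
event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval)
    {
    NOTICE([$note=Long_Lived_Connection,
            $conn=c,
            $msg=fmt("connection to %s open for %s (threshold %s)",
                     c$id$resp_h, c$duration, threshold),
            $identifier=cat(c$id$orig_h, c$id$resp_h, c$id$resp_p)]);
    }
```

Site::is_local_addr depends on Site::local_nets being configured; without it every address is treated as non-local and no thresholds are installed, which is a common reason such a script appears to do nothing.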
Zeek::DCE_RPC
DCE-RPC analyzer
Components
Options/Constants
- DCE_RPC::max_cmd_reassembly
  The maximum number of simultaneously fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.
- DCE_RPC::max_frag_data
  The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before it generates a weird and skips further input.
Types
- DCE_RPC::PType
- Type: enum
  - DCE_RPC::REQUEST
  - DCE_RPC::PING
  - DCE_RPC::RESPONSE
  - DCE_RPC::FAULT
  - DCE_RPC::WORKING
  - DCE_RPC::NOCALL
  - DCE_RPC::REJECT
  - DCE_RPC::ACK
  - DCE_RPC::CL_CANCEL
  - DCE_RPC::FACK
  - DCE_RPC::CANCEL_ACK
  - DCE_RPC::BIND
  - DCE_RPC::BIND_ACK
  - DCE_RPC::BIND_NAK
  - DCE_RPC::ALTER_CONTEXT
  - DCE_RPC::ALTER_CONTEXT_RESP
  - DCE_RPC::AUTH3
  - DCE_RPC::SHUTDOWN
  - DCE_RPC::CO_CANCEL
  - DCE_RPC::ORPHANED
  - DCE_RPC::RTS
Events
- dce_rpc_message
- Type: event(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)
  Generated for every DCE-RPC message.
- Parameters
  c – The connection.
  is_orig – True if the message was sent by the originator of the TCP connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ptype_id – Numeric representation of the procedure type of the message.
  ptype – Enum representation of the procedure type of the message.
  See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response
- dce_rpc_bind
- Type: event(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
  Generated for every DCE-RPC bind request message. Since RPC allows a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
- Parameters
  c – The connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id – The context identifier of the data representation.
  uuid – The UUID of the endpoint being requested, as a string.
  ver_major – The major version of the endpoint being requested.
  ver_minor – The minor version of the endpoint being requested.
  See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response
- dce_rpc_alter_context
- Type: event(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
  Generated for every DCE-RPC alter context request message. Since RPC allows a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
- Parameters
  c – The connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id – The context identifier of the data representation.
  uuid – The UUID of the endpoint being requested, as a string.
  ver_major – The major version of the endpoint being requested.
  ver_minor – The minor version of the endpoint being requested.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp
- dce_rpc_bind_ack
- Type: event(c: connection, fid: count, sec_addr: string)
  Generated for every DCE-RPC bind acknowledgement message.
- Parameters
  c – The connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  sec_addr – Secondary address for the ack.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response
- dce_rpc_alter_context_resp
- Type: event(c: connection, fid: count)
  Generated for every DCE-RPC alter context response message.
- Parameters
  c – The connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context
- dce_rpc_request
  Generated for every DCE-RPC request message.
- Parameters
  c – The connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id – The context identifier of the data representation.
  opnum – Number of the RPC operation.
  stub_len – Length of the data for the request.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response, dce_rpc_request_stub
- dce_rpc_response
  Generated for every DCE-RPC response message.
- Parameters
  c – The connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id – The context identifier of the data representation.
  opnum – Number of the RPC operation.
  stub_len – Length of the data for the response.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response_stub
- dce_rpc_request_stub
  Generated for every DCE-RPC request message, carrying the stub data.
- Parameters
  c – The connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id – The context identifier of the data representation.
  opnum – Number of the RPC operation.
  stub – The data for the request.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response_stub, dce_rpc_request
- dce_rpc_response_stub
  Generated for every DCE-RPC response message, carrying the stub data.
- Parameters
  c – The connection.
  fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id – The context identifier of the data representation.
  opnum – Number of the RPC operation.
  stub – The data for the response.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request_stub, dce_rpc_response
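A request message carries only a context id and an opnum; which interface the operation belongs to is known only from the earlier bind (or alter-context) message that announced that context id, and a bind can announce several context ids at once, which is why the bind events fire more than once per message. The script below is an added example, not part of this reference page or of Zeek's own DCE-RPC scripts (which keep a similar mapping for dce_rpc.log), that keeps that mapping per connection, attributes each request to its interface UUID, and reports binds the server refuses with BIND_NAK. The event signatures follow the entries above; the module name, the per-connection State record and the Notice type are this example's own, and the dce_rpc_request signature is assumed to be (c, fid, ctx_id, opnum, stub_len) as its parameter list states.

```zeek
# Added example (not from the Zeek reference page): correlate DCE-RPC requests
# with the interface their context id was bound to, and surface rejected binds.
# Event signatures follow the reference entries above; State, the module name
# and the Notice type are invented for this example.

@load base/frameworks/notice
@load base/protocols/dce-rpc

module DCERPCWatch;

export {
    redef enum Notice::Type += {
        ## The server answered a bind with BIND_NAK (interface not offered).
        Bind_Rejected,
    };

    type State: record {
        ## ctx_id -> interface UUID, filled from bind / alter-context requests.
        ctx_uuids: table[count] of string &default="";
        ## Number of bind and alter-context requests seen on this connection.
        binds: count &default=0;
        ## Number of requests seen per interface UUID.
        calls: table[string] of count &default=0;
    };
}

redef record connection += {
    dcerpc_watch: State &optional;
};

function state(c: connection): State
    {
    if ( ! c?$dcerpc_watch )
        c$dcerpc_watch = State();
    return c$dcerpc_watch;
    }

# Each presentation context of a bind is announced separately, so a single
# bind PDU can trigger this event several times with different ctx_id values.
event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
    {
    local s = state(c);
    s$ctx_uuids[ctx_id] = uuid;
    ++s$binds;
    }

# Alter-context requests can add contexts after the initial bind.
event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
    {
    local s = state(c);
    s$ctx_uuids[ctx_id] = uuid;
    ++s$binds;
    }

# A request names only ctx_id and opnum; map it back to the interface.
event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
    {
    local s = state(c);
    local uuid = ctx_id in s$ctx_uuids ? s$ctx_uuids[ctx_id] : "<unbound ctx_id>";
    ++s$calls[uuid];
    print fmt("%s -> %s iface=%s opnum=%d stub_len=%d",
              c$id$orig_h, c$id$resp_h, uuid, opnum, stub_len);
    }

# The generic message event exposes the PDU type; BIND_NAK from the responder
# means it refused the requested interface or version.
event dce_rpc_message(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)
    {
    if ( is_orig || ptype != DCE_RPC::BIND_NAK )
        return;

    NOTICE([$note=Bind_Rejected,
            $conn=c,
            $msg=fmt("DCE-RPC bind rejected by %s after %d bind request(s)",
                     c$id$resp_h, state(c)$binds)]);
    }
```

Requests whose ctx_id was never announced land under "<unbound ctx_id>"; seeing many of those usually means the bind happened before capture started (or on a pipe the analyzer did not see), not that the client skipped the bind.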
Zeek::DHCP
DHCP analyzer
Components
Types
- DHCP::Msg
- Type: record
  - op: count
    Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
  - m_type: count
    The type of DHCP message.
  - xid: count
    Transaction ID of a DHCP session.
  - secs: interval
    Number of seconds since the client began the address acquisition or renewal process.
  - flags: count
  - ciaddr: addr
    Original IP address of the client.
  - yiaddr: addr
    IP address assigned to the client.
  - siaddr: addr
    IP address of the server.
  - giaddr: addr
    IP address of the relaying gateway.
  - chaddr: string
    Client hardware address.
  - sname: string &default="" &optional
    Server host name.
  - file_n: string &default="" &optional
    Boot file name.
  A DHCP message.
  See also: dhcp_message
- DHCP::Addrs
  A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.
  See also: dhcp_message
- DHCP::SubOpt
  DHCP Relay Agent Information Option (Option 82)
  See also: dhcp_message
- DHCP::SubOpts
- DHCP::ClientFQDN
  DHCP Client FQDN Option information (Option 81)
- DHCP::ClientID
  DHCP Client Identifier (Option 61)
  See also: dhcp_message
- DHCP::Options
- Type: record
  - options: index_vec &optional
    The ordered list of all DHCP option numbers.
  - subnet_mask: addr &optional
    Subnet Mask Value (option 1)
  - routers: DHCP::Addrs &optional
    Router addresses (option 3)
  - dns_servers: DHCP::Addrs &optional
    DNS Server addresses (option 6)
  - host_name: string &optional
    The Hostname of the client (option 12)
  - domain_name: string &optional
    The DNS domain name of the client (option 15)
  - forwarding: bool &optional
    Enable/Disable IP Forwarding (option 19)
  - broadcast: addr &optional
    Broadcast Address (option 28)
  - vendor: string &optional
    Vendor specific data. This can frequently be unparsed binary data. (option 43)
  - nbns: DHCP::Addrs &optional
    NETBIOS name server list (option 44)
  - addr_request: addr &optional
    Address requested by the client (option 50)
  - lease: interval &optional
    Lease time offered by the server. (option 51)
  - serv_addr: addr &optional
    Server address to allow clients to distinguish between lease offers. (option 54)
  - param_list: index_vec &optional
    DHCP Parameter Request list (option 55)
  - message: string &optional
    Textual error message (option 56)
  - max_msg_size: count &optional
    Maximum Message Size (option 57)
  - renewal_time: interval &optional
    This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)
  - rebinding_time: interval &optional
    This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)
  - vendor_class: string &optional
    This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)
  - client_id: DHCP::ClientID &optional
    DHCP Client Identifier (Option 61)
  - user_class: string &optional
    User Class opaque value (Option 77)
  - client_fqdn: DHCP::ClientFQDN &optional
    DHCP Client FQDN (Option 81)
  - sub_opt: DHCP::SubOpts &optional
    DHCP Relay Agent Information Option (Option 82)
  - auto_config: bool &optional
    Auto Config option to let the host know if it’s allowed to auto-assign an IP address. (Option 116)
  - auto_proxy_config: string &optional
    URL to find a proxy.pac for auto proxy config (Option 252)
  - time_offset: int &optional
    The offset of the client’s subnet in seconds from UTC. (Option 2)
  - time_servers: DHCP::Addrs &optional
    A list of RFC 868 time servers available to the client. (Option 4)
  - name_servers: DHCP::Addrs &optional
    A list of IEN 116 name servers available to the client. (Option 5)
  - ntp_servers: DHCP::Addrs &optional
    A list of IP addresses indicating NTP servers available to the client. (Option 42)
Events
- dhcp_message
- Type: event(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
  Generated for all DHCP messages.
- Parameters
  c – The connection record describing the underlying UDP flow.
  is_orig – Indicates whether the message came in a packet from the originator/client of the UDP flow (true) or from the responder/server (false).
  msg – The parsed type-independent part of the DHCP message. The message type is indicated in this record.
  options – The full set of supported and parsed DHCP options.
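Every DHCP message, request or reply, arrives through the single dhcp_message event above, with the BOOTP header in msg and the parsed options in options. The script below is an added example, not part of this reference page or of Zeek's own DHCP scripts, that uses those two records to report replies from DHCP servers that are not on an allow list (a rogue or misconfigured server handing out leases). It keys on the server identifier option (serv_addr, option 54) rather than on the IP header, because relayed and broadcast replies do not reliably carry the server's address there. The event signature and field names follow the entries above; the module name, the Notice type and the addresses in authorized_servers are constructed for the example.

```zeek
# Added example (not from the Zeek reference page): report DHCP replies whose
# server identifier is not on an allow list. dhcp_message and the DHCP::Msg /
# DHCP::Options fields follow the reference entries above; the module name,
# the Notice type and the allow-list addresses are constructed for this example.

@load base/frameworks/notice
@load base/protocols/dhcp

module DHCPWatch;

export {
    redef enum Notice::Type += {
        ## A BOOTREPLY carried a server identifier not in authorized_servers.
        Unauthorized_Server,
    };

    ## DHCP servers expected on the monitored network (constructed
    ## placeholder addresses; replace with the real ones).
    const authorized_servers: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;
}

# Unauthorized servers already reported, so each one is raised once rather
# than on every lease it hands out.
global reported_servers: set[addr];

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # op 2 = BOOTREPLY (server side); client requests (op 1) are skipped.
    if ( msg$op != 2 )
        return;

    # Option 54 names the server regardless of how the reply was delivered.
    # Replies without it cannot be attributed, so they are left alone here.
    if ( ! options?$serv_addr )
        return;

    local server = options$serv_addr;
    if ( server in authorized_servers || server in reported_servers )
        return;

    add reported_servers[server];

    NOTICE([$note=Unauthorized_Server,
            $conn=c,
            $msg=fmt("DHCP server %s (not in allow list) offered %s to client %s (xid %d, msg type %d)",
                     server, msg$yiaddr, msg$chaddr, msg$xid, msg$m_type),
            $identifier=cat(server)]);
    }
```

Because the check runs on every reply, a genuine server that is simply missing from authorized_servers shows up immediately after deployment, which is the intended way to discover the real list on a network whose DHCP inventory is uncertain.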
Zeek::DNP3
DNP3 UDP/TCP analyzers
Components
Events
- dnp3_application_request_header
- Type
event
(c:connection
, is_orig:bool
, application:count
, fc:count
)
Generated for a DNP3 request header.
- Parameters
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
application – The application control octet (FIR/FIN/CON/UNS flags and the sequence number).
fc – The function code.
- dnp3_application_response_header
-
Generated for a DNP3 response header.
- Parameters
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
fc – function code.
iin – internal indication number.
- dnp3_object_header
- Type
event
(c:connection
, is_orig:bool
, obj_type:count
, qua_field:count
, number:count
, rf_low:count
, rf_high:count
)
Generated for the object header found in both DNP3 requests and responses.
- Parameters
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
obj_type – type of object, which is classified based on an 8-bit group number and an 8-bit variation number.
qua_field – qualifier field.
number – TODO.
rf_low – The structure of the range field depends on the qualifier field. In some cases the range field holds only one logical part, e.g., the number of objects, so only rf_low carries a useful value.
rf_high – In other cases the range field holds two logical parts, e.g., a start index and a stop index, so rf_low carries the start index and rf_high the stop index.
- dnp3_object_prefix
- Type
event
(c:connection
, is_orig:bool
, prefix_value:count
)
Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.
- Parameters
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
prefix_value – The prefix.
- dnp3_header_block
- Type
event
(c:connection
, is_orig:bool
, len:count
, ctrl:count
, dest_addr:count
, src_addr:count
)
Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).
- Parameters
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
len – the “length” field in the DNP3 Pseudo Link Layer.
ctrl – the “control” field in the DNP3 Pseudo Link Layer.
dest_addr – the “destination” field in the DNP3 Pseudo Link Layer.
src_addr – the “source” field in the DNP3 Pseudo Link Layer.
- dnp3_response_data_object
- Type
event
(c:connection
, is_orig:bool
, data_value:count
)
Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.
- Parameters
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
data_value – The value for those objects that carry their information here directly.
- dnp3_attribute_common
- Type
event
(c:connection
, is_orig:bool
, data_type_code:count
, leng:count
, attribute_obj:string
)
Generated for DNP3 attributes.
- dnp3_crob
- Type
event
(c:connection
, is_orig:bool
, control_code:count
, count8:count
, on_time:count
, off_time:count
, status_code:count
)
Generated for DNP3 objects with group number 12 and variation number 1 (CROB, control relay output block).
- Parameters
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
control_code – The control code octet: operation type in the low four bits (NUL, PULSE_ON, PULSE_OFF, LATCH_ON, LATCH_OFF), queue and clear bits, and the trip/close code in the top two bits.
count8 – The number of times the operation is to be executed.
on_time – Time the output stays active, in milliseconds.
off_time – Time the output stays inactive, in milliseconds.
status_code – Status reported by the outstation; meaningful in responses, requests carry 0.
- dnp3_pcb
- Type
event
(c:connection
, is_orig:bool
, control_code:count
, count8:count
, on_time:count
, off_time:count
, status_code:count
)
Generated for DNP3 objects with group number 12 and variation number 2 (PCB, pattern control block). The fields have the same layout and meaning as for the CROB.
- Parameters
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
control_code – The control code octet, laid out as for the CROB.
count8 – The number of times the operation is to be executed.
on_time – Time the output stays active, in milliseconds.
off_time – Time the output stays inactive, in milliseconds.
status_code – Status reported by the outstation; meaningful in responses, requests carry 0.
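The request-header and CROB events above are the two hooks for watching who actuates outputs on an outstation. The script below is an added example, not part of Zeek’s DNP3 scripts: it raises a notice when a control-type function code arrives from a host outside a constructed master allowlist (192.168.50.10 is a placeholder), and it decodes the CROB control code into the operation and trip/close names from IEEE 1815. It assumes the DNP3::function_codes table that Zeek’s base/protocols/dnp3 scripts define; the notice name and module name are invented.

```zeek
@load base/frameworks/notice
@load base/protocols/dnp3

module DNP3Control;

export {
    redef enum Notice::Type += {
        ## A control request (SELECT/OPERATE/DIRECT_OPERATE/restart) came from a host that is not a known master.
        Control_From_Unknown_Master,
    };

    ## Constructed allowlist (assumption): hosts permitted to issue control requests to outstations.
    const known_masters: set[addr] = { 192.168.50.10 } &redef;

    ## Function codes that actuate outputs or disrupt the outstation.
    const control_fcs: set[count] = {
        3,   # SELECT
        4,   # OPERATE
        5,   # DIRECT_OPERATE
        6,   # DIRECT_OPERATE_NR
        13,  # COLD_RESTART
        14,  # WARM_RESTART
    };
}

# Function code of the most recent request on each connection, so that
# object-level events can be tied back to it.
global pending_fc: table[string] of count &create_expire=5min;

# CROB control code layout (IEEE 1815 g12v1): low nibble = operation type,
# bit 4 = queue, bit 5 = clear, top two bits = trip/close code.
const op_types: table[count] of string = {
    [0] = "NUL", [1] = "PULSE_ON", [2] = "PULSE_OFF", [3] = "LATCH_ON", [4] = "LATCH_OFF",
} &default = "reserved";
const trip_close: table[count] of string = { [0] = "", [1] = "CLOSE", [2] = "TRIP", [3] = "reserved" };

function decode_control_code(cc: count): string
    {
    local op = op_types[cc % 16];
    local tcc = trip_close[(cc / 64) % 4];
    return tcc == "" ? op : fmt("%s/%s", tcc, op);
    }

event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count)
    {
    if ( ! is_orig )
        return;

    pending_fc[c$uid] = fc;

    if ( fc in control_fcs && c$id$orig_h !in known_masters )
        NOTICE([$note=Control_From_Unknown_Master, $conn=c,
                $msg=fmt("%s sent %s (fc %d) to outstation %s",
                         c$id$orig_h, DNP3::function_codes[fc], fc, c$id$resp_h),
                $identifier=cat(c$id$orig_h, fc)]);
    }

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
    {
    # Only the request side carries the operator's intent; the response echoes it with a status.
    if ( ! is_orig )
        return;

    local fc = c$uid in pending_fc ? pending_fc[c$uid] : 0;
    print fmt("%s -> %s CROB %s via fc %d: count=%d on=%dms off=%dms",
              c$id$orig_h, c$id$resp_h, decode_control_code(control_code), fc,
              count8, on_time, off_time);
    }
```

The SELECT-before-OPERATE pattern means a legitimate master produces both codes 3 and 4 in quick succession; keying the notice identifier on source and function code keeps that from doubling every alert. A DIRECT_OPERATE (5 or 6) from an unknown host with a TRIP/LATCH_OFF control code is the case to escalate first, since it skips the select step and acts immediately.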
- dnp3_counter_32wFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, count_value:count
)
Generated for DNP3 objects with group number 20 and variation number 1 (32-bit counter with flag).
- dnp3_counter_16wFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, count_value:count
)
Generated for DNP3 objects with group number 20 and variation number 2 (16-bit counter with flag).
- dnp3_counter_32woFlag
- Type
event
(c:connection
, is_orig:bool
, count_value:count
)
Generated for DNP3 objects with group number 20 and variation number 5 (32-bit counter without flag).
- dnp3_counter_16woFlag
- Type
event
(c:connection
, is_orig:bool
, count_value:count
)
Generated for DNP3 objects with group number 20 and variation number 6 (16-bit counter without flag).
- dnp3_frozen_counter_32wFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, count_value:count
)
Generated for DNP3 objects with group number 21 and variation number 1 (32-bit frozen counter with flag).
- dnp3_frozen_counter_16wFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, count_value:count
)
Generated for DNP3 objects with group number 21 and variation number 2 (16-bit frozen counter with flag).
- dnp3_frozen_counter_32wFlagTime
-
Generated for DNP3 objects with group number 21 and variation number 5 (32-bit frozen counter with flag and time).
- dnp3_frozen_counter_16wFlagTime
-
Generated for DNP3 objects with group number 21 and variation number 6 (16-bit frozen counter with flag and time).
- dnp3_frozen_counter_32woFlag
- Type
event
(c:connection
, is_orig:bool
, count_value:count
)
Generated for DNP3 objects with group number 21 and variation number 9 (32-bit frozen counter without flag).
- dnp3_frozen_counter_16woFlag
- Type
event
(c:connection
, is_orig:bool
, count_value:count
)
Generated for DNP3 objects with group number 21 and variation number 10 (16-bit frozen counter without flag).
- dnp3_analog_input_32wFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with group number 30 and variation number 1 (32-bit analog input with flag).
- dnp3_analog_input_16wFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with group number 30 and variation number 2 (16-bit analog input with flag).
- dnp3_analog_input_32woFlag
- Type
event
(c:connection
, is_orig:bool
, value:count
)
Generated for DNP3 objects with group number 30 and variation number 3 (32-bit analog input without flag).
- dnp3_analog_input_16woFlag
- Type
event
(c:connection
, is_orig:bool
, value:count
)
Generated for DNP3 objects with group number 30 and variation number 4 (16-bit analog input without flag).
- dnp3_analog_input_SPwFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with group number 30 and variation number 5 (single-precision floating-point analog input with flag).
- dnp3_analog_input_DPwFlag
-
Generated for DNP3 objects with group number 30 and variation number 6 (double-precision floating-point analog input with flag).
- dnp3_frozen_analog_input_32wFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with group number 31 and variation number 1 (32-bit frozen analog input with flag).
- dnp3_frozen_analog_input_16wFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with group number 31 and variation number 2 (16-bit frozen analog input with flag).
- dnp3_frozen_analog_input_32wTime
-
Generated for DNP3 objects with group number 31 and variation number 3 (32-bit frozen analog input with time of freeze).
- dnp3_frozen_analog_input_16wTime
-
Generated for DNP3 objects with group number 31 and variation number 4 (16-bit frozen analog input with time of freeze).
- dnp3_frozen_analog_input_32woFlag
- Type
event
(c:connection
, is_orig:bool
, frozen_value:count
)
Generated for DNP3 objects with group number 31 and variation number 5 (32-bit frozen analog input without flag).
- dnp3_frozen_analog_input_16woFlag
- Type
event
(c:connection
, is_orig:bool
, frozen_value:count
)
Generated for DNP3 objects with group number 31 and variation number 6 (16-bit frozen analog input without flag).
- dnp3_frozen_analog_input_SPwFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with group number 31 and variation number 7 (single-precision floating-point frozen analog input with flag).
- dnp3_frozen_analog_input_DPwFlag
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
)
Generated for DNP3 objects with group number 31 and variation number 8 (double-precision floating-point frozen analog input with flag).
- dnp3_analog_input_event_32woTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with group number 32 and variation number 1 (32-bit analog input event without time).
- dnp3_analog_input_event_16woTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with group number 32 and variation number 2 (16-bit analog input event without time).
- dnp3_analog_input_event_32wTime
-
Generated for DNP3 objects with group number 32 and variation number 3 (32-bit analog input event with time).
- dnp3_analog_input_event_16wTime
-
Generated for DNP3 objects with group number 32 and variation number 4 (16-bit analog input event with time).
- dnp3_analog_input_event_SPwoTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with group number 32 and variation number 5 (single-precision floating-point analog input event without time).
- dnp3_analog_input_event_DPwoTime
-
Generated for DNP3 objects with group number 32 and variation number 6 (double-precision floating-point analog input event without time).
- dnp3_analog_input_event_SPwTime
-
Generated for DNP3 objects with group number 32 and variation number 7 (single-precision floating-point analog input event with time).
- dnp3_analog_input_event_DPwTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, value_low:count
, value_high:count
, time48:count
)
Generated for DNP3 objects with group number 32 and variation number 8 (double-precision floating-point analog input event with time).
- dnp3_frozen_analog_input_event_32woTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with group number 33 and variation number 1 (32-bit frozen analog input event without time).
- dnp3_frozen_analog_input_event_16woTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with group number 33 and variation number 2 (16-bit frozen analog input event without time).
- dnp3_frozen_analog_input_event_32wTime
-
Generated for DNP3 objects with group number 33 and variation number 3 (32-bit frozen analog input event with time).
- dnp3_frozen_analog_input_event_16wTime
-
Generated for DNP3 objects with group number 33 and variation number 4 (16-bit frozen analog input event with time).
- dnp3_frozen_analog_input_event_SPwoTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with group number 33 and variation number 5 (single-precision floating-point frozen analog input event without time).
- dnp3_frozen_analog_input_event_DPwoTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
)
Generated for DNP3 objects with group number 33 and variation number 6 (double-precision floating-point frozen analog input event without time).
- dnp3_frozen_analog_input_event_SPwTime
-
Generated for DNP3 objects with group number 33 and variation number 7 (single-precision floating-point frozen analog input event with time).
- dnp3_frozen_analog_input_event_DPwTime
- Type
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
, time48:count
)
Generated for DNP3 objects with group number 33 and variation number 8 (double-precision floating-point frozen analog input event with time).
- dnp3_file_transport
-
Generated for DNP3 file-transport objects (group 70).
- dnp3_debug_byte
- Type
event
(c:connection
, is_orig:bool
, debug:string
)
Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for unknown “cases”. The user can use it to debug the byte string to check what caused the malformed network packets.
Zeek::DNS
DNS analyzer
Components
Events
- dns_message
- Type
event
(c:connection
, is_orig:bool
, msg:dns_msg
, len:count
)
Generated for all DNS messages.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
is_orig – True if the message was sent by the originator of the connection.
msg – The parsed DNS message header.
len – The length of the message’s raw representation (i.e., the DNS payload).
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_request
- Type
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
, original_query:string
)
- Type
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
)
Generated for DNS requests. For requests with multiple queries, this event is raised once for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name (normalized to all lowercase).
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_rejected
- Type
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
, original_query:string
)
- Type
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
)
Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name (normalized to all lowercase).
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
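Because dns_rejected is raised purely from the reply, with no stateful link to the query, the practical way to use it is as a per-client counter. The script below is an added example, not part of Zeek’s DNS scripts: it counts NXDOMAIN replies per client from dns_rejected and flags query names with oversized labels from dns_request, two cheap indicators of DGA activity and DNS tunnelling. The thresholds, notice names and module name are invented for illustration; it relies on the rcode field of dns_msg from Zeek’s record definitions.

```zeek
@load base/frameworks/notice
@load base/protocols/dns

module DNSAbuse;

export {
    redef enum Notice::Type += {
        ## A query name with a label long enough to be carrying encoded data.
        Encoded_Query_Name,
        ## A client exceeded the NXDOMAIN budget, a common DGA or tunnelling symptom.
        Excessive_NXDOMAIN,
    };

    ## Labels longer than this (assumption: chosen for illustration) are treated as suspicious.
    const max_label_len = 40 &redef;
    ## Number of NXDOMAIN replies per client, within the expiry window, that raises a notice.
    const nxdomain_threshold = 50 &redef;
}

const RCODE_NXDOMAIN = 3;

# NXDOMAIN count per client address; the counter ages out if the client goes quiet.
global nxdomain_count: table[addr] of count &write_expire=10min;

# Returns T when any label of the query name exceeds max_label_len.
function has_long_label(name: string): bool
    {
    local labels = split_string(name, /\./);
    for ( i in labels )
        if ( |labels[i]| > max_label_len )
            return T;
    return F;
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
    {
    if ( has_long_label(query) )
        NOTICE([$note=Encoded_Query_Name, $conn=c,
                $msg=fmt("%s queried %s (qtype %d)", c$id$orig_h, query, qtype),
                $sub=original_query,
                $identifier=cat(c$id$orig_h, query)]);
    }

event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
    {
    # Count NXDOMAIN only; SERVFAIL or REFUSED storms from a broken resolver say nothing about the client.
    if ( msg$rcode != RCODE_NXDOMAIN )
        return;

    local client = c$id$orig_h;
    if ( client !in nxdomain_count )
        nxdomain_count[client] = 0;
    ++nxdomain_count[client];

    if ( nxdomain_count[client] == nxdomain_threshold )
        NOTICE([$note=Excessive_NXDOMAIN, $conn=c,
                $msg=fmt("%s received %d NXDOMAIN replies, last for %s", client, nxdomain_threshold, query),
                $identifier=cat(client)]);
    }
```

The notice fires once when the counter crosses the threshold rather than on every later reply; &write_expire resets a client that stops producing NXDOMAINs for ten minutes. If the monitored segment sits behind a forwarding resolver, c$id$orig_h will be the resolver for every reply, so the counter should then key on the client-facing leg of the traffic instead.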
- dns_query_reply
- Type
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
, original_query:string
)
- Type
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
)
Generated for each entry in the Question section of a DNS reply.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name.
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_A_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, a:addr
)
Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.
See also:
dns_AAAA_reply
,dns_A6_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_AAAA_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, a:addr
)
Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.
See also:
dns_A_reply
,dns_A6_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_A6_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, a:addr
)
Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.
See also:
dns_A_reply
,dns_AAAA_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_NS_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, name:string
)
Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_CNAME_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, name:string
)
Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_PTR_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, name:string
)
Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_SOA_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, soa:dns_soa
)
Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
soa – The parsed SOA value.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_WKS_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
)
Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_HINFO_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, cpu:string
, os:string
)
Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
cpu – The CPU type string carried by the HINFO record.
os – The operating system string carried by the HINFO record.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_MX_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, name:string
, preference:count
)
Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
preference – The preference for name specified by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_TXT_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, strs:string_vec
)
Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
strs – The textual information returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_SPF_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, strs:string_vec
)
Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
strs – The textual information returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_CAA_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, flags:count
, tag:string
, value:string
)
Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
flags – The flags byte of the CAA reply.
tag – The property identifier of the CAA reply.
value – The property value of the CAA reply.
- dns_SRV_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, target:string
, priority:count
, weight:count
, p:count
)
Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
target – Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.
priority – Priority of the SRV response – the priority of the target host, lower value means more preferred.
weight – Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred.
p – Port of the SRV response – the TCP or UDP port on which the service is to be found.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
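Service-discovery SRV answers are a good place to spot rogue infrastructure: a client that is handed an `_ldap._tcp` or `_kerberos._tcp` target it does not recognise is about to authenticate to it. The script below is an added example, not part of the Zeek distribution or its documentation. It handles dns_SRV_reply, normalises the target (SRV targets end in a dot, as the parameter description says) and raises a notice when an Active Directory service record points anywhere outside a configured set of domain controllers. The module name, the prefix list and the known_dcs contents are assumptions.

```zeek
##! Added example (not part of the Zeek distribution): flag AD service SRV
##! answers whose target is not a known domain controller. The service prefixes
##! and the known_dcs set are assumptions; fill them from your own inventory.

@load base/frameworks/notice

module SRVWatch;

export {
	redef enum Notice::Type += {
		## An AD service SRV record points at a host that is not an approved DC.
		Unexpected_SRV_Target,
	};

	## Approved DC hostnames, lower-cased, without the trailing dot (assumed values).
	option known_dcs: set[string] = { "dc1.corp.example", "dc2.corp.example" };

	## Owner-name prefixes that identify AD service discovery queries.
	const ad_prefixes: set[string] = {
		"_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp", "_gc._tcp",
	} &redef;
}

## True if the SRV owner name starts with one of the AD service prefixes.
function is_ad_service(query: string): bool
	{
	for ( prefix in ad_prefixes )
		{
		# strstr() returns the 1-based position of the match, 0 if absent.
		if ( strstr(query, prefix) == 1 )
			return T;
		}
	return F;
	}

event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer,
                    target: string, priority: count, weight: count, p: count)
	{
	local qname = to_lower(ans$query);

	if ( ! is_ad_service(qname) )
		return;

	# The target is fully qualified and ends in a dot; strip it before lookup.
	local host = sub(to_lower(target), /\.$/, "");

	if ( host in known_dcs )
		return;

	NOTICE([$note=Unexpected_SRV_Target,
	        $conn=c,
	        $msg=fmt("%s -> %s:%d (priority %d, weight %d) is not a known DC",
	                 qname, host, p, priority, weight),
	        $sub=host,
	        $identifier=cat(qname, host)]);
	}
```

Because a reply with several SRV answers raises one event per record, every advertised target is checked individually; a lower priority value does not suppress the check for the higher-priority records.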
- dns_unknown_reply
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
)
Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_SRV_reply
,dns_end
- dns_EDNS_addl
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_edns_additional
)
Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The parsed EDNS reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_EDNS_ecs
- Type
event
(c:connection
, msg:dns_msg
, opt:dns_edns_ecs
)
Generated for DNS replies of type EDNS that carry an EDNS Client Subnet (ECS) option, opt-type 8 (see RFC 7871). For replies with multiple options, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS option.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_EDNS_tcp_keepalive
- Type
event
(c:connection
, msg:dns_msg
, opt:dns_edns_tcp_keepalive
)
Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 11. For replies with multiple option fields, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. See RFC 7828 for more information about the EDNS0 TCP keepalive option. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS Keepalive option.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_EDNS_cookie
- Type
event
(c:connection
, msg:dns_msg
, opt:dns_edns_cookie
)
Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10. For replies with multiple options fields, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. See RFC 7873 for more information about the EDNS0 cookie option. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS Cookie option.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_TSIG_addl
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_tsig_additional
)
Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The parsed TSIG reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_RRSIG
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, rrsig:dns_rrsig_rr
)
Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
rrsig – The parsed RRSIG record.
- dns_DNSKEY
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, dnskey:dns_dnskey_rr
)
Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
dnskey – The parsed DNSKEY record.
- dns_NSEC
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, next_name:string
, bitmaps:string_vec
)
Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
next_name – The parsed next secure domain name.
bitmaps – Vector of hex strings, one per type bitmap window present in the record.
- dns_NSEC3
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, nsec3:dns_nsec3_rr
)
Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
nsec3 – The parsed RDATA of the NSEC3 record.
- dns_NSEC3PARAM
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, nsec3param:dns_nsec3param_rr
)
Generated for DNS replies of type NSEC3PARAM. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
nsec3param – The parsed RDATA of the NSEC3PARAM record.
- dns_DS
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, ds:dns_ds_rr
)
Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
ds – The parsed RDATA of the DS record.
- dns_BINDS
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, binds:dns_binds_rr
)
Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
binds – The parsed RDATA of the BIND-Signing state record.
- dns_SSHFP
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, algo:count
, fptype:count
, fingerprint:string
)
Generated for DNS replies of type SSHFP (SSH public key fingerprint, RFC 4255). For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
algo – The public key algorithm number of the SSHFP record (1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519).
fptype – The fingerprint type of the SSHFP record (1 = SHA-1, 2 = SHA-256).
fingerprint – The host key fingerprint carried in the record.
- dns_LOC
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, loc:dns_loc_rr
)
Generated for DNS replies of type LOC. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
loc – The parsed RDATA of the LOC record.
- dns_SVCB
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, svcb:dns_svcb_rr
)
Generated for DNS replies of type SVCB (General Purpose Service Endpoints). See RFC 9460 (DNS SVCB and HTTPS resource records, formerly the SVCB/HTTPS draft) for more information about DNS SVCB/HTTPS resource records. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
svcb – The parsed RDATA of the SVCB record.
- dns_HTTPS
- Type
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, https:dns_svcb_rr
)
Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints). See RFC 9460 (DNS SVCB and HTTPS resource records, formerly the SVCB/HTTPS draft) for more information about DNS SVCB/HTTPS resource records. Since SVCB and HTTPS records share the same wire format layout, the argument https is a dns_svcb_rr. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
https – The parsed RDATA of the HTTPS record.
- dns_end
- Type
event
(c:connection
, msg:dns_msg
)
Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on. See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
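Because dns_end is guaranteed to be the last dns_* event for a message, it is the natural place to evaluate and release state that the per-record handlers accumulated. The script below is an added example, not part of the Zeek distribution or its documentation. It keys per-message state on the connection UID and the DNS transaction id, collects addresses and CNAME hops from dns_A_reply, dns_AAAA_reply and dns_CNAME_reply (the standard Zeek events listed under "See also" above; their signatures are not shown on this page and are taken from Zeek's DNS event set), counts records Zeek could not parse via dns_unknown_reply, and decides at dns_end whether a single reply looked unusual. The module name, notice names and both thresholds are assumptions.

```zeek
##! Added example (not part of the Zeek distribution): evaluate the shape of a
##! DNS reply once dns_end says all its records have been delivered.
##! Module name, notice names and thresholds are assumptions.

@load base/frameworks/notice

module DNSReplyShape;

export {
	redef enum Notice::Type += {
		## One reply carried more distinct A/AAAA addresses than addr_threshold.
		Many_Addresses,
		## One reply carried a CNAME chain longer than cname_threshold.
		Long_CNAME_Chain,
	};

	option addr_threshold: count = 8;
	option cname_threshold: count = 4;
}

type Shape: record {
	query: string &default="";
	addrs: set[addr] &default=set();
	cnames: count &default=0;
	unknown: count &default=0;
};

## Per-message state, indexed by connection UID and DNS transaction id.
## dns_end deletes the entry; the expiry only guards against truncated streams.
global shapes: table[string, count] of Shape &write_expire=30sec;

## Return (creating on first use) the state record for this message.
function shape_of(c: connection, msg: dns_msg): Shape
	{
	if ( [c$uid, msg$id] !in shapes )
		shapes[c$uid, msg$id] = Shape();
	return shapes[c$uid, msg$id];
	}

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	local s = shape_of(c, msg);   # records are references: edits persist in the table
	s$query = ans$query;
	add s$addrs[a];
	}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	local s = shape_of(c, msg);
	s$query = ans$query;
	add s$addrs[a];
	}

event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
	{
	local s = shape_of(c, msg);
	s$query = ans$query;
	++s$cnames;
	}

event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
	{
	++shape_of(c, msg)$unknown;
	}

event dns_end(c: connection, msg: dns_msg)
	{
	# Queries and answerless replies never created state, so nothing to do.
	if ( [c$uid, msg$id] !in shapes )
		return;

	local s = shapes[c$uid, msg$id];
	delete shapes[c$uid, msg$id];

	if ( |s$addrs| > addr_threshold )
		NOTICE([$note=Many_Addresses, $conn=c,
		        $msg=fmt("%s answered %s with %d addresses (%d unparsed RRs, header says %d answers)",
		                 c$id$resp_h, s$query, |s$addrs|, s$unknown, msg$num_answers),
		        $identifier=cat(c$id$resp_h, s$query)]);

	if ( s$cnames > cname_threshold )
		NOTICE([$note=Long_CNAME_Chain, $conn=c,
		        $msg=fmt("%s resolved through %d CNAME hops", s$query, s$cnames),
		        $identifier=s$query]);
	}
```

The header count msg$num_answers is reported alongside the parsed count so an analyst can see when records were skipped (for example under dns_skip_addl or dns_skip_all_auth settings) rather than absent from the wire.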
Zeek::File
Generic file analyzer
Components
Events
- file_transferred
- Type
event
(c:connection
, prefix:string
, descr:string
, mime_type:string
)
Generated when a TCP connection associated with a file data transfer is seen (e.g., as happens with FTP or IRC).
- Parameters
c – The connection over which file data is transferred.
prefix – Up to 1024 bytes of the file data.
descr – Deprecated/unused argument.
mime_type – MIME type of the file or “<unknown>” if no file magic signatures matched.
Zeek::Finger
Finger analyzer
Components
Types
- spicy::AddressFamily
- spicy::ByteOrder
- spicy::DecodeErrorStrategy
- spicy::Protocol
- spicy::RealType
Events
- finger_request
- Type
event
(c:connection
, full:bool
, username:string
, hostname:string
)
Generated for Finger requests.
See Wikipedia for more information about the Finger protocol.
- Parameters
c – The connection.
full – True if verbose information is requested (/W switch).
username – The request's user name.
hostname – The request’s host name.
See also:
finger_reply
- finger_reply
- Type
event
(c:connection
, reply_line:string
)
Generated for Finger replies.
See Wikipedia for more information about the Finger protocol.
- Parameters
c – The connection.
reply_line – The reply as returned by the server
See also:
finger_request
Zeek::FTP
FTP analyzer
Components
Types
- ftp_port
- Type
A parsed host/port combination describing the server endpoint for an upcoming data transfer.
See also:
fmt_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,parse_ftp_pasv
,parse_ftp_port
Events
- ftp_request
- Type
event
(c:connection
, command:string
, arg:string
)
Generated for client-side FTP commands.
See Wikipedia for more information about the FTP protocol.
- Parameters
c – The connection.
command – The FTP command issued by the client (without any arguments).
arg – The arguments going with the command.
See also:
ftp_reply
,fmt_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,parse_ftp_pasv
,parse_ftp_port
- ftp_reply
- Type
event
(c:connection
, code:count
, msg:string
, cont_resp:bool
)
Generated for server-side FTP replies.
See Wikipedia for more information about the FTP protocol.
- Parameters
c – The connection.
code – The numerical response code the server responded with.
msg – The textual message of the response.
cont_resp – True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.
See also:
ftp_request
,fmt_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,parse_ftp_pasv
,parse_ftp_port
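The ftp_request and ftp_reply events combine naturally with the parse_* functions documented under Functions below to catch FTP bounce and data-channel redirection: an active-mode PORT or EPRT that names an address other than the client's own asks the server to open a data connection to a third party, and a 227 PASV reply that names an address other than the server's sends the client somewhere else. The script below is an added example, not part of the Zeek distribution or its documentation; the module name and notice names are assumptions.

```zeek
##! Added example (not part of the Zeek distribution): detect FTP data-channel
##! endpoints that do not belong to the control-connection peer that announced them.
##! Module name and notice names are assumptions.

@load base/frameworks/notice

module FTPBounce;

export {
	redef enum Notice::Type += {
		## Client asked the server to open a data connection to a third host (bounce).
		Active_Third_Party,
		## Server told the client to connect to a host other than itself.
		Passive_Third_Party,
	};
}

## Raise the notice for a data endpoint fp that should have been `expected`.
function flag_third_party(c: connection, n: Notice::Type, what: string,
                          fp: ftp_port, expected: addr)
	{
	NOTICE([$note=n, $conn=c,
	        $msg=fmt("%s names %s:%s but the announcing endpoint is %s",
	                 what, fp$h, fp$p, expected),
	        $sub=what,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, fp$h)]);
	}

event ftp_request(c: connection, command: string, arg: string)
	{
	local cmd = to_upper(command);
	local fp: ftp_port;

	# PORT carries "h1,h2,h3,h4,p1,p2"; EPRT carries "|proto|addr|port|" (RFC 2428).
	if ( cmd == "PORT" )
		fp = parse_ftp_port(arg);
	else if ( cmd == "EPRT" )
		fp = parse_eftp_port(arg);
	else
		return;

	if ( ! fp$valid )
		return;

	if ( fp$h != c$id$orig_h )
		flag_third_party(c, Active_Third_Party, cmd, fp, c$id$orig_h);
	}

event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
	{
	# Only 227 ("Entering Passive Mode (h1,h2,h3,h4,p1,p2)") names a host.
	# A 229 EPSV reply carries just a port, so no host check applies to it.
	if ( code != 227 )
		return;

	local fp = parse_ftp_pasv(msg);

	if ( ! fp$valid )
		return;

	if ( fp$h != c$id$resp_h )
		flag_third_party(c, Passive_Third_Party, "PASV", fp, c$id$resp_h);
	}
```

Expect benign hits from NAT: a client behind address translation puts its private address in PORT, which will not match the translated c$id$orig_h that Zeek sees, and some servers behind NAT advertise their internal address in 227 replies. Whitelist those prefixes with Notice::policy before acting on the notices.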
Functions
- parse_ftp_port
-
Converts a string representation of the FTP PORT command to an ftp_port.
- Parameters
s – The string of the FTP PORT command, e.g., "10,0,0,1,4,31".
- Returns
The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also:
parse_eftp_port
,parse_ftp_pasv
,parse_ftp_epsv
,fmt_ftp_port
- parse_eftp_port
-
Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).
- Parameters
s – The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".
- Returns
The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also:
parse_ftp_port
,parse_ftp_pasv
,parse_ftp_epsv
,fmt_ftp_port
- parse_ftp_pasv
-
Converts the result of the FTP PASV command to an ftp_port.
- Parameters
str – The string containing the result of the FTP PASV command.
- Returns
The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also:
parse_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,fmt_ftp_port
- parse_ftp_epsv
-
Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).
- Parameters
str – The string containing the result of the FTP EPSV command.
- Returns
The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].