Protocol Analyzers¶

Analyzer::Tag¶

Type

enum

Analyzer::ANALYZER_AYIYA¶

Analyzer::ANALYZER_BITTORRENT¶

Analyzer::ANALYZER_BITTORRENTTRACKER¶

Analyzer::ANALYZER_CONNSIZE¶

Analyzer::ANALYZER_DCE_RPC¶

Analyzer::ANALYZER_DHCP¶

Analyzer::ANALYZER_DNP3_TCP¶

Analyzer::ANALYZER_DNP3_UDP¶

Analyzer::ANALYZER_CONTENTS_DNS¶

Analyzer::ANALYZER_DNS¶

Analyzer::ANALYZER_FTP_DATA¶

Analyzer::ANALYZER_IRC_DATA¶

Analyzer::ANALYZER_FINGER¶

Analyzer::ANALYZER_FTP¶

Analyzer::ANALYZER_FTP_ADAT¶

Analyzer::ANALYZER_GENEVE¶

Analyzer::ANALYZER_GNUTELLA¶

Analyzer::ANALYZER_GSSAPI¶

Analyzer::ANALYZER_GTPV1¶

Analyzer::ANALYZER_HTTP¶

Analyzer::ANALYZER_ICMP¶

Analyzer::ANALYZER_IDENT¶

Analyzer::ANALYZER_IMAP¶

Analyzer::ANALYZER_IRC¶

Analyzer::ANALYZER_KRB¶

Analyzer::ANALYZER_KRB_TCP¶

Analyzer::ANALYZER_CONTENTS_RLOGIN¶

Analyzer::ANALYZER_CONTENTS_RSH¶

Analyzer::ANALYZER_LOGIN¶

Analyzer::ANALYZER_NVT¶

Analyzer::ANALYZER_RLOGIN¶

Analyzer::ANALYZER_RSH¶

Analyzer::ANALYZER_TELNET¶

Analyzer::ANALYZER_MODBUS¶

Analyzer::ANALYZER_MQTT¶

Analyzer::ANALYZER_MYSQL¶

Analyzer::ANALYZER_CONTENTS_NCP¶

Analyzer::ANALYZER_NCP¶

Analyzer::ANALYZER_CONTENTS_NETBIOSSSN¶

Analyzer::ANALYZER_NETBIOSSSN¶

Analyzer::ANALYZER_NTLM¶

Analyzer::ANALYZER_NTP¶

Analyzer::ANALYZER_PIA_TCP¶

Analyzer::ANALYZER_PIA_UDP¶

Analyzer::ANALYZER_POP3¶

Analyzer::ANALYZER_RADIUS¶

Analyzer::ANALYZER_RDP¶

Analyzer::ANALYZER_RDPEUDP¶

Analyzer::ANALYZER_RFB¶

Analyzer::ANALYZER_CONTENTS_NFS¶

Analyzer::ANALYZER_CONTENTS_RPC¶

Analyzer::ANALYZER_MOUNT¶

Analyzer::ANALYZER_NFS¶

Analyzer::ANALYZER_PORTMAPPER¶

Analyzer::ANALYZER_SIP¶

Analyzer::ANALYZER_CONTENTS_SMB¶

Analyzer::ANALYZER_SMB¶

Analyzer::ANALYZER_SMTP¶

Analyzer::ANALYZER_SNMP¶

Analyzer::ANALYZER_SOCKS¶

Analyzer::ANALYZER_SSH¶

Analyzer::ANALYZER_DTLS¶

Analyzer::ANALYZER_SSL¶

Analyzer::ANALYZER_SYSLOG¶

Analyzer::ANALYZER_CONTENTLINE¶

Analyzer::ANALYZER_CONTENTS¶

Analyzer::ANALYZER_TCPSTATS¶

Analyzer::ANALYZER_TCP¶

Analyzer::ANALYZER_TEREDO¶

Analyzer::ANALYZER_UDP¶

Analyzer::ANALYZER_VXLAN¶

Analyzer::ANALYZER_XMPP¶

Analyzer::ANALYZER_ZIP¶

Zeek::AYIYA¶

AYIYA Analyzer

Components¶

Analyzer::ANALYZER_AYIYA

Zeek::BitTorrent¶

BitTorrent Analyzer

Components¶

Analyzer::ANALYZER_BITTORRENT

Analyzer::ANALYZER_BITTORRENTTRACKER

Events¶

bittorrent_peer_handshake¶

Type: event (c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_keep_alive¶

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_choke¶

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_unchoke¶

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_interested¶

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_not_interested¶

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_have¶

Type: event (c: connection, is_orig: bool, piece_index: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_bitfield¶

Type: event (c: connection, is_orig: bool, bitfield: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_request¶

Type: event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_piece¶

Type: event (c: connection, is_orig: bool, index: count, begin: count, piece_length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_cancel¶

Type: event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_port¶

Type: event (c: connection, is_orig: bool, listen_port: port)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_unknown¶

Type: event (c: connection, is_orig: bool, message_id: count, data: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_weird¶

Type: event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_request¶

Type: event (c: connection, uri: string, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_response¶

Type: event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_response_not_ok¶

Type: event (c: connection, status: count, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_weird¶

Type: event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

Zeek::ConnSize¶

Connection size analyzer

Components¶

Analyzer::ANALYZER_CONNSIZE

Events¶

conn_bytes_threshold_crossed ¶

Type: event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::bytes_threshold_crossed instead.

C: the connection
Threshold: the threshold that was set
Is_orig: true if the threshold was crossed by the originator of the connection

conn_packets_threshold_crossed ¶

Type: event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::packets_threshold_crossed instead.

C: the connection
Threshold: the threshold that was set
Is_orig: true if the threshold was crossed by the originator of the connection

conn_duration_threshold_crossed ¶

Type: event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::duration_threshold_crossed instead.

Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

C: the connection
Threshold: the threshold that was set
Is_orig: true if the threshold was crossed by the originator of the connection

Functions¶

set_current_conn_bytes_threshold¶

Type: function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets the current byte threshold for connection sizes, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_bytes_threshold).

Cid: The connection id.
Threshold: Threshold in bytes.
Is_orig: If true, threshold is set for bytes from originator, otherwhise for bytes from responder.

set_current_conn_packets_threshold¶

Type: function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets a threshold for connection packets, overwtiting any potential old thresholds. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_packets_threshold).

Cid: The connection id.
Threshold: Threshold in packets.
Is_orig: If true, threshold is set for packets from originator, otherwhise for packets from responder.

set_current_conn_duration_threshold¶

Type: function (cid: conn_id, threshold: interval) : bool

Sets the current duration threshold for connection, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_duration_threshold).

Cid: The connection id.
Threshold: Threshold in seconds.

get_current_conn_bytes_threshold¶

Type: function (cid: conn_id, is_orig: bool) : count
Cid: The connection id.
Is_orig: If true, threshold of originator, otherwhise threshold of responder.
Returns: 0 if no threshold is set or the threshold in bytes

get_current_conn_packets_threshold¶

Type: function (cid: conn_id, is_orig: bool) : count

Gets the current packet threshold size for a connection.

Cid: The connection id.
Is_orig: If true, threshold of originator, otherwhise threshold of responder.
Returns: 0 if no threshold is set or the threshold in packets

get_current_conn_duration_threshold¶

Type: function (cid: conn_id) : interval

Gets the current duration threshold size for a connection.

Cid: The connection id.
Returns: 0 if no threshold is set or the threshold in seconds

Zeek::DCE_RPC¶

DCE-RPC analyzer

Components¶

Analyzer::ANALYZER_DCE_RPC

Options/Constants¶

DCE_RPC::max_cmd_reassembly ¶

Type: count
Attributes: &redef
Default: 20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.

DCE_RPC::max_frag_data ¶

Type: count
Attributes: &redef
Default: 30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

Types¶

DCE_RPC::PType¶

Type

enum

DCE_RPC::REQUEST¶

DCE_RPC::PING¶

DCE_RPC::RESPONSE¶

DCE_RPC::FAULT¶

DCE_RPC::WORKING¶

DCE_RPC::NOCALL¶

DCE_RPC::REJECT¶

DCE_RPC::ACK¶

DCE_RPC::CL_CANCEL¶

DCE_RPC::FACK¶

DCE_RPC::CANCEL_ACK¶

DCE_RPC::BIND¶

DCE_RPC::BIND_ACK¶

DCE_RPC::BIND_NAK¶

DCE_RPC::ALTER_CONTEXT¶

DCE_RPC::ALTER_CONTEXT_RESP¶

DCE_RPC::AUTH3¶

DCE_RPC::SHUTDOWN¶

DCE_RPC::CO_CANCEL¶

DCE_RPC::ORPHANED¶

DCE_RPC::RTS¶

DCE_RPC::IfID¶

Type

enum

DCE_RPC::unknown_if¶

DCE_RPC::epmapper¶

DCE_RPC::lsarpc¶

DCE_RPC::lsa_ds¶

DCE_RPC::mgmt¶

DCE_RPC::netlogon¶

DCE_RPC::samr¶

DCE_RPC::srvsvc¶

DCE_RPC::spoolss¶

DCE_RPC::drs¶

DCE_RPC::winspipe¶

DCE_RPC::wkssvc¶

DCE_RPC::oxid¶

DCE_RPC::ISCMActivator¶

Events¶

dce_rpc_message¶

Type: event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

C: The connection.
Is_orig: True if the message was sent by the originator of the TCP connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ptype_id: Numeric representation of the procedure type of the message.
Ptype: Enum representation of the prodecure type of the message.

dce_rpc_bind ¶

Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Uuid: The string interpretted uuid of the endpoint being requested.
Ver_major: The major version of the endpoint being requested.
Ver_minor: The minor version of the endpoint being requested.

dce_rpc_alter_context ¶

Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Uuid: The string interpretted uuid of the endpoint being requested.
Ver_major: The major version of the endpoint being requested.
Ver_minor: The minor version of the endpoint being requested.

dce_rpc_bind_ack ¶

Type: event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Sec_addr: Secondary address for the ack.

dce_rpc_alter_context_resp ¶

Type: event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

dce_rpc_request ¶

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Opnum: Number of the RPC operation.
Stub_len: Length of the data for the request.

dce_rpc_response¶

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Opnum: Number of the RPC operation.
Stub_len: Length of the data for the response.

dce_rpc_request_stub¶

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Opnum: Number of the RPC operation.
Stub: The data for the request.

dce_rpc_response_stub¶

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Opnum: Number of the RPC operation.
Stub: The data for the response.

Zeek::DHCP¶

DHCP analyzer

Components¶

Analyzer::ANALYZER_DHCP

Types¶

DHCP::Msg ¶

Type

record

op: count: Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
m_type: count: The type of DHCP message.
xid: count: Transaction ID of a DHCP session.
secs: interval: Number of seconds since client began address acquisition or renewal process

flags: count

ciaddr: addr: Original IP address of the client.
yiaddr: addr: IP address assigned to the client.
siaddr: addr: IP address of the server.
giaddr: addr: IP address of the relaying gateway.
chaddr: string: Client hardware address.
sname: string &default = "" &optional: Server host name.
file_n: string &default = "" &optional: Boot file name.

A DHCP message. .. zeek:see:: dhcp_message

DHCP::Addrs ¶

Type: vector of addr

A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.

Events¶

dhcp_message ¶

Type: event (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)

Generated for all DHCP messages.

C: The connection record describing the underlying UDP flow.
Is_orig: Indicate if the message came in a packet from the originator/client of the udp flow or the responder/server.
Msg: The parsed type-independent part of the DHCP message. The message type is indicated in this record.
Options: The full set of supported and parsed DHCP options.

Zeek::DNP3¶

DNP3 UDP/TCP analyzers

Components¶

Analyzer::ANALYZER_DNP3_TCP

Analyzer::ANALYZER_DNP3_UDP

Events¶

dnp3_application_request_header ¶

Type: event (c: connection, is_orig: bool, application: count, fc: count)

Generated for a DNP3 request header.

C: The connection the DNP3 communication is part of.
Is_orig: True if this reflects originator-side activity.
Fc: function code.

dnp3_application_response_header ¶

Type: event (c: connection, is_orig: bool, application: count, fc: count, iin: count)

Generated for a DNP3 response header.

C: The connection the DNP3 communication is part of.
Is_orig: True if this reflects originator-side activity.
Fc: function code.
Iin: internal indication number.

dnp3_object_header¶

Type: event (c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)

Generated for the object header found in both DNP3 requests and responses.

C: The connection the DNP3 communication is part of.
Is_orig: True if this reflects originator-side activity.
Obj_type: type of object, which is classified based on an 8-bit group number and an 8-bit variation number.
Qua_field: qualifier field.
Number: TODO.
Rf_low: the structure of the range field depends on the qualified field. In some cases, the range field contains only one logic part, e.g., number of objects, so only rf_low contains useful values.
Rf_high: in some cases, the range field contains two logic parts, e.g., start index and stop index, so rf_low contains the start index while rf_high contains the stop index.

dnp3_object_prefix¶

Type: event (c: connection, is_orig: bool, prefix_value: count)

Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.

C: The connection the DNP3 communication is part of.
Is_orig: True if this reflects originator-side activity.
Prefix_value: The prefix.

dnp3_header_block¶

Type: event (c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)

Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).

C: The connection the DNP3 communication is part of.
Is_orig: True if this reflects originator-side activity.
Len: the “length” field in the DNP3 Pseudo Link Layer.
Ctrl: the “control” field in the DNP3 Pseudo Link Layer.
Dest_addr: the “destination” field in the DNP3 Pseudo Link Layer.
Src_addr: the “source” field in the DNP3 Pseudo Link Layer.

dnp3_response_data_object¶

Type: event (c: connection, is_orig: bool, data_value: count)

Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.

C: The connection the DNP3 communication is part of.
Is_orig: True if this reflects originator-side activity.
Data_value: The value for those objects that carry their information here directly.

dnp3_attribute_common¶

Type: event (c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)

Generated for DNP3 attributes.

dnp3_crob¶

Type: event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 1

CROB: control relay output block

dnp3_pcb¶

Type: event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 2

PCB: Pattern Control Block

dnp3_counter_32wFlag¶

Type: event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag

dnp3_counter_16wFlag¶

Type: event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag

dnp3_counter_32woFlag¶

Type: event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag

dnp3_counter_16woFlag¶

Type: event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag

dnp3_frozen_counter_32wFlag¶

Type: event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag

dnp3_frozen_counter_16wFlag¶

Type: event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag

dnp3_frozen_counter_32wFlagTime¶

Type: event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time

dnp3_frozen_counter_16wFlagTime¶

Type: event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_32woFlag¶

Type: event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_frozen_counter_16woFlag¶

Type: event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_analog_input_32wFlag¶

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_16wFlag¶

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_32woFlag¶

Type: event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_16woFlag¶

Type: event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_SPwFlag¶

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, float point with flag

dnp3_analog_input_DPwFlag¶

Type: event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, float point with flag

dnp3_frozen_analog_input_32wFlag¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_16wFlag¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_32wTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_16wTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag¶

Type: event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_16woFlag¶

Type: event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_SPwFlag¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, float point with flag

dnp3_frozen_analog_input_DPwFlag¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, float point with flag

dnp3_analog_input_event_32woTime¶

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_16woTime¶

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime¶

Type: event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_16wTime¶

Type: event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_SPwoTime¶

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision float point without time

dnp3_analog_input_event_DPwoTime¶

Type: event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision float point without time

dnp3_analog_input_event_SPwTime¶

Type: event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision float point with time

dnp3_analog_input_event_DPwTime¶

Type: event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precisiion float point with time

dnp3_frozen_analog_input_event_32woTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_16woTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_16wTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_SPwoTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision float point without time

dnp3_frozen_analog_input_event_DPwoTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision float point without time

dnp3_frozen_analog_input_event_SPwTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision float point with time

dnp3_frozen_analog_input_event_DPwTime¶

Type: event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)

Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision float point with time

dnp3_file_transport¶

Type: event (c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string)

g70

dnp3_debug_byte¶

Type: event (c: connection, is_orig: bool, debug: string)

Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for unknown “cases”. The user can use it to debug the byte string to check what caused the malformed network packets.

Zeek::DNS¶

DNS analyzer

Components¶

Analyzer::ANALYZER_CONTENTS_DNS

Analyzer::ANALYZER_DNS

Events¶

dns_message ¶

Type: event (c: connection, is_orig: bool, msg: dns_msg, len: count)

Generated for all DNS messages.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Is_orig: True if the message was sent by the originator of the connection.
Msg: The parsed DNS message header.
Len: The length of the message’s raw representation (i.e., the DNS payload).

dns_request¶

Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS requests. For requests with multiple queries, this event is raised once for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Query: The queried name (normalized to all lowercase).
Qtype: The queried resource record type.
Qclass: The queried resource record class.
Original_query: The queried name, with the original case kept intact

dns_rejected ¶

Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Query: The queried name (normalized to all lowercase).
Qtype: The queried resource record type.
Qclass: The queried resource record class.
Original_query: The queried name, with the original case kept intact

dns_query_reply¶

Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for each entry in the Question section of a DNS reply.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Query: The queried name.
Qtype: The queried resource record type.
Qclass: The queried resource record class.
Original_query: The queried name, with the original case kept intact

dns_A_reply¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
A: The address returned by the reply.

dns_AAAA_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
A: The address returned by the reply.

dns_A6_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
A: The address returned by the reply.

dns_NS_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Name: The name returned by the reply.

dns_CNAME_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Name: The name returned by the reply.

dns_PTR_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Name: The name returned by the reply.

dns_SOA_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Soa: The parsed SOA value.

dns_WKS_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.

dns_HINFO_reply¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string)
Type: event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.

dns_MX_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)

Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Name: The name returned by the reply.
Preference: The preference for name specified by the reply.

dns_TXT_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Strs: The textual information returned by the reply.

dns_SPF_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Strs: The textual information returned by the reply.

dns_CAA_reply¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)

Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Flags: The flags byte of the CAA reply.
Tag: The property identifier of the CAA reply.
Value: The property value of the CAA reply.

dns_SRV_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)

Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Target: Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.
Priority: Priority of the SRV response – the priority of the target host, lower value means more preferred.
Weight: Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred.
P: Port of the SRV response – the TCP or UDP port on which the service is to be found.

dns_unknown_reply ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer)

Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.

dns_EDNS_addl¶

Type: event (c: connection, msg: dns_msg, ans: dns_edns_additional)

Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The parsed EDNS reply.

dns_EDNS_ecs¶

Type: event (c: connection, msg: dns_msg, opt: dns_edns_ecs)

Generated for DNS replies of type EDNS. For replies with multiple options, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Opt: The parsed EDNS option.

dns_EDNS_tcp_keepalive¶

Type: event (c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 11. For replies with multiple option fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7828 for more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Opt: The parsed EDNS Keepalive option.

dns_EDNS_cookie¶

Type: event (c: connection, msg: dns_msg, opt: dns_edns_cookie)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10. For replies with multiple options fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7873 for more information about EDNS0 cookie. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Opt: The parsed EDNS Cookie option.

dns_TSIG_addl¶

Type: event (c: connection, msg: dns_msg, ans: dns_tsig_additional)

Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The parsed TSIG reply.

dns_RRSIG ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)

Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Rrsig: The parsed RRSIG record.

dns_DNSKEY ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)

Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Dnskey: The parsed DNSKEY record.

dns_NSEC ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)

Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Next_name: The parsed next secure domain name.
Bitmaps: vector of strings in hex for the bit maps present.

dns_NSEC3 ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)

Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Nsec3: The parsed RDATA of Nsec3 record.

dns_NSEC3PARAM ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr)

Generated for DNS replies of type NSEC3PARAM. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Nsec3param: The parsed RDATA of NSEC3PARAM record.

dns_DS ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)

Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Ds: The parsed RDATA of DS record.

dns_BINDS ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr)

Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Binds: The parsed RDATA of BIND-Signeing state record.

dns_SSHFP ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string)

Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Binds: The parsed RDATA of BIND-Signeing state record.

dns_LOC ¶

Type: event (c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr)

Generated for DNS replies of type LOC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.
Ans: The type-independent part of the parsed answer record.
Loc: The parsed RDATA of LOC type record.

dns_end¶

Type: event (c: connection, msg: dns_msg)

Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
Msg: The parsed DNS message header.

Zeek::File¶

Generic file analyzer

Components¶

Analyzer::ANALYZER_FTP_DATA

Analyzer::ANALYZER_IRC_DATA

Events¶

file_transferred ¶

Type: event (c: connection, prefix: string, descr: string, mime_type: string)

Generated when a TCP connection associated w/ file data transfer is seen (e.g. as happens w/ FTP or IRC).

C: The connection over which file data is transferred.
Prefix: Up to 1024 bytes of the file data.
Descr: Deprecated/unused argument.
Mime_type: MIME type of the file or “<unknown>” if no file magic signatures matched.

Zeek::Finger¶

Finger analyzer

Components¶

Analyzer::ANALYZER_FINGER

Events¶

finger_request¶

Type: event (c: connection, full: bool, username: string, hostname: string)

Generated for Finger requests.

See Wikipedia for more information about the Finger protocol.

C: The connection.
Full: True if verbose information is requested (/W switch).
Username: The request’s user name.
Hostname: The request’s host name.

Zeek::FTP¶

FTP analyzer

Components¶

Analyzer::ANALYZER_FTP

Analyzer::ANALYZER_FTP_ADAT

Types¶

ftp_port ¶

Type

record

h: addr: The host’s address.
p: port: The host’s port.
valid: bool: True if format was right. Only then are h and p valid.

A parsed host/port combination describing server endpoint for an upcoming data transfer.

Events¶

ftp_request¶

Type: event (c: connection, command: string, arg: string)

Generated for client-side FTP commands.

See Wikipedia for more information about the FTP protocol.

C: The connection.
Command: The FTP command issued by the client (without any arguments).
Arg: The arguments going with the command.

ftp_reply¶

Type: event (c: connection, code: count, msg: string, cont_resp: bool)

Generated for server-side FTP replies.

See Wikipedia for more information about the FTP protocol.

C: The connection.
Code: The numerical response code the server responded with.
Msg: The textual message of the response.
Cont_resp: True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

Functions¶

parse_ftp_port¶

Type: function (s: string) : ftp_port

Converts a string representation of the FTP PORT command to an ftp_port.

S: The string of the FTP PORT command, e.g., "10,0,0,1,4,31".
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_eftp_port¶

Type: function (s: string) : ftp_port

Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).

S: The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_pasv¶

Type: function (str: string) : ftp_port

Converts the result of the FTP PASV command to an ftp_port.

Str: The string containing the result of the FTP PASV command.
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_epsv¶

Type: function (str: string) : ftp_port

Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).

Str: The string containing the result of the FTP EPSV command.
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

fmt_ftp_port¶

Type: function (a: addr, p: port) : string

Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yields "10,0,0,1,4,31".

A: The IP address.
P: The TCP port.
Returns: The FTP PORT string.

Zeek::Geneve¶

Geneve analyzer

Components¶

Analyzer::ANALYZER_GENEVE

Events¶

geneve_packet¶

Type: event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a Geneve tunnel. See RFC 8926 for more information about the VXLAN protocol.

Outer: The Geneve tunnel connection.
Inner: The Geneve-encapsulated Ethernet packet header and transport header.
Vni: Geneve Network Identifier.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Zeek::Gnutella¶

Gnutella analyzer

Components¶

Analyzer::ANALYZER_GNUTELLA

Events¶

gnutella_text_msg¶

Type: event (c: connection, orig: bool, headers: string)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_binary_msg¶

Type: event (c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_partial_binary_msg¶

Type: event (c: connection, orig: bool, msg: string, len: count)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_establish¶

Type: event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_not_establish¶

Type: event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_http_notify¶

Type: event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::GSSAPI¶

GSSAPI analyzer

Components¶

Analyzer::ANALYZER_GSSAPI

Events¶

gssapi_neg_result¶

Type: event (c: connection, state: count)

Generated for GSSAPI negotiation results.

C: The connection.
State: The resulting state of the negotiation.

Zeek::GTPv1¶

GTPv1 analyzer

Components¶

Analyzer::ANALYZER_GTPV1

Events¶

gtpv1_message¶

Type: event (c: connection, hdr: gtpv1_hdr)

Generated for any GTP message with a GTPv1 header.

C: The connection over which the message is sent.
Hdr: The GTPv1 header.

gtpv1_g_pdu_packet¶

Type: event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)

Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.

Outer: The GTP outer tunnel connection.
Inner_gtp: The GTP header.
Inner_ip: The inner IP and transport layer packet headers.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

gtpv1_create_pdp_ctx_request¶

Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)

Generated for GTPv1-C Create PDP Context Request messages.

C: The connection over which the message is sent.
Hdr: The GTPv1 header.
Elements: The set of Information Elements comprising the message.

gtpv1_create_pdp_ctx_response¶

Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)

Generated for GTPv1-C Create PDP Context Response messages.

C: The connection over which the message is sent.
Hdr: The GTPv1 header.
Elements: The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_request¶

Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)

Generated for GTPv1-C Update PDP Context Request messages.

C: The connection over which the message is sent.
Hdr: The GTPv1 header.
Elements: The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_response¶

Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)

Generated for GTPv1-C Update PDP Context Response messages.

C: The connection over which the message is sent.
Hdr: The GTPv1 header.
Elements: The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_request¶

Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)

Generated for GTPv1-C Delete PDP Context Request messages.

C: The connection over which the message is sent.
Hdr: The GTPv1 header.
Elements: The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_response¶

Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)

Generated for GTPv1-C Delete PDP Context Response messages.

C: The connection over which the message is sent.
Hdr: The GTPv1 header.
Elements: The set of Information Elements comprising the message.

Zeek::HTTP¶

HTTP analyzer

Components¶

Analyzer::ANALYZER_HTTP

Events¶

http_request¶

Type: event (c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)

Generated for HTTP requests. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Method: The HTTP method extracted from the request (e.g., GET, POST).
Original_URI: The unprocessed URI as specified in the request.
Unescaped_URI: The URI with all percent-encodings decoded.
Version: The version number specified in the request (e.g., 1.1).

http_reply ¶

Type: event (c: connection, version: string, code: count, reason: string)

Generated for HTTP replies. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Version: The version number specified in the reply (e.g., 1.1).
Code: The numerical response code returned by the server.
Reason: The textual description returned by the server along with code.

http_header¶

Type: event (c: connection, is_orig: bool, original_name: string, name: string, value: string)
Type: event (c: connection, is_orig: bool, name: string, value: string)

Generated for HTTP headers. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Is_orig: True if the header was sent by the originator of the TCP connection.
Original_name: The name of the header (unaltered).
Name: The name of the header (converted to all uppercase).
Value: The value of the header.

Note

This event is also raised for headers found in nested body entities.

http_all_headers¶

Type: event (c: connection, is_orig: bool, hlist: mime_header_list)

Generated for HTTP headers, passing on all headers of an HTTP message at once. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Is_orig: True if the header was sent by the originator of the TCP connection.
Hlist: A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

Note

This event is also raised for headers found in nested body entities.

http_begin_entity ¶

Type: event (c: connection, is_orig: bool)

Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Zeek raises this event just before it starts parsing each entity’s content.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Is_orig: True if the entity was sent by the originator of the TCP connection.

http_end_entity ¶

Type: event (c: connection, is_orig: bool)

Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Zeek raises this event at the point when it has finished parsing an entity’s content.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Is_orig: True if the entity was sent by the originator of the TCP connection.

http_entity_data¶

Type: event (c: connection, is_orig: bool, length: count, data: string)

Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data of not further defined size.

A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string; and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for HTTP tranders. At the very least, one should impose an upper size limit on how much data is being buffered.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Is_orig: True if the entity was sent by the originator of the TCP connection.
Length: The length of data.
Data: One chunk of raw entity data.

http_content_type¶

Type: event (c: connection, is_orig: bool, ty: string, subty: string)

Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Is_orig: True if the entity was sent by the originator of the TCP connection.
Ty: The main type.
Subty: The subtype.

Note

This event is also raised for headers found in nested body entities.

http_message_done¶

Type: event (c: connection, is_orig: bool, stat: http_message_stat)

Generated once at the end of parsing an HTTP message. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Is_orig: True if the entity was sent by the originator of the TCP connection.
Stat: Further meta information about the message.

http_event¶

Type: event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding HTTP requests or replies.

See Wikipedia for more information about the HTTP protocol.

C: The connection.
Event_type: A string describing the general category of the problem found (e.g., illegal format).
Detail: Further more detailed description of the error.

http_stats¶

Type: event (c: connection, stats: http_stats_rec)

Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.

C: The connection.
Stats: Statistics summarizing HTTP-level properties of the finished connection.

http_connection_upgrade¶

Type: event (c: connection, protocol: string)

Generated when a HTTP session is upgraded to a different protocol (e.g. websocket). This event is raised when a server replies with a HTTP 101 reply. No more HTTP events will be raised after this event.

C: The connection.
Protocol: The protocol to which the connection is switching.

Functions¶

skip_http_entity_data¶

Type: function (c: connection, is_orig: bool) : any

Skips the data of the HTTP entity.

C: The HTTP connection.
Is_orig: If true, the client data is skipped, and the server data otherwise.

Zeek::Ident¶

Ident analyzer

Components¶

Analyzer::ANALYZER_IDENT

Events¶

ident_request¶

Type: event (c: connection, lport: port, rport: port)

Generated for Ident requests.

See Wikipedia for more information about the Ident protocol.

C: The connection.
Lport: The request’s local port.
Rport: The request’s remote port.

Zeek::IMAP¶

IMAP analyzer (StartTLS only)

Components¶

Analyzer::ANALYZER_IMAP

Events¶

imap_capabilities¶

Type: event (c: connection, capabilities: string_vec)

Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.

C: The connection.
Capabilities: The list of IMAP capabilities as sent by the server.

imap_starttls¶

Type: event (c: connection)

Generated when a IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.

C: The connection.

Zeek::IRC¶

IRC analyzer

Components¶

Analyzer::ANALYZER_IRC

Events¶

irc_request¶

Type: event (c: connection, is_orig: bool, prefix: string, command: string, arguments: string)

Generated for all client-side IRC commands.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: Always true.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Command: The command.
Arguments: The arguments for the command.

Note

This event is generated only for messages that originate at the client-side. Commands coming in from remote trigger the irc_message event instead.

irc_reply¶

Type: event (c: connection, is_orig: bool, prefix: string, code: count, params: string)

Generated for all IRC replies. IRC replies are sent in response to a request and come with a reply code.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Prefix: The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message.
Code: The reply code, as specified by the protocol.
Params: The reply’s parameters.

irc_message¶

Type: event (c: connection, is_orig: bool, prefix: string, command: string, message: string)

Generated for IRC commands forwarded from the server to the client.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: Always false.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Command: The command.
Message: TODO.

Note

This event is generated only for messages that are forwarded by the server to the client. Commands coming from client trigger the irc_request event instead.

irc_quit_message¶

Type: event (c: connection, is_orig: bool, nick: string, message: string)

Generated for IRC messages of type quit. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Nick: The nickname coming with the message.
Message: The text included with the message.

irc_privmsg_message¶

Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type privmsg. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Source: The source of the private communication.
Target: The target of the private communication.
Message: The text of communication.

irc_notice_message¶

Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type notice. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Source: The source of the private communication.
Target: The target of the private communication.
Message: The text of communication.

irc_squery_message¶

Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type squery. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Source: The source of the private communication.
Target: The target of the private communication.
Message: The text of communication.

irc_join_message¶

Type: event (c: connection, is_orig: bool, info_list: irc_join_list)

Generated for IRC messages of type join. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Info_list: The user information coming with the command.

irc_part_message¶

Type: event (c: connection, is_orig: bool, nick: string, chans: string_set, message: string)

Generated for IRC messages of type part. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Nick: The nickname coming with the message.
Chans: The set of channels affected.
Message: The text coming with the message.

irc_nick_message¶

Type: event (c: connection, is_orig: bool, who: string, newnick: string)

Generated for IRC messages of type nick. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Who: The user changing its nickname.
Newnick: The new nickname.

irc_invalid_nick¶

Type: event (c: connection, is_orig: bool)

Generated when a server rejects an IRC nickname.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.

irc_network_info¶

Type: event (c: connection, is_orig: bool, users: count, services: count, servers: count)

Generated for an IRC reply of type luserclient.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Users: The number of users as returned in the reply.
Services: The number of services as returned in the reply.
Servers: The number of servers as returned in the reply.

irc_server_info¶

Type: event (c: connection, is_orig: bool, users: count, services: count, servers: count)

Generated for an IRC reply of type luserme.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Users: The number of users as returned in the reply.
Services: The number of services as returned in the reply.
Servers: The number of servers as returned in the reply.

irc_channel_info¶

Type: event (c: connection, is_orig: bool, chans: count)

Generated for an IRC reply of type luserchannels.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Chans: The number of channels as returned in the reply.

irc_who_line¶

Type: event (c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string)

Generated for an IRC reply of type whoreply.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Target_nick: The target nickname.
Channel: The channel.
User: The user.
Host: The host.
Server: The server.
Nick: The nickname.
Params: The parameters.
Hops: The hop count.
Real_name: The real name.

irc_names_info¶

Type: event (c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)

Generated for an IRC reply of type namereply.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
C_type: The channel type.
Channel: The channel.
Users: The set of users.

irc_whois_operator_line¶

Type: event (c: connection, is_orig: bool, nick: string)

Generated for an IRC reply of type whoisoperator.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Nick: The nickname specified in the reply.

irc_whois_channel_line¶

Type: event (c: connection, is_orig: bool, nick: string, chans: string_set)

Generated for an IRC reply of type whoischannels.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Nick: The nickname specified in the reply.
Chans: The set of channels returned.

irc_whois_user_line¶

Type: event (c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string)

Generated for an IRC reply of type whoisuser.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Nick: The nickname specified in the reply.
User: The user name specified in the reply.
Host: The host name specified in the reply.
Real_name: The real name specified in the reply.

irc_oper_response¶

Type: event (c: connection, is_orig: bool, got_oper: bool)

Generated for IRC replies of type youreoper and nooperhost.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Got_oper: True if the oper command was executed successfully (youreport) and false otherwise (nooperhost).

irc_global_users¶

Type: event (c: connection, is_orig: bool, prefix: string, msg: string)

Generated for an IRC reply of type globalusers.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Msg: The message coming with the reply.

irc_channel_topic¶

Type: event (c: connection, is_orig: bool, channel: string, topic: string)

Generated for an IRC reply of type topic.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Channel: The channel name specified in the reply.
Topic: The topic specified in the reply.

irc_who_message¶

Type: event (c: connection, is_orig: bool, mask: string, oper: bool)

Generated for IRC messages of type who. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Mask: The mask specified in the message.
Oper: True if the operator flag was set.

irc_whois_message¶

Type: event (c: connection, is_orig: bool, server: string, users: string)

Generated for IRC messages of type whois. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Server: TODO.
Users: TODO.

irc_oper_message¶

Type: event (c: connection, is_orig: bool, user: string, password: string)

Generated for IRC messages of type oper. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
User: The user specified in the message.
Password: The password specified in the message.

irc_kick_message¶

Type: event (c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string)

Generated for IRC messages of type kick. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Chans: The channels specified in the message.
Users: The users specified in the message.
Comment: The comment specified in the message.

irc_error_message¶

Type: event (c: connection, is_orig: bool, prefix: string, message: string)

Generated for IRC messages of type error. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Message: The textual description specified in the message.

irc_invite_message¶

Type: event (c: connection, is_orig: bool, prefix: string, nickname: string, channel: string)

Generated for IRC messages of type invite. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Nickname: The nickname specified in the message.
Channel: The channel specified in the message.

irc_mode_message¶

Type: event (c: connection, is_orig: bool, prefix: string, params: string)

Generated for IRC messages of type mode. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Params: The parameters coming with the message.

irc_squit_message¶

Type: event (c: connection, is_orig: bool, prefix: string, server: string, message: string)

Generated for IRC messages of type squit. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Server: The server specified in the message.
Message: The textual description specified in the message.

irc_dcc_message ¶

Type: event (c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count)

Generated for IRC messages of type dcc. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
Target: The target specified in the message.
Dcc_type: The DCC type specified in the message.
Argument: The argument specified in the message.
Address: The address specified in the message.
Dest_port: The destination port specified in the message.
Size: The size specified in the message.

irc_user_message¶

Type: event (c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string)

Generated for IRC messages of type user. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
User: The user specified in the message.
Host: The host name specified in the message.
Server: The server name specified in the message.
Real_name: The real name specified in the message.

irc_password_message¶

Type: event (c: connection, is_orig: bool, password: string)

Generated for IRC messages of type password. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C: The connection.
Is_orig: True if the command was sent by the originator of the TCP connection.
Password: The password specified in the message.

irc_starttls¶

Type: event (c: connection)

Generated if an IRC connection switched to TLS using STARTTLS. After this event no more IRC events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.

C: The connection.

Zeek::KRB¶

Kerberos analyzer

Components¶

Analyzer::ANALYZER_KRB

Analyzer::ANALYZER_KRB_TCP

Options/Constants¶

KRB::keytab ¶

Type: string
Attributes: &redef
Default: ""

Kerberos keytab file name. Used to decrypt tickets encountered on the wire.

Types¶

KRB::Error_Msg ¶

Type

record

pvno: count &optional: Protocol version number (5 for KRB5)
msg_type: count &optional: The message type (30 for ERROR_MSG)
client_time: time &optional: Current time on the client
server_time: time &optional: Current time on the server
error_code: count: The specific error code
client_realm: string &optional: Realm of the ticket
client_name: string &optional: Name on the ticket
service_realm: string &optional: Realm of the service
service_name: string &optional: Name of the service
error_text: string &optional: Additional text to explain the error
pa_data: vector of KRB::Type_Value &optional: Optional pre-authentication data

The data from the ERROR_MSG message. See RFC 4120.

KRB::SAFE_Msg ¶

Type

record

pvno: count: Protocol version number (5 for KRB5)
msg_type: count: The message type (20 for SAFE_MSG)
data: string: The application-specific data that is being passed from the sender to the reciever
timestamp: time &optional: Current time from the sender of the message
seq: count &optional: Sequence number used to detect replays
sender: KRB::Host_Address &optional: Sender address
recipient: KRB::Host_Address &optional: Recipient address

The data from the SAFE message. See RFC 4120.

KRB::KDC_Options ¶

Type

record

forwardable: bool: The ticket to be issued should have its forwardable flag set.
forwarded: bool: A (TGT) request for forwarding.
proxiable: bool: The ticket to be issued should have its proxiable flag set.
proxy: bool: A request for a proxy.
allow_postdate: bool: The ticket to be issued should have its may-postdate flag set.
postdated: bool: A request for a postdated ticket.
renewable: bool: The ticket to be issued should have its renewable flag set.
opt_hardware_auth: bool: Reserved for opt_hardware_auth
disable_transited_check: bool: Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.
renewable_ok: bool: If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable
enc_tkt_in_skey: bool: The ticket for the end server is to be encrypted in the session key from the additional TGT provided
renew: bool: The request is for a renewal
validate: bool: The request is to validate a postdated ticket.

KDC Options. See RFC 4120

KRB::AP_Options ¶

Type

record

use_session_key: bool: Indicates that user-to-user-authentication is in use
mutual_required: bool: Mutual authentication is required

AP Options. See RFC 4120

KRB::Type_Value ¶

Type

record

data_type: count: The data type
val: string: The data value

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Ticket ¶

Type

record

pvno: count: Protocol version number (5 for KRB5)
realm: string: Realm
service_name: string: Name of the service
cipher: count: Cipher the ticket was encrypted with
ciphertext: string &optional: Cipher text of the ticket
authenticationinfo: string &optional: Authentication info

A Kerberos ticket. See RFC 4120.

KRB::Ticket_Vector ¶

Type: vector of KRB::Ticket

KRB::Host_Address ¶

Type

record

ip: addr &log &optional: IPv4 or IPv6 address
netbios: string &log &optional: NetBIOS address
unknown: KRB::Type_Value &optional: Some other type that we don’t support yet

A Kerberos host address See RFC 4120.

KRB::KDC_Request ¶

Type

record

pvno: count: Protocol version number (5 for KRB5)
msg_type: count: The message type (10 for AS_REQ, 12 for TGS_REQ)
pa_data: vector of KRB::Type_Value &optional: Optional pre-authentication data
kdc_options: KRB::KDC_Options &optional: Options specified in the request
client_name: string &optional: Name on the ticket
service_realm: string &optional: Realm of the service
service_name: string &optional: Name of the service
from: time &optional: Time the ticket is good from
till: time &optional: Time the ticket is good till
rtime: time &optional: The requested renew-till time
nonce: count &optional: A random nonce generated by the client
encryption_types: vector of count &optional: The desired encryption algorithms, in order of preference
host_addrs: vector of KRB::Host_Address &optional: Any additional addresses the ticket should be valid for
additional_tickets: vector of KRB::Ticket &optional: Additional tickets may be included for certain transactions

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

KRB::KDC_Response ¶

Type

record

pvno: count: Protocol version number (5 for KRB5)
msg_type: count: The message type (11 for AS_REP, 13 for TGS_REP)
pa_data: vector of KRB::Type_Value &optional: Optional pre-authentication data
client_realm: string &optional: Realm on the ticket
client_name: string: Name on the service
ticket: KRB::Ticket: The ticket that was issued

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

Events¶

krb_as_request ¶

Type: event (c: connection, msg: KRB::KDC_Request)

A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. The AS request contains a username of the client requesting authentication, and returns an AS reply with an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Msg: A Kerberos KDC request message data structure.

krb_as_response¶

Type: event (c: connection, msg: KRB::KDC_Response)

A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. Following the AS request for a user, an AS reply contains an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Msg: A Kerberos KDC reply message data structure.

krb_tgs_request ¶

Type: event (c: connection, msg: KRB::KDC_Request)

A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. Following the Authentication Server exchange, if successful, the client now has a Ticket Granting Ticket (TGT). To authenticate to a Kerberized service, the client requests a Service Ticket, which will be returned in the TGS reply.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Msg: A Kerberos KDC request message data structure.

krb_tgs_response¶

Type: event (c: connection, msg: KRB::KDC_Response)

A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. This message returns a Service Ticket to the client, which is encrypted with the service’s long-term key, and which the client can use to authenticate to that service.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Msg: A Kerberos KDC reply message data structure.

krb_ap_request¶

Type: event (c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)

A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. This message contains authentication information that should be part of the first message in an authenticated transaction.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Ticket: The Kerberos ticket being used for authentication.
Opts: A Kerberos AP options data structure.

krb_ap_response¶

Type: event (c: connection)

A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. This is used if mutual authentication is desired. All of the interesting information in here is encrypted, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.

krb_priv¶

Type: event (c: connection, is_orig: bool)

A Kerberos 5 Private Message as defined in RFC 4120. This is a private (encrypted) application message, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Is_orig: Whether the originator of the connection sent this message.

krb_safe¶

Type: event (c: connection, is_orig: bool, msg: KRB::SAFE_Msg)

A Kerberos 5 Safe Message as defined in RFC 4120. This is a safe (checksummed) application message.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Is_orig: Whether the originator of the connection sent this message.
Msg: A Kerberos SAFE message data structure.

krb_cred¶

Type: event (c: connection, is_orig: bool, tickets: KRB::Ticket_Vector)

A Kerberos 5 Credential Message as defined in RFC 4120. This is a private (encrypted) message to forward credentials.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Is_orig: Whether the originator of the connection sent this message.
Tickets: Tickets obtained from the KDC that are being forwarded.

krb_error¶

Type: event (c: connection, msg: KRB::Error_Msg)

A Kerberos 5 Error Message as defined in RFC 4120.

See Wikipedia for more information about the Kerberos protocol.

C: The connection over which this Kerberos message was sent.
Msg: A Kerberos error message data structure.

Zeek::Login¶

Telnet/Rsh/Rlogin analyzers

Components¶

Analyzer::ANALYZER_CONTENTS_RLOGIN

Analyzer::ANALYZER_CONTENTS_RSH

Analyzer::ANALYZER_LOGIN

Analyzer::ANALYZER_NVT

Analyzer::ANALYZER_RLOGIN

Analyzer::ANALYZER_RSH

Analyzer::ANALYZER_TELNET

Events¶

rsh_request¶

Type: event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C: The connection.
Client_user: The client-side user name as sent in the initial protocol handshake.
Server_user: The server-side user name as sent in the initial protocol handshake.
Line: The command line sent in the request.
New_session: True if this is the first command of the Rsh session.

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rsh_reply¶

Type: event (c: connection, client_user: string, server_user: string, line: string)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C: The connection.
Client_user: The client-side user name as sent in the initial protocol handshake.
Server_user: The server-side user name as sent in the initial protocol handshake.
Line: The command line sent in the request.

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

login_failure¶

Type: event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.

C: The connection.
User: The user name tried.
Client_user: For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
Password: The password tried.
Line: The line of text that led the analyzer to conclude that the authentication had failed.

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeeks’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_success¶

Type: event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.

C: The connection.
User: The user name used.
Client_user: For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
Password: The password used.
Line: The line of text that led the analyzer to conclude that the authentication had succeeded.

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_input_line¶

Type: event (c: connection, line: string)

Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C: The connection.
Line: The input line.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_output_line¶

Type: event (c: connection, line: string)

Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C: The connection.
Line: The ouput line.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_confused¶

Type: event (c: connection, msg: string, line: string)

Generated when tracking of Telnet/Rlogin authentication failed. As Zeek’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.

C: The connection.
Msg: Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them)
Line: The line of text that caused the heuristics to conclude they were confused.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_confused_text¶

Type: event (c: connection, line: string)

Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this even for every line of user input after it has reported login_confused for a connection.

C: The connection.
Line: The line the user typed.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_terminal¶

Type: event (c: connection, terminal: string)

Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

C: The connection.
Terminal: The TERM value transmitted.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_display¶

Type: event (c: connection, display: string)

Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

C: The connection.
Display: The DISPLAY transmitted.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_accepted¶

Type: event (name: string, c: connection)

Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Name: The authenticated name.
C: The connection.

Note

This event inspects the corresponding Telnet option while login_success heuristically determines success by watching session data.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_rejected¶

Type: event (name: string, c: connection)

Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Name: The attempted authentication name.
C: The connection.

Note

This event inspects the corresponding Telnet option while login_success heuristically determines failure by watching session data.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_skipped¶

Type: event (c: connection)

Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.

See Wikipedia for more information about the Telnet protocol.

C: The connection.

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_prompt¶

Type: event (c: connection, prompt: string)

Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

See Wikipedia for more information about the Telnet protocol.

C: The connection.
Prompt: The TTYPROMPT transmitted.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

activating_encryption¶

Type: event (c: connection)

Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

C: The connection.

inconsistent_option¶

Type: event (c: connection)

Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.

See Wikipedia for more information about the Telnet protocol.

C: The connection.

bad_option¶

Type: event<