Protocol Analyzers

- Analyzer::Tag
  Type: enum
  - Analyzer::ANALYZER_AYIYA
  - Analyzer::ANALYZER_BITTORRENT
  - Analyzer::ANALYZER_BITTORRENTTRACKER
  - Analyzer::ANALYZER_CONNSIZE
  - Analyzer::ANALYZER_DCE_RPC
  - Analyzer::ANALYZER_DHCP
  - Analyzer::ANALYZER_DNP3_TCP
  - Analyzer::ANALYZER_DNP3_UDP
  - Analyzer::ANALYZER_CONTENTS_DNS
  - Analyzer::ANALYZER_DNS
  - Analyzer::ANALYZER_FTP_DATA
  - Analyzer::ANALYZER_IRC_DATA
  - Analyzer::ANALYZER_FINGER
  - Analyzer::ANALYZER_FTP
  - Analyzer::ANALYZER_FTP_ADAT
  - Analyzer::ANALYZER_GNUTELLA
  - Analyzer::ANALYZER_GSSAPI
  - Analyzer::ANALYZER_GTPV1
  - Analyzer::ANALYZER_HTTP
  - Analyzer::ANALYZER_ICMP
  - Analyzer::ANALYZER_IDENT
  - Analyzer::ANALYZER_IMAP
  - Analyzer::ANALYZER_IRC
  - Analyzer::ANALYZER_KRB
  - Analyzer::ANALYZER_KRB_TCP
  - Analyzer::ANALYZER_CONTENTS_RLOGIN
  - Analyzer::ANALYZER_CONTENTS_RSH
  - Analyzer::ANALYZER_LOGIN
  - Analyzer::ANALYZER_NVT
  - Analyzer::ANALYZER_RLOGIN
  - Analyzer::ANALYZER_RSH
  - Analyzer::ANALYZER_TELNET
  - Analyzer::ANALYZER_MODBUS
  - Analyzer::ANALYZER_MQTT
  - Analyzer::ANALYZER_MYSQL
  - Analyzer::ANALYZER_CONTENTS_NCP
  - Analyzer::ANALYZER_NCP
  - Analyzer::ANALYZER_CONTENTS_NETBIOSSSN
  - Analyzer::ANALYZER_NETBIOSSSN
  - Analyzer::ANALYZER_NTLM
  - Analyzer::ANALYZER_NTP
  - Analyzer::ANALYZER_PIA_TCP
  - Analyzer::ANALYZER_PIA_UDP
  - Analyzer::ANALYZER_POP3
  - Analyzer::ANALYZER_RADIUS
  - Analyzer::ANALYZER_RDP
  - Analyzer::ANALYZER_RDPEUDP
  - Analyzer::ANALYZER_RFB
  - Analyzer::ANALYZER_CONTENTS_NFS
  - Analyzer::ANALYZER_CONTENTS_RPC
  - Analyzer::ANALYZER_MOUNT
  - Analyzer::ANALYZER_NFS
  - Analyzer::ANALYZER_PORTMAPPER
  - Analyzer::ANALYZER_SIP
  - Analyzer::ANALYZER_CONTENTS_SMB
  - Analyzer::ANALYZER_SMB
  - Analyzer::ANALYZER_SMTP
  - Analyzer::ANALYZER_SNMP
  - Analyzer::ANALYZER_SOCKS
  - Analyzer::ANALYZER_SSH
  - Analyzer::ANALYZER_DTLS
  - Analyzer::ANALYZER_SSL
  - Analyzer::ANALYZER_STEPPINGSTONE
  - Analyzer::ANALYZER_SYSLOG
  - Analyzer::ANALYZER_CONTENTLINE
  - Analyzer::ANALYZER_CONTENTS
  - Analyzer::ANALYZER_TCP
  - Analyzer::ANALYZER_TCPSTATS
  - Analyzer::ANALYZER_TEREDO
  - Analyzer::ANALYZER_UDP
  - Analyzer::ANALYZER_VXLAN
  - Analyzer::ANALYZER_XMPP
  - Analyzer::ANALYZER_ZIP
Zeek::ARP

ARP Parsing

Components

Events

- arp_request
  Type: event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
  Generated for ARP requests.
  See Wikipedia for more information about the ARP protocol.
  mac_src: The request's source MAC address.
  mac_dst: The request's destination MAC address.
  SPA: The sender protocol address.
  SHA: The sender hardware address.
  TPA: The target protocol address.
  THA: The target hardware address.

- arp_reply
  Type: event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
  Generated for ARP replies.
  See Wikipedia for more information about the ARP protocol.
  mac_src: The reply's source MAC address.
  mac_dst: The reply's destination MAC address.
  SPA: The sender protocol address.
  SHA: The sender hardware address.
  TPA: The target protocol address.
  THA: The target hardware address.
  See also: arp_request, bad_arp

- bad_arp
  Type: event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
  Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
  SPA: The sender protocol address.
  SHA: The sender hardware address.
  TPA: The target protocol address.
  THA: The target hardware address.
  explanation: A short description of why the ARP packet is considered "bad".
  See also: arp_reply, arp_request

  Todo
  Zeek's current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
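As an added example (this is not part of Zeek's own scripts), the following handlers use arp_request and arp_reply as documented above to flag an IP-to-MAC rebinding announced by a reply that nobody asked for. Gratuitous ARP is legitimate on its own and a binding change is legitimate on its own (DHCP churn, failover), so the notice fires only when both hold at once. The module name, notice name, the 5 second request window and the 1 hour binding lifetime are this example's choices, and, as the Todo above notes, the ARP analyzer has to be enabled before these events are raised at all.

```zeek
##! Added example: detect ARP replies that rebind a known IP address to a new
##! MAC without a preceding request (a classic ARP-spoofing signature).
##! Not part of Zeek's distribution; names and intervals are this example's.

@load base/frameworks/notice

module ARPWatch;

export {
	redef enum Notice::Type += {
		## An unsolicited ARP reply moved an IP address to a new MAC.
		ARP_Unsolicited_Rebind,
	};

	## How long after a request a reply still counts as solicited.
	const request_window = 5secs &redef;

	## How long a learned IP->MAC binding is kept without being refreshed.
	const binding_lifetime = 1hr &redef;
}

## Protocol addresses that were asked about recently (TPA of a request).
global pending: set[addr] &create_expire=request_window;

## Last sender hardware address seen for each sender protocol address.
global bindings: table[addr] of string &create_expire=binding_lifetime;

event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                  TPA: addr, THA: string)
	{
	# Remember who was asked about so the matching reply can be recognised.
	add pending[TPA];
	}

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
	{
	local solicited = SPA in pending;
	if ( solicited )
		delete pending[SPA];

	# Both conditions at once: the binding changed AND nobody asked.
	if ( SPA in bindings && bindings[SPA] != SHA && ! solicited )
		NOTICE([$note=ARP_Unsolicited_Rebind,
		        $msg=fmt("%s moved from %s to %s (frame source %s) without a request",
		                 SPA, bindings[SPA], SHA, mac_src),
		        $src=SPA,
		        $identifier=cat(SPA, SHA)]);

	# Learn or refresh the binding either way, so the next change is judged
	# against what the network most recently asserted.
	bindings[SPA] = SHA;
	}
```

Mismatches between the Ethernet source (mac_src) and the ARP sender hardware address (SHA) are already reported by bad_arp, so this script does not repeat that check; keying the suppression identifier on (SPA, SHA) means a flapping address produces one notice per new binding rather than one per packet.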
Zeek::BitTorrent

BitTorrent Analyzer

Events

- bittorrent_peer_handshake
  Type: event (c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_keep_alive
  Type: event (c: connection, is_orig: bool)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_choke
  Type: event (c: connection, is_orig: bool)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_unchoke
  Type: event (c: connection, is_orig: bool)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_interested
  Type: event (c: connection, is_orig: bool)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_not_interested
  Type: event (c: connection, is_orig: bool)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_have
  Type: event (c: connection, is_orig: bool, piece_index: count)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_bitfield
  Type: event (c: connection, is_orig: bool, bitfield: string)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_request
  Type: event (c: connection, is_orig: bool, index: count, begin: count, length: count)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_piece
  Type: event (c: connection, is_orig: bool, index: count, begin: count, piece_length: count)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_cancel
  Type: event (c: connection, is_orig: bool, index: count, begin: count, length: count)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_port
  Type: event (c: connection, is_orig: bool, listen_port: port)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bittorrent_peer_unknown
  Type: event (c: connection, is_orig: bool, message_id: count, data: string)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_weird

- bittorrent_peer_weird
  Type: event (c: connection, is_orig: bool, msg: string)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown

- bt_tracker_request
  Type: event (c: connection, uri: string, headers: bt_tracker_headers)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bt_tracker_response
  Type: event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bt_tracker_response_not_ok
  Type: event (c: connection, status: count, headers: bt_tracker_headers)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

- bt_tracker_weird
  Type: event (c: connection, is_orig: bool, msg: string)
  TODO.
  See Wikipedia for more information about the BitTorrent protocol.
  See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
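The event descriptions above are still marked TODO, so as an added example (not part of Zeek's scripts) here is the one thing most analysts want from this analyzer: a log of which swarm each peer connection belongs to. It consumes bittorrent_peer_handshake, turns the 20 raw bytes of info_hash into the 40 hex characters torrent sites and threat feeds use, and records the start of peer_id. The log name, the field set, and the assumption that the first 8 bytes of peer_id carry an Azureus-style "-XXnnnn-" client tag are this example's; the tag is logged as-is, not parsed.

```zeek
##! Added example: write a bt_swarm.log record per BitTorrent peer handshake
##! with the swarm's info_hash in hex. Not part of Zeek's distribution; the
##! stream name and columns are this example's choices.

@load base/frameworks/logging

module BTSwarm;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:         time    &log;
		uid:        string  &log;
		id:         conn_id &log;
		## T if the connection originator sent this handshake.
		is_orig:    bool    &log;
		## Torrent info_hash: 20 bytes on the wire, 40 hex characters here.
		info_hash:  string  &log;
		## First 8 bytes of peer_id; assumed (not verified) to hold the
		## client's "-XXnnnn-" style tag. Logged raw, escaped by the writer.
		client_tag: string  &log;
	};
}

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="bt_swarm"]);
	}

event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string,
                                info_hash: string, peer_id: string)
	{
	local rec: Info = [$ts=network_time(),
	                   $uid=c$uid,
	                   $id=c$id,
	                   $is_orig=is_orig,
	                   $info_hash=bytestring_to_hexstr(info_hash),
	                   $client_tag=sub_bytes(peer_id, 1, 8)];
	Log::write(LOG, rec);
	}
```

Both sides of a peer connection send a handshake, so a normal exchange yields two rows with the same uid and opposite is_orig; a row whose counterpart never arrives is a quick way to spot peers that were refused.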
Zeek::ConnSize

Connection size analyzer

Components

Events

- conn_bytes_threshold_crossed
  Type: event (c: connection, threshold: count, is_orig: bool)
  Generated for a connection that crossed a set byte threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::bytes_threshold_crossed instead.
  c: the connection
  threshold: the threshold that was set
  is_orig: true if the threshold was crossed by the originator of the connection
  See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold

- conn_packets_threshold_crossed
  Type: event (c: connection, threshold: count, is_orig: bool)
  Generated for a connection that crossed a set packet threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::packets_threshold_crossed instead.
  c: the connection
  threshold: the threshold that was set
  is_orig: true if the threshold was crossed by the originator of the connection
  See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold

- conn_duration_threshold_crossed
  Type: event (c: connection, threshold: interval, is_orig: bool)
  Generated for a connection that crossed a set duration threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::duration_threshold_crossed instead.
  Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.
  c: the connection
  threshold: the threshold that was set
  is_orig: true if the threshold was crossed by the originator of the connection
  See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

Functions

- set_current_conn_bytes_threshold
  Type: function (cid: conn_id, threshold: count, is_orig: bool): bool
  Sets the current byte threshold for connection sizes, overwriting any old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_bytes_threshold).
  cid: The connection id.
  threshold: Threshold in bytes.
  is_orig: If true, the threshold is set for bytes from the originator, otherwise for bytes from the responder.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

- set_current_conn_packets_threshold
  Type: function (cid: conn_id, threshold: count, is_orig: bool): bool
  Sets a threshold for connection packets, overwriting any old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_packets_threshold).
  cid: The connection id.
  threshold: Threshold in packets.
  is_orig: If true, the threshold is set for packets from the originator, otherwise for packets from the responder.
  See also: set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

- set_current_conn_duration_threshold
  Type: function (cid: conn_id, threshold: interval): bool
  Sets the current duration threshold for a connection, overwriting any old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_duration_threshold).
  cid: The connection id.
  threshold: The duration threshold, as an interval.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, get_current_conn_duration_threshold

- get_current_conn_bytes_threshold
  Type: function (cid: conn_id, is_orig: bool): count
  Gets the current byte threshold for a connection.
  cid: The connection id.
  is_orig: If true, the threshold of the originator, otherwise the threshold of the responder.
  Returns: 0 if no threshold is set, otherwise the threshold in bytes.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

- get_current_conn_packets_threshold
  Type: function (cid: conn_id, is_orig: bool): count
  Gets the current packet threshold for a connection.
  cid: The connection id.
  is_orig: If true, the threshold of the originator, otherwise the threshold of the responder.
  Returns: 0 if no threshold is set, otherwise the threshold in packets.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

- get_current_conn_duration_threshold
  Type: function (cid: conn_id): interval
  Gets the current duration threshold for a connection.
  cid: The connection id.
  Returns: a zero interval if no threshold is set, otherwise the threshold.
  See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold, set_current_conn_duration_threshold
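The functions above each hold a single threshold per direction and overwrite whatever was set before, which is why the page steers user code to the ConnThreshold API. As an added example (not part of Zeek's distribution), this script uses that API, with the ConnThreshold::set_bytes_threshold and ConnThreshold::bytes_threshold_crossed names given above and the signatures from Zeek's base/protocols/conn/thresholds.zeek, to raise a notice when a local host uploads more than a configurable amount to a remote responder, then doubles the threshold so a long transfer keeps reporting at a decreasing rate. The 100 MiB starting point, the notice name and the reliance on Site::local_nets are this example's choices.

```zeek
##! Added example: notice on large outbound transfers using the high-level
##! ConnThreshold API rather than the raw set_current_conn_bytes_threshold
##! BIF. Not part of Zeek's distribution; threshold and names are this
##! example's choices. Requires Site::local_nets to be configured.

@load base/frameworks/notice
@load base/protocols/conn
@load base/utils/site

module LargeUpload;

export {
	redef enum Notice::Type += {
		## A local originator sent more than the current threshold of bytes
		## to a remote responder within a single connection.
		Threshold_Crossed,
	};

	## Originator byte count for the first notice; each later notice fires
	## when the previous threshold doubles (100 MiB, 200 MiB, 400 MiB, ...).
	const first_threshold = 100 * 1024 * 1024 &redef;
}

event connection_established(c: connection)
	{
	# Arm only for outbound TCP: local client talking to a remote server.
	if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
		ConnThreshold::set_bytes_threshold(c, first_threshold, T);
	}

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
	{
	# Other scripts may have set responder-side thresholds; those are not ours.
	if ( ! is_orig )
		return;

	NOTICE([$note=Threshold_Crossed,
	        $msg=fmt("%s has sent more than %d bytes to %s:%s",
	                 c$id$orig_h, threshold, c$id$resp_h, c$id$resp_p),
	        $conn=c,
	        $identifier=cat(c$uid, threshold)]);

	# Re-arm at double the size; ConnThreshold keeps a set of pending
	# thresholds per connection, so this does not clobber anyone else's.
	ConnThreshold::set_bytes_threshold(c, threshold * 2, T);
	}
```

The same pattern with ConnThreshold::set_duration_threshold gives a long-lived-connection detector, with the caveat documented for conn_duration_threshold_crossed above: the event arrives with the next packet after the deadline, not at the deadline itself, so an idle beacon that has already stopped talking will not trigger it.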
Zeek::DCE_RPC

DCE-RPC analyzer

Components

Options/Constants

Types

- DCE_RPC::PType
  Type: enum
  - DCE_RPC::REQUEST
  - DCE_RPC::PING
  - DCE_RPC::RESPONSE
  - DCE_RPC::FAULT
  - DCE_RPC::WORKING
  - DCE_RPC::NOCALL
  - DCE_RPC::REJECT
  - DCE_RPC::ACK
  - DCE_RPC::CL_CANCEL
  - DCE_RPC::FACK
  - DCE_RPC::CANCEL_ACK
  - DCE_RPC::BIND
  - DCE_RPC::BIND_ACK
  - DCE_RPC::BIND_NAK
  - DCE_RPC::ALTER_CONTEXT
  - DCE_RPC::ALTER_CONTEXT_RESP
  - DCE_RPC::AUTH3
  - DCE_RPC::SHUTDOWN
  - DCE_RPC::CO_CANCEL
  - DCE_RPC::ORPHANED
  - DCE_RPC::RTS

Events

- dce_rpc_message
  Type: event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)
  Generated for every DCE-RPC message.
  c: The connection.
  is_orig: True if the message was sent by the originator of the TCP connection.
  fid: File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ptype_id: Numeric representation of the PDU type (ptype) of the message.
  ptype: Enum representation of the PDU type of the message.
  See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

- dce_rpc_bind
  Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
  Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
  c: The connection.
  fid: File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id: The context identifier of the data representation.
  uuid: The UUID of the endpoint being requested, as a string.
  ver_major: The major version of the endpoint being requested.
  ver_minor: The minor version of the endpoint being requested.
  See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

- dce_rpc_alter_context
  Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
  Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
  c: The connection.
  fid: File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id: The context identifier of the data representation.
  uuid: The UUID of the endpoint being requested, as a string.
  ver_major: The major version of the endpoint being requested.
  ver_minor: The minor version of the endpoint being requested.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp

- dce_rpc_bind_ack
  Type: event (c: connection, fid: count, sec_addr: string)
  Generated for every DCE-RPC bind acknowledgement (bind_ack) message.
  c: The connection.
  fid: File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  sec_addr: Secondary address for the ack.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response

- dce_rpc_alter_context_resp
  Type: event (c: connection, fid: count)
  Generated for every DCE-RPC alter context response message.
  c: The connection.
  fid: File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context

- dce_rpc_request
  Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
  Generated for every DCE-RPC request message.
  c: The connection.
  fid: File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id: The context identifier of the data representation.
  opnum: Number of the RPC operation.
  stub_len: Length of the data for the request.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response

- dce_rpc_response
  Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
  Generated for every DCE-RPC response message.
  c: The connection.
  fid: File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC message was not transported over a pipe.
  ctx_id: The context identifier of the data representation.
  opnum: Number of the RPC operation.
  stub_len: Length of the data for the response.
  See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request
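A dce_rpc_request carries only a ctx_id and an opnum; which interface that opnum belongs to is known only from the earlier dce_rpc_bind (or dce_rpc_alter_context) that established the context, and because several named pipes can share one SMB connection the association has to be keyed on (fid, ctx_id), not ctx_id alone. As an added example (not part of Zeek's distribution, which keeps its own per-connection state for this), the script below does that join and flags a request matching a watch-list of (interface UUID, opnum) pairs. The one entry shipped, the svcctl interface UUID 367abb81-9844-35f1-ad32-98f038001003 with opnum 12 (RCreateServiceW in MS-SCMR, the remote service creation used by PsExec-style lateral movement), is this example's assumption and should be verified against the specification before relying on it; the module and notice names and the 15 minute context lifetime are also this example's choices.

```zeek
##! Added example: attribute DCE-RPC requests to the interface they were
##! bound to and notice on watched (uuid, opnum) pairs. Not part of Zeek's
##! distribution; the watch-list value is an assumption to be verified.

@load base/frameworks/notice

module RPCWatch;

export {
	redef enum Notice::Type += {
		## A DCE-RPC request matched a watched interface/opnum pair.
		Watched_Operation,
	};

	## (interface UUID, opnum) -> label. Example value assumed from MS-SCMR:
	## svcctl RCreateServiceW. Extend via redef for the site's own list.
	const watched: table[string, count] of string = {
		["367abb81-9844-35f1-ad32-98f038001003", 12] = "svcctl::RCreateServiceW",
	} &redef;

	## How long a bind context is remembered after its last use.
	const ctx_lifetime = 15mins &redef;
}

## (connection uid, pipe fid, presentation context id) -> bound interface UUID.
global ctx_uuid: table[string, count, count] of string &write_expire=ctx_lifetime;

event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string,
                   ver_major: count, ver_minor: count)
	{
	# One bind PDU can name several contexts; this fires once per context.
	ctx_uuid[c$uid, fid, ctx_id] = to_lower(uuid);
	}

event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string,
                            ver_major: count, ver_minor: count)
	{
	# alter_context adds or changes contexts after the initial bind.
	ctx_uuid[c$uid, fid, ctx_id] = to_lower(uuid);
	}

event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count,
                      stub_len: count)
	{
	# No bind seen (e.g. capture started mid-session): nothing to attribute to.
	if ( [c$uid, fid, ctx_id] !in ctx_uuid )
		return;

	local uuid = ctx_uuid[c$uid, fid, ctx_id];
	if ( [uuid, opnum] !in watched )
		return;

	NOTICE([$note=Watched_Operation,
	        $msg=fmt("%s called %s (uuid %s opnum %d, %d stub bytes) on %s",
	                 c$id$orig_h, watched[uuid, opnum], uuid, opnum, stub_len,
	                 c$id$resp_h),
	        $conn=c,
	        $identifier=cat(c$uid, fid, ctx_id, opnum)]);
	}
```

Keying on fid matters in practice: a client that opens \PIPE\svcctl and \PIPE\samr over the same SMB session can legitimately use ctx_id 0 on both, and without the fid the second bind would silently relabel the first.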
Zeek::DHCP

DHCP analyzer

Components

Types

- DHCP::Msg
  Type: record
  - op: count
    Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
  - m_type: count
    The type of DHCP message.
  - xid: count
    Transaction ID of a DHCP session.
  - secs: interval
    Number of seconds since the client began the address acquisition or renewal process.
  - flags: count
  - ciaddr: addr
    Original IP address of the client.
  - yiaddr: addr
    IP address assigned to the client.
  - siaddr: addr
    IP address of the server.
  - giaddr: addr
    IP address of the relaying gateway.
  - chaddr: string
    Client hardware address.
  - sname: string &default="" &optional
    Server host name.
  - file_n: string &default="" &optional
    Boot file name.
  A DHCP message.
  See also: dhcp_message

- DHCP::Addrs
  Type: vector of addr
  A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.
  See also: dhcp_message

- DHCP::SubOpt
  Type: record
  - code: count
  - value: string
  DHCP Relay Agent Information Option (Option 82)
  See also: dhcp_message

- DHCP::SubOpts
  Type: vector of DHCP::SubOpt

- DHCP::ClientFQDN
  Type: record
  DHCP Client FQDN Option information (Option 81)

- DHCP::ClientID
  Type: record
  - hwtype: count
  - hwaddr: string
  DHCP Client Identifier (Option 61)
  See also: dhcp_message

- DHCP::Options
  Type: record
  - options: index_vec &optional
    The ordered list of all DHCP option numbers.
  - subnet_mask: addr &optional
    Subnet Mask Value (option 1)
  - routers: DHCP::Addrs &optional
    Router addresses (option 3)
  - dns_servers: DHCP::Addrs &optional
    DNS Server addresses (option 6)
  - host_name: string &optional
    The Hostname of the client (option 12)
  - domain_name: string &optional
    The DNS domain name of the client (option 15)
  - forwarding: bool &optional
    Enable/Disable IP Forwarding (option 19)
  - broadcast: addr &optional
    Broadcast Address (option 28)
  - vendor: string &optional
    Vendor specific data. This can frequently be unparsed binary data. (option 43)
  - nbns: DHCP::Addrs &optional
    NETBIOS name server list (option 44)
  - addr_request: addr &optional
    Address requested by the client (option 50)
  - lease: interval &optional
    Lease time offered by the server. (option 51)
  - serv_addr: addr &optional
    Server address to allow clients to distinguish between lease offers. (option 54)
  - param_list: index_vec &optional
    DHCP Parameter Request list (option 55)
  - message: string &optional
    Textual error message (option 56)
  - max_msg_size: count &optional
    Maximum Message Size (option 57)
  - renewal_time: interval &optional
    This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)
  - rebinding_time: interval &optional
    This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)
  - vendor_class: string &optional
    This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)
  - client_id: DHCP::ClientID &optional
    DHCP Client Identifier (Option 61)
  - user_class: string &optional
    User Class opaque value (Option 77)
  - client_fqdn: DHCP::ClientFQDN &optional
    DHCP Client FQDN (Option 81)
  - sub_opt: DHCP::SubOpts &optional
    DHCP Relay Agent Information Option (Option 82)
  - auto_config: bool &optional
    Auto Config option to let the host know if it is allowed to auto assign an IP address. (Option 116)
  - auto_proxy_config: string &optional
    URL to find a proxy.pac for auto proxy config (Option 252)
  - time_offset: int &optional
    The offset of the client's subnet in seconds from UTC. (Option 2)
  - time_servers: DHCP::Addrs &optional
    A list of RFC 868 time servers available to the client. (Option 4)
  - name_servers: DHCP::Addrs &optional
    A list of IEN 116 name servers available to the client. (Option 5)
  - ntp_servers: DHCP::Addrs &optional
    A list of IP addresses indicating NTP servers available to the client. (Option 42)

Events

- dhcp_message
  Type: event (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
  Generated for all DHCP messages.
  c: The connection record describing the underlying UDP flow.
  is_orig: Indicates whether the message came in a packet from the originator/client of the UDP flow or from the responder/server.
  msg: The parsed type-independent part of the DHCP message. The message type is indicated in this record.
  options: The full set of supported and parsed DHCP options.
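Because dhcp_message hands over both the fixed header (DHCP::Msg) and the parsed options (DHCP::Options), one handler can check the three things an attacker on the local segment gets to control with a rogue DHCP server: who is answering, which resolvers clients are told to use, and whether a proxy auto-config URL (option 252, the WPAD vector) is being pushed. As an added example (not part of Zeek's distribution), the script below does exactly that for server-to-client OFFER and ACK messages. The allow-lists hold constructed placeholder addresses to be replaced with the site's own, the notice and module names are this example's, and message type values 2 (DHCPOFFER) and 5 (DHCPACK) are the standard option 53 codes.

```zeek
##! Added example: spot a rogue DHCP server and hostile lease contents from
##! dhcp_message. Not part of Zeek's distribution; allow-list addresses are
##! constructed placeholders.

@load base/frameworks/notice

module DHCPWatch;

export {
	redef enum Notice::Type += {
		## An OFFER/ACK came from a server identifier not on the allow-list.
		Rogue_Server,
		## A lease handed out a DNS server not on the allow-list.
		Unexpected_DNS_Server,
		## A lease carried option 252 (proxy auto-config URL).
		WPAD_Option_Seen,
	};

	## Authorized DHCP servers (constructed example values; redef for real use).
	const allowed_servers: set[addr] = { 10.0.0.2, 10.0.0.3 } &redef;

	## Resolvers clients are expected to receive (constructed example values).
	const allowed_dns: set[addr] = { 10.0.0.53 } &redef;
}

## DHCP message type codes (option 53) relevant here.
const DHCPOFFER = 2;
const DHCPACK   = 5;

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	# Only server-to-client messages that offer or confirm a lease matter here.
	if ( is_orig || ( msg$m_type != DHCPOFFER && msg$m_type != DHCPACK ) )
		return;

	# Prefer the Server Identifier option (54); fall back to the header's
	# siaddr, which relays and some servers leave as 0.0.0.0.
	local server = options?$serv_addr ? options$serv_addr : msg$siaddr;

	if ( server !in allowed_servers )
		NOTICE([$note=Rogue_Server,
		        $msg=fmt("DHCP %s from unlisted server %s offered %s to %s",
		                 msg$m_type == DHCPOFFER ? "OFFER" : "ACK",
		                 server, msg$yiaddr, msg$chaddr),
		        $conn=c, $src=server,
		        $identifier=cat(server)]);

	if ( options?$dns_servers )
		for ( i in options$dns_servers )
			{
			local dns = options$dns_servers[i];
			if ( dns !in allowed_dns )
				NOTICE([$note=Unexpected_DNS_Server,
				        $msg=fmt("lease for %s from %s sets DNS server %s",
				                 msg$yiaddr, server, dns),
				        $conn=c, $src=server,
				        $identifier=cat(server, dns)]);
			}

	if ( options?$auto_proxy_config )
		NOTICE([$note=WPAD_Option_Seen,
		        $msg=fmt("lease for %s from %s carries proxy PAC URL %s",
		                 msg$yiaddr, server, options$auto_proxy_config),
		        $conn=c, $src=server,
		        $identifier=cat(server, options$auto_proxy_config)]);
	}
```

The fields in DHCP::Options are &optional, so every access is guarded with ?$ first; reading options$serv_addr on an OFFER that lacks option 54 would abort the handler with a runtime error rather than return an empty value.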
Zeek::DNP3¶
DNP3 UDP/TCP analyzers
Events¶
-
dnp3_application_request_header
¶ Type: event
(c:connection
, is_orig:bool
, application:count
, fc:count
)Generated for a DNP3 request header.
C: The connection the DNP3 communication is part of. Is_orig: True if this reflects originator-side activity. Fc: function code.
-
dnp3_application_response_header
¶ Type: event
(c:connection
, is_orig:bool
, application:count
, fc:count
, iin:count
)Generated for a DNP3 response header.
C: The connection the DNP3 communication is part of. Is_orig: True if this reflects originator-side activity. Fc: function code. Iin: internal indication number.
-
dnp3_object_header
¶ Type: event
(c:connection
, is_orig:bool
, obj_type:count
, qua_field:count
, number:count
, rf_low:count
, rf_high:count
)Generated for the object header found in both DNP3 requests and responses.
C: The connection the DNP3 communication is part of. Is_orig: True if this reflects originator-side activity. Obj_type: type of object, which is classified based on an 8-bit group number and an 8-bit variation number. Qua_field: qualifier field. Number: TODO. Rf_low: the structure of the range field depends on the qualified field. In some cases, the range field contains only one logic part, e.g., number of objects, so only rf_low contains useful values. Rf_high: in some cases, the range field contains two logic parts, e.g., start index and stop index, so rf_low contains the start index while rf_high contains the stop index.
-
dnp3_object_prefix
¶ Type: event
(c:connection
, is_orig:bool
, prefix_value:count
)Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.
C: The connection the DNP3 communication is part of. Is_orig: True if this reflects originator-side activity. Prefix_value: The prefix.
-
dnp3_header_block
¶ Type: event
(c:connection
, is_orig:bool
, len:count
, ctrl:count
, dest_addr:count
, src_addr:count
)Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).
C: The connection the DNP3 communication is part of. Is_orig: True if this reflects originator-side activity. Len: the “length” field in the DNP3 Pseudo Link Layer. Ctrl: the “control” field in the DNP3 Pseudo Link Layer. Dest_addr: the “destination” field in the DNP3 Pseudo Link Layer. Src_addr: the “source” field in the DNP3 Pseudo Link Layer.
-
dnp3_response_data_object
¶ Type: event
(c:connection
, is_orig:bool
, data_value:count
)Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.
C: The connection the DNP3 communication is part of. Is_orig: True if this reflects originator-side activity. Data_value: The value for those objects that carry their information here directly.
-
dnp3_attribute_common
¶ Type: event
(c:connection
, is_orig:bool
, data_type_code:count
, leng:count
, attribute_obj:string
)Generated for DNP3 attributes.
-
dnp3_crob
¶ Type: event
(c:connection
, is_orig:bool
, control_code:count
, count8:count
, on_time:count
, off_time:count
, status_code:count
)Generated for DNP3 objects with the group number 12 and variation number 1
CROB: control relay output block
-
dnp3_pcb
¶ Type: event
(c:connection
, is_orig:bool
, control_code:count
, count8:count
, on_time:count
, off_time:count
, status_code:count
)Generated for DNP3 objects with the group number 12 and variation number 2
PCB: Pattern Control Block
- dnp3_counter_32wFlag
Type: event (c: connection, is_orig: bool, flag: count, count_value: count)
Generated for DNP3 objects with the group number 20 and variation number 1: counter, 32 bit, with flag.
- dnp3_counter_16wFlag
Type: event (c: connection, is_orig: bool, flag: count, count_value: count)
Generated for DNP3 objects with the group number 20 and variation number 2: counter, 16 bit, with flag.
- dnp3_counter_32woFlag
Type: event (c: connection, is_orig: bool, count_value: count)
Generated for DNP3 objects with the group number 20 and variation number 5: counter, 32 bit, without flag.
- dnp3_counter_16woFlag
Type: event (c: connection, is_orig: bool, count_value: count)
Generated for DNP3 objects with the group number 20 and variation number 6: counter, 16 bit, without flag.
- dnp3_frozen_counter_32wFlag
Type: event (c: connection, is_orig: bool, flag: count, count_value: count)
Generated for DNP3 objects with the group number 21 and variation number 1: frozen counter, 32 bit, with flag.
- dnp3_frozen_counter_16wFlag
Type: event (c: connection, is_orig: bool, flag: count, count_value: count)
Generated for DNP3 objects with the group number 21 and variation number 2: frozen counter, 16 bit, with flag.
- dnp3_frozen_counter_32wFlagTime
Type: event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)
Generated for DNP3 objects with the group number 21 and variation number 5: frozen counter, 32 bit, with flag and time.
- dnp3_frozen_counter_16wFlagTime
Type: event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)
Generated for DNP3 objects with the group number 21 and variation number 6: frozen counter, 16 bit, with flag and time.
- dnp3_frozen_counter_32woFlag
Type: event (c: connection, is_orig: bool, count_value: count)
Generated for DNP3 objects with the group number 21 and variation number 9: frozen counter, 32 bit, without flag.
- dnp3_frozen_counter_16woFlag
Type: event (c: connection, is_orig: bool, count_value: count)
Generated for DNP3 objects with the group number 21 and variation number 10: frozen counter, 16 bit, without flag.
dnp3_analog_input_32wFlag
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
)Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag
-
dnp3_analog_input_16wFlag
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
)Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag
-
dnp3_analog_input_32woFlag
¶ Type: event
(c:connection
, is_orig:bool
, value:count
)Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag
-
dnp3_analog_input_16woFlag
¶ Type: event
(c:connection
, is_orig:bool
, value:count
)Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag
-
dnp3_analog_input_SPwFlag
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
)Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, float point with flag
-
dnp3_analog_input_DPwFlag
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value_low:count
, value_high:count
)Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, float point with flag
-
dnp3_frozen_analog_input_32wFlag
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag
-
dnp3_frozen_analog_input_16wFlag
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag
-
dnp3_frozen_analog_input_32wTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
, time48:count
)Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze
-
dnp3_frozen_analog_input_16wTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
, time48:count
)Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze
-
dnp3_frozen_analog_input_32woFlag
¶ Type: event
(c:connection
, is_orig:bool
, frozen_value:count
)Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag
-
dnp3_frozen_analog_input_16woFlag
¶ Type: event
(c:connection
, is_orig:bool
, frozen_value:count
)Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag
-
dnp3_frozen_analog_input_SPwFlag
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, float point with flag
-
dnp3_frozen_analog_input_DPwFlag
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
)Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, float point with flag
-
dnp3_analog_input_event_32woTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
)Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time
-
dnp3_analog_input_event_16woTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
)Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time
-
dnp3_analog_input_event_32wTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
, time48:count
)Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time
-
dnp3_analog_input_event_16wTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
, time48:count
)Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time
-
dnp3_analog_input_event_SPwoTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
)Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision float point without time
-
dnp3_analog_input_event_DPwoTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value_low:count
, value_high:count
)Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision float point without time
-
dnp3_analog_input_event_SPwTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value:count
, time48:count
)Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision float point with time
-
dnp3_analog_input_event_DPwTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, value_low:count
, value_high:count
, time48:count
)Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precisiion float point with time
-
dnp3_frozen_analog_input_event_32woTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time
-
dnp3_frozen_analog_input_event_16woTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time
-
dnp3_frozen_analog_input_event_32wTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
, time48:count
)Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time
-
dnp3_frozen_analog_input_event_16wTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
, time48:count
)Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time
-
dnp3_frozen_analog_input_event_SPwoTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision float point without time
-
dnp3_frozen_analog_input_event_DPwoTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
)Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision float point without time
-
dnp3_frozen_analog_input_event_SPwTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
, time48:count
)Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision float point with time
-
dnp3_frozen_analog_input_event_DPwTime
¶ Type: event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
, time48:count
)Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision float point with time
-
dnp3_file_transport
¶ Type: event
(c:connection
, is_orig:bool
, file_handle:count
, block_num:count
, file_data:string
)g70
-
dnp3_debug_byte
¶ Type: event
(c:connection
, is_orig:bool
, debug:string
)Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for unknown “cases”. The user can use it to debug the byte string to check what caused the malformed network packets.
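As an added example that is not part of Zeek's documentation or its shipped scripts, the following script combines dnp3_header_block and dnp3_crob to count control relay output block commands per DNP3 master and raise a notice on a burst; the module name, notice type, thresholds and the MasterState record are assumptions chosen for illustration.

```zeek
##! Added example (not Zeek's own code): count CROB commands (group 12,
##! variation 1) per DNP3 master and raise a notice when one master issues
##! a burst of them. Module, notice name and thresholds are assumptions.

@load base/frameworks/notice

module DNP3ControlWatch;

export {
	redef enum Notice::Type += {
		## Raised when one originator sends crob_threshold CROB commands
		## within crob_window.
		CROB_Burst
	};

	## Number of CROB commands from one master within the window that triggers a notice.
	const crob_threshold = 10 &redef;

	## Observation window; per-master counters are dropped after this much time.
	const crob_window = 60sec &redef;
}

## Per-master state (assumed record, not part of Zeek).
type MasterState: record {
	## CROB commands seen from this master in the current window.
	n: count &default=0;
	## Link-layer source/destination from the most recent header block.
	link: string &default="link addresses unknown";
};

## Counters keyed by the TCP originator, i.e. the DNP3 master's IP address.
## &create_expire ages an entry out crob_window after it was created.
global masters: table[addr] of MasterState &create_expire=crob_window;

function state_for(h: addr): MasterState
	{
	if ( h !in masters )
		masters[h] = MasterState($n=0);
	# Records are reference types, so callers mutate the table entry directly.
	return masters[h];
	}

## The header block is raised once per sequence of DNP3 records; remember the
## link-layer addresses so the notice can name the outstation that was addressed.
event dnp3_header_block(c: connection, is_orig: bool, len: count, ctrl: count,
                        dest_addr: count, src_addr: count)
	{
	if ( ! is_orig )
		return;

	local st = state_for(c$id$orig_h);
	st$link = fmt("link src=%d dest=%d", src_addr, dest_addr);
	}

## A CROB object appears in the master's request and again in the outstation's
## response (with status_code filled in); only the originator side, i.e. the
## command itself, is counted here.
event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
	{
	if ( ! is_orig )
		return;

	local st = state_for(c$id$orig_h);
	++st$n;

	if ( st$n == crob_threshold )
		NOTICE([$note=CROB_Burst,
		        $conn=c,
		        $msg=fmt("%d CROB commands from %s within %s (%s; last control_code=0x%x count=%d on_time=%d off_time=%d)",
		                 st$n, c$id$orig_h, crob_window, st$link,
		                 control_code, count8, on_time, off_time),
		        $identifier=cat(c$id$orig_h),
		        $suppress_for=crob_window]);
	}
```

The notice names both the IP-level master and the DNP3 link addresses, which matters on OT networks where several outstations sit behind one gateway address.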
Zeek::DNS
DNS analyzer
Events
- dns_message
Type: event (c: connection, is_orig: bool, msg: dns_msg, len: count)
Generated for all DNS messages.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
is_orig: True if the message was sent by the originator of the connection.
msg: The parsed DNS message header.
len: The length of the message’s raw representation (i.e., the DNS payload).
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_request
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
Generated for DNS requests. For requests with multiple queries, this event is raised once for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
query: The queried name (normalized to all lowercase).
qtype: The queried resource record type.
qclass: The queried resource record class.
original_query: The queried name, with the original case kept intact.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_rejected
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
query: The queried name (normalized to all lowercase).
qtype: The queried resource record type.
qclass: The queried resource record class.
original_query: The queried name, with the original case kept intact.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
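As an added example that is not Zeek's own script, the handlers below build on dns_request and dns_rejected to keep per-client request and rejection counts and raise a notice when a client accumulates many rejected lookups within a window, a pattern worth reviewing for DGA-style or tunnelling traffic; the module name, notice type, thresholds and the ClientState record are assumptions.

```zeek
##! Added example (not Zeek's own code): per-client DNS rejection counting
##! built on dns_request and dns_rejected. Module, notice type and the
##! thresholds below are illustrative assumptions.

@load base/frameworks/notice

module DNSRejectWatch;

export {
	redef enum Notice::Type += {
		## Raised when one client reaches reject_threshold rejected queries
		## within reject_window.
		Excessive_Rejections
	};

	## Rejected replies from one client within the window that trigger a notice.
	const reject_threshold = 50 &redef;

	## Observation window; per-client counters are dropped after this much time.
	const reject_window = 5min &redef;
}

## Per-client state (assumed record, not part of Zeek).
type ClientState: record {
	requests: count &default=0;
	rejects: count &default=0;
	## Last rejected name exactly as the client sent it (original_query);
	## the lowercased form in 'query' is the one most scripts key on.
	last_name: string &default="";
};

## Keyed by the connection originator, i.e. the querying client.
## &create_expire ages an entry out reject_window after it was created.
global clients: table[addr] of ClientState &create_expire=reject_window;

function state_for(h: addr): ClientState
	{
	if ( h !in clients )
		clients[h] = ClientState($requests=0);
	# Records are reference types, so callers mutate the table entry directly.
	return clients[h];
	}

## One dns_request per question, so multi-question messages count once each.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
                  qclass: count, original_query: string)
	{
	local st = state_for(c$id$orig_h);
	++st$requests;
	}

## Every parameter here is parsed from the reply and is not correlated with
## the request, so the client is identified from the connection's originator.
event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count,
                   qclass: count, original_query: string)
	{
	local st = state_for(c$id$orig_h);
	++st$rejects;
	st$last_name = original_query;

	if ( st$rejects == reject_threshold )
		NOTICE([$note=Excessive_Rejections,
		        $conn=c,
		        # msg$rcode is the reply's response code, e.g. 3 for NXDOMAIN.
		        $msg=fmt("%s: %d rejected DNS queries (%d requests seen) within %s; last %s qtype=%d rcode=%d",
		                 c$id$orig_h, st$rejects, st$requests, reject_window,
		                 st$last_name, qtype, msg$rcode),
		        $identifier=cat(c$id$orig_h),
		        $suppress_for=reject_window]);
	}
```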
- dns_query_reply
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
Generated for each entry in the Question section of a DNS reply.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
query: The queried name.
qtype: The queried resource record type.
qclass: The queried resource record class.
original_query: The queried name, with the original case kept intact.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_A_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)
Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
a: The address returned by the reply.
See also: dns_AAAA_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_AAAA_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)
Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
a: The address returned by the reply.
See also: dns_A_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_A6_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)
Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
a: The address returned by the reply.
See also: dns_A_reply, dns_AAAA_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_NS_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)
Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
name: The name returned by the reply.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_CNAME_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)
Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
name: The name returned by the reply.
See also: dns_AAAA_reply, dns_A_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_PTR_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)
Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
name: The name returned by the reply.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_SOA_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)
Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
soa: The parsed SOA value.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_WKS_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer)
Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_HINFO_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer)
Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_MX_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)
Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
name: The name returned by the reply.
preference: The preference for name specified by the reply.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_TXT_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)
Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
strs: The textual information returned by the reply.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_SPF_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)
Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
strs: The textual information returned by the reply.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_CAA_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
flags: The flags byte of the CAA reply.
tag: The property identifier of the CAA reply.
value: The property value of the CAA reply.
- dns_SRV_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)
Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
target: Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.
priority: Priority of the SRV response – the priority of the target host; a lower value means more preferred.
weight: Weight of the SRV response – a relative weight for records with the same priority; a higher value means more preferred.
p: Port of the SRV response – the TCP or UDP port on which the service is to be found.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_unknown_reply
Type: event (c: connection, msg: dns_msg, ans: dns_answer)
Generated for DNS reply resource records whose type is not one that Zeek knows how to parse and report through a more specific event.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The type-independent part of the parsed answer record.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_SRV_reply, dns_end
- dns_EDNS_addl
Type: event (c: connection, msg: dns_msg, ans: dns_edns_additional)
Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
ans: The parsed EDNS reply.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_EDNS_ecs
Type: event (c: connection, msg: dns_msg, opt: dns_edns_ecs)
Generated for DNS replies of type EDNS. For replies with multiple options, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg: The parsed DNS message header.
opt: The parsed EDNS option.
See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_TSIG_addl
  Type: event (c: connection, msg: dns_msg, ans: dns_tsig_additional)
  Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  msg: The parsed DNS message header.
  ans: The parsed TSIG reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_RRSIG
  Type: event (c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
  Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  msg: The parsed DNS message header.
  ans: The type-independent part of the parsed answer record.
  rrsig: The parsed RRSIG record.
- dns_DNSKEY
  Type: event (c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
  Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  msg: The parsed DNS message header.
  ans: The type-independent part of the parsed answer record.
  dnskey: The parsed DNSKEY record.
- dns_NSEC
  Type: event (c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
  Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  msg: The parsed DNS message header.
  ans: The type-independent part of the parsed answer record.
  next_name: The parsed next secure domain name.
  bitmaps: A vector of hex-encoded strings, one for each type bit map present.
- dns_NSEC3
  Type: event (c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
  Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  msg: The parsed DNS message header.
  ans: The type-independent part of the parsed answer record.
  nsec3: The parsed RDATA of the NSEC3 record.
- dns_DS
  Type: event (c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
  Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  msg: The parsed DNS message header.
  ans: The type-independent part of the parsed answer record.
  ds: The parsed RDATA of the DS record.
- dns_end
  Type: event (c: connection, msg: dns_msg)
  Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  msg: The parsed DNS message header.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
Zeek::File
Generic file analyzer
Events
- file_transferred
  Type: event (c: connection, prefix: string, descr: string, mime_type: string)
  Generated when a TCP connection associated with a file data transfer is seen (e.g., as happens with FTP or IRC).
  c: The connection over which file data is transferred.
  prefix: Up to 1024 bytes of the file data.
  descr: Deprecated/unused argument.
  mime_type: MIME type of the file, or “<unknown>” if no file magic signatures matched.
Zeek::Finger
Finger analyzer
Components
Events
- finger_request
  Type: event (c: connection, full: bool, username: string, hostname: string)
  Generated for Finger requests.
  See Wikipedia for more information about the Finger protocol.
  c: The connection.
  full: True if verbose information is requested (/W switch).
  username: The request’s user name.
  hostname: The request’s host name.
  See also: finger_reply
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- finger_reply
  Type: event (c: connection, reply_line: string)
  Generated for Finger replies.
  See Wikipedia for more information about the Finger protocol.
  c: The connection.
  reply_line: The reply as returned by the server.
  See also: finger_request
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Zeek::FTP
FTP analyzer
Types
- ftp_port
  Type: record
  A parsed host/port combination describing the server endpoint for an upcoming data transfer.
  See also: fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port
Events
- ftp_request
  Type: event (c: connection, command: string, arg: string)
  Generated for client-side FTP commands.
  See Wikipedia for more information about the FTP protocol.
  c: The connection.
  command: The FTP command issued by the client (without any arguments).
  arg: The arguments going with the command.
  See also: ftp_reply, fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port
- ftp_reply
  Type: event (c: connection, code: count, msg: string, cont_resp: bool)
  Generated for server-side FTP replies.
  See Wikipedia for more information about the FTP protocol.
  c: The connection.
  code: The numerical response code the server responded with.
  msg: The textual message of the response.
  cont_resp: True if the reply line is tagged as being continued on the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.
  See also: ftp_request, fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port
Functions
- parse_ftp_port
  Type: function (s: string): ftp_port
  Converts a string representation of the FTP PORT command to an ftp_port.
  s: The string of the FTP PORT command, e.g., "10,0,0,1,4,31".
  Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
  See also: parse_eftp_port, parse_ftp_pasv, parse_ftp_epsv, fmt_ftp_port
- parse_eftp_port
  Type: function (s: string): ftp_port
  Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).
  s: The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".
  Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
  See also: parse_ftp_port, parse_ftp_pasv, parse_ftp_epsv, fmt_ftp_port
- parse_ftp_pasv
  Type: function (str: string): ftp_port
  Converts the result of the FTP PASV command to an ftp_port.
  str: The string containing the result of the FTP PASV command.
  Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
  See also: parse_ftp_port, parse_eftp_port, parse_ftp_epsv, fmt_ftp_port
- parse_ftp_epsv
  Type: function (str: string): ftp_port
  Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).
  str: The string containing the result of the FTP EPSV command.
  Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
  See also: parse_ftp_port, parse_eftp_port, parse_ftp_pasv, fmt_ftp_port
- fmt_ftp_port
  Type: function (a: addr, p: port): string
  Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yield "10,0,0,1,4,31".
  a: The IP address.
  p: The TCP port.
  Returns: The FTP PORT string.
  See also: parse_ftp_port, parse_eftp_port, parse_ftp_pasv, parse_ftp_epsv
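The five helpers above, re-implemented as an added Python example (not Zeek's own implementation) so the PORT, EPRT, PASV and EPSV formats described on this page can be exercised against sample strings and malformed input. The FtpPort class mirrors the ftp_port record fields h, p and valid; leaving h as None for EPSV is this example's own convention, since a 229 reply carries no address and the caller has to supply the server's.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import List, Optional


@dataclass(frozen=True)
class FtpPort:
    """Mirrors the ftp_port record: host, TCP port, and whether parsing succeeded."""
    h: Optional[str]  # IP address as text; None when the reply carries no host (EPSV)
    p: int            # TCP port, 0 when invalid
    valid: bool


INVALID = FtpPort(None, 0, False)


def parse_ftp_port(s: str) -> FtpPort:
    """PORT argument h1,h2,h3,h4,p1,p2 (RFC 959); port = p1*256 + p2."""
    fields = s.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        return INVALID
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return INVALID  # every octet and port byte must fit in 8 bits
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return INVALID
    return FtpPort(".".join(str(n) for n in nums[:4]), port, True)


def _split_delimited(s: str) -> Optional[List[str]]:
    """Split "<d>a<d>b<d>c<d>" on its delimiter d, any printable ASCII 33-126."""
    s = s.strip()
    if len(s) < 2:
        return None
    d = s[0]
    if not 33 <= ord(d) <= 126 or s[-1] != d:
        return None
    return s[1:-1].split(d)


def parse_eftp_port(s: str) -> FtpPort:
    """EPRT argument <d><net-prt><d><net-addr><d><tcp-port><d> (RFC 2428)."""
    parts = _split_delimited(s)
    if parts is None or len(parts) != 3:
        return INVALID
    proto, addr, port_s = parts
    try:
        ip = ip_address(addr)
        port = int(port_s)
    except ValueError:
        return INVALID
    # RFC 2428: net-prt 1 is IPv4 and 2 is IPv6; the address family must agree
    if (proto, type(ip)) not in (("1", IPv4Address), ("2", IPv6Address)):
        return INVALID
    if not 0 < port <= 65535:
        return INVALID
    return FtpPort(str(ip), port, True)


_PASV_RE = re.compile(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)")


def parse_ftp_pasv(reply: str) -> FtpPort:
    """227 reply such as "227 Entering Passive Mode (10,0,0,1,4,31)"."""
    m = _PASV_RE.search(reply)
    return INVALID if m is None else parse_ftp_port(m.group(1))


def parse_ftp_epsv(reply: str) -> FtpPort:
    """229 reply "<text> (<d><d><d><tcp-port><d>)"; no host is included."""
    lp, rp = reply.rfind("("), reply.rfind(")")
    if lp < 0 or rp < lp:
        return INVALID
    parts = _split_delimited(reply[lp + 1:rp])
    if parts is None or len(parts) != 3 or parts[0] != "" or parts[1] != "":
        return INVALID
    if not parts[2].isdigit() or not 0 < int(parts[2]) <= 65535:
        return INVALID
    return FtpPort(None, int(parts[2]), True)


def fmt_ftp_port(a: str, p: int) -> str:
    """IPv4 address and TCP port as a PORT argument: 10.0.0.1, 1055 -> "10,0,0,1,4,31"."""
    ip = ip_address(a)
    if not isinstance(ip, IPv4Address) or not 0 < p <= 65535:
        raise ValueError("fmt_ftp_port needs an IPv4 address and a TCP port in 1-65535")
    return ",".join(str(b) for b in ip.packed) + f",{p // 256},{p % 256}"
```

A result with valid=False means the command or reply was malformed; a handler should treat that as a protocol anomaly worth logging rather than silently falling back to a default endpoint.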
Zeek::Gnutella
Gnutella analyzer
Components
Events
- gnutella_text_msg
  Type: event (c: connection, orig: bool, headers: string)
  TODO.
  See Wikipedia for more information about the Gnutella protocol.
  See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_binary_msg
  Type: event (c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool)
  TODO.
  See Wikipedia for more information about the Gnutella protocol.
  See also: gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_text_msg
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_partial_binary_msg
  Type: event (c: connection, orig: bool, msg: string, len: count)
  TODO.
  See Wikipedia for more information about the Gnutella protocol.
  See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_not_establish, gnutella_text_msg
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_establish
  Type: event (c: connection)
  TODO.
  See Wikipedia for more information about the Gnutella protocol.
  See also: gnutella_binary_msg, gnutella_http_notify, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_text_msg
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_not_establish
  Type: event (c: connection)
  TODO.
  See Wikipedia for more information about the Gnutella protocol.
  See also: gnutella_binary_msg, gnutella_establish, gnutella_http_notify, gnutella_partial_binary_msg, gnutella_text_msg
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_http_notify
  Type: event (c: connection)
  TODO.
  See Wikipedia for more information about the Gnutella protocol.
  See also: gnutella_binary_msg, gnutella_establish, gnutella_not_establish, gnutella_partial_binary_msg, gnutella_text_msg
  Todo: Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Zeek::GSSAPI
GSSAPI analyzer
Components
Events
- gssapi_neg_result
  Type: event (c: connection, state: count)
  Generated for GSSAPI negotiation results.
  c: The connection.
  state: The resulting state of the negotiation.
Zeek::GTPv1
GTPv1 analyzer
Components
Events
- gtpv1_message
  Type: event (c: connection, hdr: gtpv1_hdr)
  Generated for any GTP message with a GTPv1 header.
  c: The connection over which the message is sent.
  hdr: The GTPv1 header.
- gtpv1_g_pdu_packet
  Type: event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
  Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.
  outer: The GTP outer tunnel connection.
  inner_gtp: The GTP header.
  inner_ip: The inner IP and transport layer packet headers.
  Note: Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.
- gtpv1_create_pdp_ctx_request
  Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)
  Generated for GTPv1-C Create PDP Context Request messages.
  c: The connection over which the message is sent.
  hdr: The GTPv1 header.
  elements: The set of Information Elements comprising the message.
- gtpv1_create_pdp_ctx_response
  Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)
  Generated for GTPv1-C Create PDP Context Response messages.
  c: The connection over which the message is sent.
  hdr: The GTPv1 header.
  elements: The set of Information Elements comprising the message.
- gtpv1_update_pdp_ctx_request
  Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)
  Generated for GTPv1-C Update PDP Context Request messages.
  c: The connection over which the message is sent.
  hdr: The GTPv1 header.
  elements: The set of Information Elements comprising the message.
- gtpv1_update_pdp_ctx_response
  Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)
  Generated for GTPv1-C Update PDP Context Response messages.
  c: The connection over which the message is sent.
  hdr: The GTPv1 header.
  elements: The set of Information Elements comprising the message.
- gtpv1_delete_pdp_ctx_request
  Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)
  Generated for GTPv1-C Delete PDP Context Request messages.
  c: The connection over which the message is sent.
  hdr: The GTPv1 header.
  elements: The set of Information Elements comprising the message.
- gtpv1_delete_pdp_ctx_response
  Type: event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)
  Generated for GTPv1-C Delete PDP Context Response messages.
  c: The connection over which the message is sent.
  hdr: The GTPv1 header.
  elements: The set of Information Elements comprising the message.
Zeek::HTTP
HTTP analyzer
Components
Events
- http_request
  Type: event (c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
  Generated for HTTP requests. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  method: The HTTP method extracted from the request (e.g., GET, POST).
  original_URI: The unprocessed URI as specified in the request.
  unescaped_URI: The URI with all percent-encodings decoded.
  version: The version number specified in the request (e.g., 1.1).
  See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_stats, truncate_http_URI, http_connection_upgrade
- http_reply
  Type: event (c: connection, version: string, code: count, reason: string)
  Generated for HTTP replies. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  version: The version number specified in the reply (e.g., 1.1).
  code: The numerical response code returned by the server.
  reason: The textual description returned by the server along with the code.
  See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_request, http_stats, http_connection_upgrade
- http_header
  Type: event (c: connection, is_orig: bool, original_name: string, name: string, value: string)
  Type: event (c: connection, is_orig: bool, name: string, value: string)
  Generated for HTTP headers. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  is_orig: True if the header was sent by the originator of the TCP connection.
  original_name: The name of the header (unaltered).
  name: The name of the header (converted to all uppercase).
  value: The value of the header.
  See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade
  Note: This event is also raised for headers found in nested body entities.
- http_all_headers
  Type: event (c: connection, is_orig: bool, hlist: mime_header_list)
  Generated for HTTP headers, passing on all headers of an HTTP message at once. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  is_orig: True if the header was sent by the originator of the TCP connection.
  hlist: A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).
  See also: http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade
  Note: This event is also raised for headers found in nested body entities.
- http_begin_entity
  Type: event (c: connection, is_orig: bool)
  Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body, and potentially more than once if the body contains further nested MIME entities. Zeek raises this event just before it starts parsing each entity’s content.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  is_orig: True if the entity was sent by the originator of the TCP connection.
  See also: http_all_headers, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_begin_entity, http_connection_upgrade
- http_end_entity
  Type: event (c: connection, is_orig: bool)
  Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body, and potentially more than once if the body contains further nested MIME entities. Zeek raises this event at the point when it has finished parsing an entity’s content.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  is_orig: True if the entity was sent by the originator of the TCP connection.
  See also: http_all_headers, http_begin_entity, http_content_type, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_end_entity, http_connection_upgrade
- http_entity_data
  Type: event (c: connection, is_orig: bool, length: count, data: string)
  Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data of not further defined size.
  A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string, and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for large HTTP transfers. At the very least, one should impose an upper size limit on how much data is being buffered.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  is_orig: True if the entity was sent by the originator of the TCP connection.
  length: The length of data.
  data: One chunk of raw entity data.
  See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_event, http_header, http_message_done, http_reply, http_request, http_stats, mime_entity_data, http_entity_data_delivery_size, skip_http_data, http_connection_upgrade
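The reassembly idiom just described, modelled as an added Python example rather than a Zeek script (it is not the project's own code): the three methods are called in the order Zeek raises http_begin_entity, http_entity_data and http_end_entity for one connection and direction, and max_bytes is the assumed upper size limit the text recommends; data beyond it is dropped and the entity is flagged as truncated instead of growing without bound.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class _EntityBuffer:
    data: bytearray = field(default_factory=bytearray)
    truncated: bool = False  # set once the cap is hit; later chunks are discarded


class HttpEntityReassembler:
    """Per-(connection, direction) buffering of http_entity_data chunks with a hard cap.

    Keys are (conn_uid, is_orig), matching how a Zeek handler would distinguish the
    client and server bodies of one connection; conn_uid is an assumed caller-supplied id.
    """

    def __init__(self, max_bytes: int) -> None:
        if max_bytes <= 0:
            raise ValueError("max_bytes must be positive")
        self.max_bytes = max_bytes
        self._buffers: Dict[Tuple[str, bool], _EntityBuffer] = {}

    def begin_entity(self, conn_uid: str, is_orig: bool) -> None:
        # http_begin_entity: start a fresh buffer; any unfinished one for this key is replaced
        self._buffers[(conn_uid, is_orig)] = _EntityBuffer()

    def entity_data(self, conn_uid: str, is_orig: bool, data: bytes) -> None:
        # http_entity_data: append, but never beyond max_bytes
        buf = self._buffers.get((conn_uid, is_orig))
        if buf is None or buf.truncated:
            return  # no entity in progress, or already over the limit
        room = self.max_bytes - len(buf.data)
        if len(data) > room:
            buf.data += data[:room]
            buf.truncated = True
        else:
            buf.data += data

    def end_entity(self, conn_uid: str, is_orig: bool) -> Optional[Tuple[bytes, bool]]:
        # http_end_entity: hand back the reassembled body and whether it was cut short
        buf = self._buffers.pop((conn_uid, is_orig), None)
        if buf is None:
            return None
        return bytes(buf.data), buf.truncated

    def pending(self) -> int:
        """Number of entities still being buffered (useful for spotting leaks)."""
        return len(self._buffers)


def reassemble(chunks: Tuple[bytes, ...], max_bytes: int) -> Tuple[bytes, bool]:
    """Run one server-side entity through the reassembler; chunks are constructed sample data."""
    r = HttpEntityReassembler(max_bytes)
    r.begin_entity("CHhAvVGS1DHFjwGM9", False)  # constructed connection uid
    for chunk in chunks:
        r.entity_data("CHhAvVGS1DHFjwGM9", False, chunk)
    result = r.end_entity("CHhAvVGS1DHFjwGM9", False)
    assert result is not None and r.pending() == 0
    return result
```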
- http_content_type
  Type: event (c: connection, is_orig: bool, ty: string, subty: string)
  Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  is_orig: True if the entity was sent by the originator of the TCP connection.
  ty: The main type.
  subty: The subtype.
  See also: http_all_headers, http_begin_entity, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_stats, http_connection_upgrade
  Note: This event is also raised for headers found in nested body entities.
- http_message_done
  Type: event (c: connection, is_orig: bool, stat: http_message_stat)
  Generated once at the end of parsing an HTTP message. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  is_orig: True if the entity was sent by the originator of the TCP connection.
  stat: Further meta information about the message.
  See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_reply, http_request, http_stats, http_connection_upgrade
- http_event
  Type: event (c: connection, event_type: string, detail: string)
  Generated for errors found when decoding HTTP requests or replies.
  See Wikipedia for more information about the HTTP protocol.
  c: The connection.
  event_type: A string describing the general category of the problem found (e.g., illegal format).
  detail: A further, more detailed description of the error.
  See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_header, http_message_done, http_reply, http_request, http_stats, mime_event, http_connection_upgrade
- http_stats
  Type: event (c: connection, stats: http_stats_rec)
  Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.
  c: The connection.
  stats: Statistics summarizing HTTP-level properties of the finished connection.
  See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_connection_upgrade
- http_connection_upgrade
  Type: event (c: connection, protocol: string)
  Generated when an HTTP session is upgraded to a different protocol (e.g., websocket). This event is raised when a server replies with an HTTP 101 reply. No more HTTP events will be raised after this event.
  c: The connection.
  protocol: The protocol to which the connection is switching.
  See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request
Functions
- skip_http_entity_data
  Type: function (c: connection, is_orig: bool): any
  Skips the data of the HTTP entity.
  c: The HTTP connection.
  is_orig: If true, the client data is skipped; otherwise the server data is skipped.
  See also: skip_smtp_data
- unescape_URI
  Type: function (URI: string): string
  Unescapes all characters in a URI (decodes every %xx group).
  URI: The URI to unescape.
  Returns: The unescaped URI with all %xx groups decoded.
  Note: Unescaping reserved characters may cause loss of information. RFC 2396: A URI is always in an “escaped” form, since escaping or unescaping a completed URI might change its semantics. Normally, the only time escape encodings can safely be made is when the URI is being created from its component parts.
Zeek::ICMP¶
ICMP analyzer
Components¶
Events¶
-
icmp_sent
¶ Type: event
(c:connection
, icmp:icmp_conn
&deprecated
="Remove in v4.1"
, info:icmp_info
)Type: event
(c:connection
, info:icmp_info
)Type: event
(c:connection
, icmp:icmp_conn
)Generated for all ICMP messages that are not handled separately with dedicated ICMP events. Zeek’s ICMP analyzer handles a number of ICMP messages directly with dedicated events. This event acts as a fallback for those it doesn’t.
See Wikipedia for more information about the ICMP protocol.
C: The connection record for the corresponding ICMP flow. Icmp: Additional ICMP-specific information augmenting the standard connection record c. Info: Additional ICMP-specific information augmenting the standard connection record c. See also:
icmp_error_message
,icmp_sent_payload
-
icmp_sent_payload
¶ Type: event
(c:connection
, icmp:icmp_conn
&deprecated
="Remove in v4.1"
, info:icmp_info
, payload:string
)Type: event
(c:connection
, info:icmp_info
, payload:string
)Type: event
(c:connection
, icmp:icmp_conn
, payload:string
)The same as
icmp_sent
except containing the ICMP payload.C: The connection record for the corresponding ICMP flow. Icmp: Additional ICMP-specific information augmenting the standard connection record c. Info: Additional ICMP-specific information augmenting the standard connection record c. Payload: The payload of the ICMP message. See also:
icmp_error_message
,icmp_sent_payload
-
icmp_echo_request
¶ Type: event
(c:connection
, icmp:icmp_conn
&deprecated
="Remove in v4.1"
, info:icmp_info
, id:count
, seq:count
, payload:string
)Type: event
(c:connection
, info:icmp_info
, id:count
, seq:count
, payload:string
)Type: event
(c:connection
, icmp:icmp_conn
, id:count
, seq:count
, payload:string
)Generated for ICMP echo request messages.
See Wikipedia for more information about the ICMP protocol.
C: The connection record for the corresponding ICMP flow. Icmp: Additional ICMP-specific information augmenting the standard connection record c. Info: Additional ICMP-specific information augmenting the standard connection record c. Id: The echo request identifier. Seq: The echo request sequence number. Payload: The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header. See also:
icmp_echo_reply
-
icmp_echo_reply
¶ Type: event
(c:connection
, icmp:icmp_conn
&deprecated
="Remove in v4.1"
, info:icmp_info
, id:count
, seq:count
, payload:string
)Type: event
(c:connection
, info:icmp_info
, id:count
, seq:count
, payload:string
)Type: event
(c:connection
, icmp:icmp_conn
, id:count
, seq:count
, payload:string
)Generated for ICMP echo reply messages.
See Wikipedia for more information about the ICMP protocol.
C: The connection record for the corresponding ICMP flow. Icmp: Additional ICMP-specific information augmenting the standard connection record c. Info: Additional ICMP-specific information augmenting the standard connection record c. Id: The echo reply identifier. Seq: The echo reply sequence number. Payload: The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header. See also:
icmp_echo_request
-
icmp_error_message
¶ Type: event
(c:connection
, icmp:icmp_conn
&deprecated
="Remove in v4.1"
, info:icmp_info
, code:count
, context:icmp_context
)Type: event
(c:connection
, info:icmp_info
, code:count
, context:icmp_context
)Type: event
(c:connection
, icmp:icmp_conn
, code:count
, context:icmp_context
)Generated for all ICMPv6 error messages that are not handled separately with dedicated events. Zeek’s ICMP analyzer handles a number of ICMP error messages directly with dedicated events. This event acts as a fallback for those it doesn’t.
See Wikipedia for more information about the ICMPv6 protocol.
C: The connection record for the corresponding ICMP flow. Icmp: Additional ICMP-specific information augmenting the standard connection record c. Info: Additional ICMP-specific information augmenting the standard connection record c. Code: The ICMP code of the error message. Context: A record with specifics of the original packet that the message refers to. See also:
icmp_unreachable
,icmp_packet_too_big
,icmp_time_exceeded
,icmp_parameter_problem
-
icmp_unreachable
¶ Type: event
(c:connection
, icmp:icmp_conn
&deprecated
="Remove in v4.1"
, info:icmp_info
, code:count
, context:icmp_context
)Type: event
(c:connection
, info:icmp_info
, code:count
, context:icmp_context
)Type: event
(c:connection
, icmp:icmp_conn
, code:count
, context:icmp_context
)Generated for ICMP destination unreachable messages.
See Wikipedia for more information about the ICMP protocol.
C: The connection record for the corresponding ICMP flow. Icmp: Additional ICMP-specific information augmenting the standard connection record c. Info: Additional ICMP-specific information augmenting the standard connection record c. Code: The ICMP code of the unreachable message. Context: A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the unreachable includes only a partial IP header for some reason, no fields of context will be filled out. See also:
icmp_error_message
,icmp_packet_too_big
,icmp_time_exceeded
,icmp_parameter_problem
-
icmp_packet_too_big
¶ Type: event (c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context)
Type: event (c: connection, info: icmp_info, code: count, context: icmp_context)
Type: event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)
Generated for ICMPv6 packet too big messages.
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
info: Additional ICMP-specific information augmenting the standard connection record c.
code: The ICMP code of the too big message.
context: A record with specifics of the original packet that the message refers to. Too big messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the too big message includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_time_exceeded, icmp_parameter_problem
-
icmp_time_exceeded
¶ Type: event (c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context)
Type: event (c: connection, info: icmp_info, code: count, context: icmp_context)
Type: event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)
Generated for ICMP time exceeded messages.
See Wikipedia for more information about the ICMP protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
info: Additional ICMP-specific information augmenting the standard connection record c.
code: The ICMP code of the time exceeded message.
context: A record with specifics of the original packet that the message refers to. Time exceeded messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the time exceeded message includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_parameter_problem
-
icmp_parameter_problem
¶ Type: event (c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, code: count, context: icmp_context)
Type: event (c: connection, info: icmp_info, code: count, context: icmp_context)
Type: event (c: connection, icmp: icmp_conn, code: count, context: icmp_context)
Generated for ICMPv6 parameter problem messages.
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
info: Additional ICMP-specific information augmenting the standard connection record c.
code: The ICMP code of the parameter problem message.
context: A record with specifics of the original packet that the message refers to. Parameter problem messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the parameter problem message includes only a partial IP header for some reason, no fields of context will be filled out.
See also: icmp_error_message, icmp_unreachable, icmp_packet_too_big, icmp_time_exceeded
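The ICMP error events above all hand the script the parsed header of the packet that provoked the error, which is what makes them useful for triage: the originator of that embedded packet, not the sender of the ICMP message, is the host doing the probing. The following script is an added example, not code from the Zeek documentation or the Zeek project. It uses the Zeek 3.1+ prototypes (c, info, code, context), counts port-unreachable replies per probing host and time-exceeded replies per host from distinct routers, and honours the caveat in the text by skipping messages whose embedded IP header was only partial (signalled by context$bad_hdr_len). The module name, notice names and thresholds are this example's own choices.

```zeek
# Added example (not part of the Zeek docs): triage of ICMP error messages.
module ICMPErrWatch;

export {
	redef enum Notice::Type += {
		## One host's probes drew many port-unreachable replies (UDP/port probing).
		Port_Unreachable_Burst,
		## One host's packets drew time-exceeded replies from many distinct routers.
		Traceroute_Like,
	};

	const unreachable_threshold = 20 &redef;   # example threshold
	const router_threshold = 5 &redef;         # example threshold
	const window = 5min &redef;
}

# probing host (originator of the embedded packet) -> port-unreachable count
global port_unreach: table[addr] of count &default=0 &create_expire=window;
# probing host -> routers that answered its packets with time-exceeded
global te_routers: table[addr] of set[addr] &create_expire=window;

# Port unreachable is code 3 in ICMPv4 but code 4 in ICMPv6 (RFC 4443).
function is_port_unreachable(info: icmp_info, code: count): bool
	{
	return info$v6 ? code == 4 : code == 3;
	}

event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
	{
	# A partial embedded IP header leaves context unfilled; bad_hdr_len flags it.
	if ( context$bad_hdr_len || ! is_port_unreachable(info, code) )
		return;

	# context$id is the 4-tuple of the packet that triggered the error, so its
	# orig_h is the prober. The embedded header is attacker-controlled data.
	local prober = context$id$orig_h;
	++port_unreach[prober];

	if ( port_unreach[prober] == unreachable_threshold )
		NOTICE([$note=Port_Unreachable_Burst, $conn=c, $src=prober,
		        $msg=fmt("%s triggered %d port-unreachable replies within %s",
		                 prober, unreachable_threshold, window),
		        $identifier=cat(prober)]);
	}

event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context)
	{
	if ( context$bad_hdr_len )
		return;

	local src = context$id$orig_h;   # host whose packet expired in transit
	local router = c$id$orig_h;      # router that generated the ICMP error

	if ( src !in te_routers )
		te_routers[src] = set();
	add te_routers[src][router];

	if ( |te_routers[src]| == router_threshold )
		NOTICE([$note=Traceroute_Like, $conn=c, $src=src,
		        $msg=fmt("%s drew time-exceeded replies from %d distinct routers (last: %s)",
		                 src, router_threshold, router),
		        $identifier=cat(src)]);
	}
```

Both notices key on the embedded packet's originator rather than on c$id, because for an ICMP "connection" c$id$orig_h is the device that generated the error. Thresholds should be tuned per network; legitimate traceroutes and DNS resolvers hitting dead servers will both appear.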
-
icmp_router_solicitation
¶ Type: event (c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, options: icmp6_nd_options)
Type: event (c: connection, info: icmp_info, options: icmp6_nd_options)
Type: event (c: connection, icmp: icmp_conn, options: icmp6_nd_options)
Generated for ICMPv6 Neighbor Discovery router solicitation messages (RFC 4861).
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
info: Additional ICMP-specific information augmenting the standard connection record c.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect
-
icmp_router_advertisement
¶ Type: event (c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
Type: event (c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
Type: event (c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)
Generated for ICMPv6 Neighbor Discovery router advertisement messages (RFC 4861).
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
info: Additional ICMP-specific information augmenting the standard connection record c.
cur_hop_limit: The default value that should be placed in the Hop Count field for outgoing IP packets.
managed: Managed address configuration flag (RFC 4861).
other: Other stateful configuration flag (RFC 4861).
home_agent: Mobile IPv6 home agent flag (RFC 3775).
pref: Router selection preference (RFC 4191).
proxy: Neighbor discovery proxy flag (RFC 4389).
rsv: The remaining two reserved bits of the router advertisement flags.
router_lifetime: How long this router should be used as a default router. A lifetime of zero means the sender is not a default router (RFC 4861).
reachable_time: How long a neighbor should be considered reachable.
retrans_timer: How long a host should wait before retransmitting.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_solicitation, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect
-
icmp_neighbor_solicitation
¶ Type: event (c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, tgt: addr, options: icmp6_nd_options)
Type: event (c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)
Type: event (c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
Generated for ICMPv6 Neighbor Discovery neighbor solicitation messages (RFC 4861).
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
info: Additional ICMP-specific information augmenting the standard connection record c.
tgt: The IP address of the target of the solicitation.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_advertisement, icmp_redirect
-
icmp_neighbor_advertisement
¶ Type: event (c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
Type: event (c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
Type: event (c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)
Generated for ICMPv6 Neighbor Discovery neighbor advertisement messages (RFC 4861).
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
info: Additional ICMP-specific information augmenting the standard connection record c.
router: Flag indicating that the sender is a router.
solicited: Flag indicating that the advertisement is in response to a solicitation.
override: Flag indicating that the advertisement should override existing neighbor cache entries.
tgt: The Target Address of the soliciting message, or, for unsolicited advertisements, the address whose link-layer address has changed.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_redirect
-
icmp_redirect
¶ Type: event (c: connection, icmp: icmp_conn &deprecated="Remove in v4.1", info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)
Type: event (c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)
Type: event (c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options)
Generated for ICMPv6 Neighbor Discovery redirect messages (RFC 4861).
See Wikipedia for more information about the ICMPv6 protocol.
c: The connection record for the corresponding ICMP flow.
icmp: Additional ICMP-specific information augmenting the standard connection record c.
info: Additional ICMP-specific information augmenting the standard connection record c.
tgt: The address that is supposed to be a better first hop to use for reaching dest.
dest: The destination address whose traffic is being redirected to tgt.
options: Any Neighbor Discovery options included with the message (RFC 4861).
See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement
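Neighbor Discovery has no authentication, so the router advertisement, neighbor advertisement and redirect events above are the hooks for spotting rogue-RA, ND cache poisoning and redirect abuse on a monitored link. The script below is an added example, not code from the Zeek documentation or project, covering the three events at once. It assumes the Zeek 3.1+ prototypes with the info parameter and an operator-maintained allow-list of router link-local addresses; the module name, notice names and the placeholder router address fe80::1 are this example's own.

```zeek
# Added example (not part of the Zeek docs): IPv6 Neighbor Discovery watch.
module NDWatch;

export {
	redef enum Notice::Type += {
		Rogue_Router_Advertisement,
		Unsolicited_Neighbor_Override,
		Redirect_From_Unknown_Router,
	};

	## Link-local addresses of routers allowed to advertise on monitored links.
	## fe80::1 is a placeholder; replace it with your own routers via redef.
	const known_routers: set[addr] = { [fe80::1] } &redef;
}

event icmp_router_advertisement(c: connection, info: icmp_info, cur_hop_limit: count,
                                managed: bool, other: bool, home_agent: bool, pref: count,
                                proxy: bool, rsv: count, router_lifetime: interval,
                                reachable_time: interval, retrans_timer: interval,
                                options: icmp6_nd_options)
	{
	local src = c$id$orig_h;   # for ICMP flows, orig_h is the sender of the RA

	if ( src in known_routers )
		return;

	# Lifetime 0 withdraws the sender as a default router; from an unknown host
	# that is still worth a notice, since it can evict the legitimate default.
	local role = router_lifetime == 0sec ? "withdrawal" : "default-router offer";

	# RFC 4861 requires a link-local source; anything else is doubly suspicious.
	local scope = src in [fe80::]/10 ? "link-local" : "NON-link-local";

	NOTICE([$note=Rogue_Router_Advertisement, $conn=c, $src=src,
	        $msg=fmt("unknown router %s sent RA: %s, lifetime %s, M=%s O=%s, %d ND options, %s source",
	                 src, role, router_lifetime, managed, other, |options|, scope),
	        $identifier=cat(src)]);
	}

event icmp_neighbor_advertisement(c: connection, info: icmp_info, router: bool,
                                  solicited: bool, override: bool, tgt: addr,
                                  options: icmp6_nd_options)
	{
	# Unsolicited advertisements with the override bit rewrite neighbor caches
	# without anyone asking: the ND counterpart of gratuitous-ARP poisoning.
	# Hosts legitimately send these when their link-layer address changes, so
	# expect some noise and suppress known mobility events locally.
	if ( solicited || ! override )
		return;

	NOTICE([$note=Unsolicited_Neighbor_Override, $conn=c, $src=c$id$orig_h,
	        $msg=fmt("%s sent unsolicited override NA for target %s (router flag %s)",
	                 c$id$orig_h, tgt, router),
	        $identifier=cat(c$id$orig_h, tgt)]);
	}

event icmp_redirect(c: connection, info: icmp_info, tgt: addr, dest: addr,
                    options: icmp6_nd_options)
	{
	# Redirects are only meaningful from the current first-hop router.
	if ( c$id$orig_h in known_routers )
		return;

	NOTICE([$note=Redirect_From_Unknown_Router, $conn=c, $src=c$id$orig_h,
	        $msg=fmt("%s redirected traffic for %s to %s", c$id$orig_h, dest, tgt),
	        $identifier=cat(c$id$orig_h, dest, tgt)]);
	}
```

The allow-list is keyed on the RA source address only; an attacker who spoofs a known router's link-local address will pass it, so on links where that matters, extend the check to the source link-layer address option carried in options.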
Zeek::Ident¶
Ident analyzer
Components¶
Events¶
-
ident_request
¶ Type: event (c: connection, lport: port, rport: port)
Generated for Ident requests.
See Wikipedia for more information about the Ident protocol.
c: The connection.
lport: The request’s local port.
rport: The request’s remote port.
See also: ident_error, ident_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
-
ident_reply
¶ Type: event (c: connection, lport: port, rport: port, user_id: string, system: string)
Generated for Ident replies.
See Wikipedia for more information about the Ident protocol.
c: The connection.
lport: The corresponding request’s local port.
rport: The corresponding request’s remote port.
user_id: The user id returned by the reply.
system: The operating system returned by the reply.
See also: ident_error, ident_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
-
ident_error
¶ Type: event (c: connection, lport: port, rport: port, line: string)
Generated for Ident error replies.
See Wikipedia for more information about the Ident protocol.
c: The connection.
lport: The corresponding request’s local port.
rport: The corresponding request’s remote port.
line: The error description returned by the reply.
See also: ident_reply, ident_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
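Because the Ident analyzer is dormant by default, none of the three events above fire until a script activates it; registering a port set is the first of the two routes the Todo notes describe. The script below is an added example, not code from the Zeek documentation or project. It binds the analyzer to 113/tcp with Analyzer::register_for_ports (a function of Zeek's analyzer framework) and records each reply, since an Ident reply maps a TCP connection to the account owning it on the responding host, a cleartext disclosure worth keeping. The module name, notice name and message wording are this example's own.

```zeek
# Added example (not part of the Zeek docs): activate Ident and record replies.
module IdentWatch;

export {
	redef enum Notice::Type += { User_Disclosed };

	## Ports on which to run the Ident analyzer (113/tcp is the IANA-assigned port).
	const ident_ports: set[port] = { 113/tcp } &redef;
}

event zeek_init()
	{
	# The default configuration leaves ANALYZER_IDENT dormant; binding it to a
	# port set is one of the two activation routes the documentation names.
	Analyzer::register_for_ports(Analyzer::ANALYZER_IDENT, ident_ports);
	}

event ident_reply(c: connection, lport: port, rport: port, user_id: string, system: string)
	{
	# c$id$resp_h is the Ident server, c$id$orig_h the host that asked.
	NOTICE([$note=User_Disclosed, $conn=c,
	        $msg=fmt("%s told %s that port pair %s,%s belongs to user '%s' (%s)",
	                 c$id$resp_h, c$id$orig_h, lport, rport, user_id, system),
	        $identifier=cat(c$id$resp_h, user_id)]);
	}

event ident_error(c: connection, lport: port, rport: port, line: string)
	{
	# Errors such as HIDDEN-USER or NO-USER are useful for tuning; surface them
	# through the reporter rather than as notices.
	Reporter::info(fmt("ident error from %s for %s,%s: %s", c$id$resp_h, lport, rport, line));
	}
```

If Ident runs on a non-standard port on your network, add it to ident_ports with a redef; the alternative activation route, a DPD signature, catches it regardless of port but is not shown here.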
Zeek::IMAP¶
IMAP analyzer (StartTLS only)
Components¶
Events¶
-
imap_capabilities
¶ Type: event (c: connection, capabilities: string_vec)
Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.
c: The connection.
capabilities: The list of IMAP capabilities as sent by the server.
-
imap_starttls
¶ Type: event (c: connection)
Generated when an IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.
c: The connection.
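The two IMAP events pair naturally: imap_capabilities tells you whether the server offered STARTTLS, and imap_starttls tells you whether the session actually switched to TLS. The script below is an added example, not code from the Zeek documentation or project. It tags the connection record with both facts and raises a notice at connection end for sessions that stayed in cleartext despite the offer, which is where cleartext IMAP logins end up. The module name, notice name and the two added connection fields are this example's own. A STARTTLS-stripping attacker removes the capability before Zeek sees it, so this check does not catch that case; it catches clients configured to ignore the offer.

```zeek
# Added example (not part of the Zeek docs): flag IMAP sessions that ignore STARTTLS.
module IMAPWatch;

export {
	redef enum Notice::Type += { STARTTLS_Offered_Not_Used };
}

# Per-connection state; &default keeps the fields present on every connection.
redef record connection += {
	imap_starttls_offered: bool &default=F;
	imap_starttls_done: bool &default=F;
};

event imap_capabilities(c: connection, capabilities: string_vec)
	{
	# Capability tokens are case-insensitive; normalise before comparing.
	for ( i in capabilities )
		{
		if ( to_upper(capabilities[i]) == "STARTTLS" )
			c$imap_starttls_offered = T;
		}
	}

event imap_starttls(c: connection)
	{
	# The IMAP analyzer stops parsing here; the rest of the session is TLS.
	c$imap_starttls_done = T;
	}

event connection_state_remove(c: connection)
	{
	if ( c$imap_starttls_offered && ! c$imap_starttls_done )
		NOTICE([$note=STARTTLS_Offered_Not_Used, $conn=c,
		        $msg=fmt("IMAP client %s was offered STARTTLS by %s but stayed in cleartext",
		                 c$id$orig_h, c$id$resp_h),
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}
```

Implicit-TLS IMAP on 993/tcp never reaches the IMAP analyzer, so it produces neither event and no false positive here.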
Zeek::IRC¶
IRC analyzer
Components¶
Events¶
-
irc_request
¶ Type: event (c: connection, is_orig: bool, prefix: string, command: string, arguments: string)
Generated for all client-side IRC commands.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: Always true.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
command: The command.
arguments: The arguments for the command.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
Note
This event is generated only for messages that originate at the client side. Commands coming in from the remote side trigger the irc_message event instead.
-
irc_reply
¶ Type: event (c: connection, is_orig: bool, prefix: string, code: count, params: string)
Generated for all IRC replies. IRC replies are sent in response to a request and come with a reply code.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message.
code: The reply code, as specified by the protocol.
params: The reply’s parameters.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_message
¶ Type: event (c: connection, is_orig: bool, prefix: string, command: string, message: string)
Generated for IRC commands forwarded from the server to the client.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: Always false.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
command: The command.
message: TODO.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
Note
This event is generated only for messages that are forwarded by the server to the client. Commands coming from the client trigger the irc_request event instead.
-
irc_quit_message
¶ Type: event (c: connection, is_orig: bool, nick: string, message: string)
Generated for IRC messages of type quit. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname coming with the message.
message: The text included with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_privmsg_message
¶ Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)
Generated for IRC messages of type privmsg. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
source: The source of the private communication.
target: The target of the private communication.
message: The text of the communication.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_notice_message
¶ Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)
Generated for IRC messages of type notice. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
source: The source of the notice.
target: The target of the notice.
message: The text of the notice.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_squery_message
¶ Type: event (c: connection, is_orig: bool, source: string, target: string, message: string)
Generated for IRC messages of type squery. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
source: The source of the service query.
target: The target service of the query.
message: The text of the query.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_join_message
¶ Type: event (c: connection, is_orig: bool, info_list: irc_join_list)
Generated for IRC messages of type join. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
info_list: The user information coming with the command.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_part_message
¶ Type: event (c: connection, is_orig: bool, nick: string, chans: string_set, message: string)
Generated for IRC messages of type part. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname coming with the message.
chans: The set of channels affected.
message: The text coming with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_password_message
-
irc_nick_message
¶ Type: event (c: connection, is_orig: bool, who: string, newnick: string)
Generated for IRC messages of type nick. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
who: The user changing its nickname.
newnick: The new nickname.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_invalid_nick
¶ Type: event (c: connection, is_orig: bool)
Generated when a server rejects an IRC nickname.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_network_info
¶ Type: event (c: connection, is_orig: bool, users: count, services: count, servers: count)
Generated for an IRC reply of type luserclient (RPL_LUSERCLIENT, numeric 251).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
users: The number of users as returned in the reply.
services: The number of services as returned in the reply.
servers: The number of servers as returned in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_server_info
¶ Type: event (c: connection, is_orig: bool, users: count, services: count, servers: count)
Generated for an IRC reply of type luserme (RPL_LUSERME, numeric 255).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
users: The number of users as returned in the reply.
services: The number of services as returned in the reply.
servers: The number of servers as returned in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_channel_info
¶ Type: event (c: connection, is_orig: bool, chans: count)
Generated for an IRC reply of type luserchannels (RPL_LUSERCHANNELS, numeric 254).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
chans: The number of channels as returned in the reply.
See also: irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_who_line
¶ Type: event (c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string)
Generated for an IRC reply of type whoreply (RPL_WHOREPLY, numeric 352), one line per user matched by a WHO query.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
target_nick: The nickname the reply is addressed to, i.e. the client that issued the WHO query.
channel: The channel the matched user is reported in.
user: The matched user’s user name.
host: The matched user’s host.
server: The server the matched user is connected to.
nick: The matched user’s nickname.
params: The status flags of the matched user (H or G for here/gone, * for an IRC operator, @ or + for channel operator or voice).
hops: The hop count to the matched user’s server.
real_name: The matched user’s real name.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_names_info
¶ Type: event (c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
Generated for an IRC reply of type namereply (RPL_NAMREPLY, numeric 353).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
c_type: The channel type prefix of the reply: = for a public channel, * for a private one, @ for a secret one.
channel: The channel.
users: The set of users in the channel.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_whois_operator_line
¶ Type: event (c: connection, is_orig: bool, nick: string)
Generated for an IRC reply of type whoisoperator (RPL_WHOISOPERATOR, numeric 313).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname specified in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_whois_channel_line
¶ Type: event (c: connection, is_orig: bool, nick: string, chans: string_set)
Generated for an IRC reply of type whoischannels (RPL_WHOISCHANNELS, numeric 319).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname specified in the reply.
chans: The set of channels returned.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_whois_user_line
¶ Type: event (c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string)
Generated for an IRC reply of type whoisuser (RPL_WHOISUSER, numeric 311).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
nick: The nickname specified in the reply.
user: The user name specified in the reply.
host: The host name specified in the reply.
real_name: The real name specified in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_oper_response
¶ Type: event (c: connection, is_orig: bool, got_oper: bool)
Generated for IRC replies of type youreoper (RPL_YOUREOPER, numeric 381) and nooperhost (ERR_NOOPERHOST, numeric 491).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
got_oper: True if the oper command was executed successfully (youreoper) and false otherwise (nooperhost).
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_part_message, irc_password_message
-
irc_global_users
¶ Type: event (c: connection, is_orig: bool, prefix: string, msg: string)
Generated for an IRC reply of type globalusers (RPL_GLOBALUSERS, numeric 266 on most servers; not part of RFC 2812).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message.
msg: The message coming with the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_channel_topic
¶ Type: event (c: connection, is_orig: bool, channel: string, topic: string)
Generated for an IRC reply of type topic (RPL_TOPIC, numeric 332).
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
channel: The channel name specified in the reply.
topic: The topic specified in the reply.
See also: irc_channel_info, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_who_message
¶ Type: event (c: connection, is_orig: bool, mask: string, oper: bool)
Generated for IRC messages of type who. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
mask: The mask specified in the message.
oper: True if the operator flag was set.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_whois_message
¶ Type: event (c: connection, is_orig: bool, server: string, users: string)
Generated for IRC messages of type whois. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
server: TODO.
users: TODO.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
-
irc_oper_message
¶ Type: event (c: connection, is_orig: bool, user: string, password: string)
Generated for IRC messages of type oper. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
user: The user specified in the message.
password: The password specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_response, irc_part_message, irc_password_message
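Three of the IRC events above carry the material a detection engineer cares about: irc_oper_message exposes operator credentials in clear, irc_join_message shows which (possibly keyed) channels a client enters, and irc_privmsg_message, with is_orig false, shows text the server pushes at a client, which is how IRC-based command and control delivers instructions. The script below is an added example, not code from the Zeek documentation or project, and serves the irc_join_message and irc_privmsg_message entries earlier on the page as well as irc_oper_message. It assumes the irc_join_info record fields nick, channel and password as defined in Zeek's init-bare.zeek; the module name, notice names and URL pattern are this example's own.

```zeek
# Added example (not part of the Zeek docs): IRC credential, keyed-join and
# server-pushed-URL notices.
module IRCWatch;

export {
	redef enum Notice::Type += {
		Oper_Credentials_On_Wire,
		Keyed_Channel_Join,
		URL_In_Privmsg,
	};

	## Example pattern; tune or extend for your environment.
	const url_pattern = /https?:\/\/[^ ]+/ &redef;
}

event irc_oper_message(c: connection, is_orig: bool, user: string, password: string)
	{
	# OPER carries the operator password in clear. Record that it happened and
	# the password length, never the secret itself.
	NOTICE([$note=Oper_Credentials_On_Wire, $conn=c,
	        $msg=fmt("IRC OPER as '%s' from %s (password length %d)",
	                 user, c$id$orig_h, |password|),
	        $identifier=cat(c$id$orig_h, user)]);
	}

event irc_join_message(c: connection, is_orig: bool, info_list: irc_join_list)
	{
	# Only client-originated joins; the server echoes joins back as well.
	if ( ! is_orig )
		return;

	for ( j in info_list )
		{
		# A key on JOIN means the channel is access-controlled: common for
		# private bot channels, rare for ordinary chat.
		if ( j$password != "" )
			NOTICE([$note=Keyed_Channel_Join, $conn=c,
			        $msg=fmt("%s joined keyed channel %s as %s",
			                 c$id$orig_h, j$channel, j$nick),
			        $identifier=cat(c$id$orig_h, j$channel)]);
		}
	}

event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
	{
	# Server-to-client deliveries only (is_orig false): text pushed at our host.
	# Client-sent PRIVMSGs arrive with is_orig true and are skipped here.
	if ( is_orig )
		return;

	if ( url_pattern in message )
		NOTICE([$note=URL_In_Privmsg, $conn=c,
		        $msg=fmt("%s -> %s: %s", source, target, message),
		        $identifier=cat(c$id$orig_h, message)]);
	}
```

The is_orig checks matter because, as the irc_request and irc_message notes explain, the IRC analyzer sees both directions of the same command; without them every client JOIN would fire twice and every URL a user typed would be flagged as if the server had sent it.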
-
irc_kick_message
¶ Type: event (c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string)
Generated for IRC messages of type kick. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
chans: The channels specified in the message.
users: The users specified in the message.
comment: The comment specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_error_message
Type: event (c: connection, is_orig: bool, prefix: string, message: string)
Generated for IRC messages of type error. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
message: The textual description specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_invite_message
Type: event (c: connection, is_orig: bool, prefix: string, nickname: string, channel: string)
Generated for IRC messages of type invite. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
nickname: The nickname specified in the message.
channel: The channel specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_mode_message
Type: event (c: connection, is_orig: bool, prefix: string, params: string)
Generated for IRC messages of type mode. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
params: The parameters coming with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_squit_message
Type: event (c: connection, is_orig: bool, prefix: string, server: string, message: string)
Generated for IRC messages of type squit. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
server: The server specified in the message.
message: The textual description specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_dcc_message
Type: event (c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count)
Generated for IRC messages of type dcc. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
prefix: The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
target: The target specified in the message.
dcc_type: The DCC type specified in the message.
argument: The argument specified in the message.
address: The address specified in the message.
dest_port: The destination port specified in the message.
size: The size specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
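The address, port and size carried by irc_dcc_message come from the message body, not from the packet headers, so they describe where the peer is being told to connect rather than where the offer came from. The following Zeek script is an added example, not part of the Zeek distribution or of this reference: it writes every DCC offer to its own log and flags offers whose advertised address is not the IP of the host that sent the message. The module name IRC_DCC, the record Info and the log path "irc_dcc" are this example's own choices.

```zeek
##! Added example (not part of the Zeek distribution): log IRC DCC offers
##! observed via irc_dcc_message. The names IRC_DCC, Info and the log path
##! "irc_dcc" are this example's own choices, not Zeek identifiers.

@load base/frameworks/logging

module IRC_DCC;

export {
	redef enum Log::ID += { LOG };

	## One row per DCC offer observed on an IRC connection.
	type Info: record {
		ts:            time    &log;
		uid:           string  &log;
		id:            conn_id &log;
		## Nick or channel the offer was addressed to.
		target:        string  &log;
		## DCC subtype from the message, e.g. "SEND" or "CHAT".
		dcc_type:      string  &log;
		## Usually the advertised file name.
		argument:      string  &log;
		## Address and port the peer is told to connect to. These come
		## from the message body, not from the packet headers.
		address:       addr    &log;
		dest_port:     count   &log;
		size:          count   &log;
		## True when the advertised address is not the IP of the host that
		## sent the message (NAT is the benign explanation; a third-party
		## host is the case worth a second look).
		addr_mismatch: bool    &log;
	};
}

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="irc_dcc"]);
	}

event irc_dcc_message(c: connection, is_orig: bool, prefix: string,
                      target: string, dcc_type: string, argument: string,
                      address: addr, dest_port: count, size: count)
	{
	# The message may travel client->server (is_orig) or be relayed
	# server->client; use the IP of whichever side actually sent it.
	local sender = is_orig ? c$id$orig_h : c$id$resp_h;

	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
	                   $target=target, $dcc_type=dcc_type,
	                   $argument=argument, $address=address,
	                   $dest_port=dest_port, $size=size,
	                   $addr_mismatch=(address != sender)];
	Log::write(LOG, rec);
	}
```

Run it alongside the IRC analyzer (for example `zeek -r capture.pcap irc_dcc.zeek`); the resulting irc_dcc.log can be joined to conn.log on the uid to see whether the advertised address and port were in fact contacted afterwards.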

irc_user_message
Type: event (c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string)
Generated for IRC messages of type user. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
user: The user specified in the message.
host: The host name specified in the message.
server: The server name specified in the message.
real_name: The real name specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message

irc_password_message
Type: event (c: connection, is_orig: bool, password: string)
Generated for IRC messages of type password. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
c: The connection.
is_orig: True if the command was sent by the originator of the TCP connection.
password: The password specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message

irc_starttls
Type: event (c: connection)
Generated if an IRC connection switched to TLS using STARTTLS. After this event no more IRC events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.
c: The connection.
Zeek::KRB
Kerberos analyzer
Options/Constants
Types

KRB::Error_Msg
Type: record
- pvno: count &optional
  Protocol version number (5 for KRB5)
- msg_type: count &optional
  The message type (30 for ERROR_MSG)
- client_time: time &optional
  Current time on the client
- server_time: time &optional
  Current time on the server
- error_code: count
  The specific error code
- client_realm: string &optional
  Realm of the ticket
- client_name: string &optional
  Name on the ticket
- service_realm: string &optional
  Realm of the service
- service_name: string &optional
  Name of the service
- error_text: string &optional
  Additional text to explain the error
- pa_data: vector of KRB::Type_Value &optional
  Optional pre-authentication data
The data from the ERROR_MSG message. See RFC 4120.

KRB::SAFE_Msg
Type: record
- pvno: count
  Protocol version number (5 for KRB5)
- msg_type: count
  The message type (20 for SAFE_MSG)
- data: string
  The application-specific data that is being passed from the sender to the receiver
- timestamp: time &optional
  Current time from the sender of the message
- seq: count &optional
  Sequence number used to detect replays
- sender: KRB::Host_Address &optional
  Sender address
- recipient: KRB::Host_Address &optional
  Recipient address
The data from the SAFE message. See RFC 4120.

KRB::KDC_Options
Type: record
- forwardable: bool
  The ticket to be issued should have its forwardable flag set.
- forwarded: bool
  A (TGT) request for forwarding.
- proxiable: bool
  The ticket to be issued should have its proxiable flag set.
- proxy: bool
  A request for a proxy.
- allow_postdate: bool
  The ticket to be issued should have its may-postdate flag set.
- postdated: bool
  A request for a postdated ticket.
- renewable: bool
  The ticket to be issued should have its renewable flag set.
- opt_hardware_auth: bool
  Reserved for opt_hardware_auth
- disable_transited_check: bool
  Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.
- renewable_ok: bool
  If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable
- enc_tkt_in_skey: bool
  The ticket for the end server is to be encrypted in the session key from the additional TGT provided
- renew: bool
  The request is for a renewal
- validate: bool
  The request is to validate a postdated ticket.
KDC Options. See RFC 4120

KRB::Type_Value
Type: record
Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Ticket_Vector
Type: vector of KRB::Ticket

KRB::KDC_Request
Type: record
- pvno: count
  Protocol version number (5 for KRB5)
- msg_type: count
  The message type (10 for AS_REQ, 12 for TGS_REQ)
- pa_data: vector of KRB::Type_Value &optional
  Optional pre-authentication data
- kdc_options: KRB::KDC_Options &optional
  Options specified in the request
- client_name: string &optional
  Name on the ticket
- service_realm: string &optional
  Realm of the service
- service_name: string &optional
  Name of the service
- from: time &optional
  Time the ticket is good from
- till: time &optional
  Time the ticket is good till
- rtime: time &optional
  The requested renew-till time
- nonce: count &optional
  A random nonce generated by the client
- encryption_types: vector of count &optional
  The desired encryption algorithms, in order of preference
- host_addrs: vector of KRB::Host_Address &optional
  Any additional addresses the ticket should be valid for
- additional_tickets: vector of KRB::Ticket &optional
  Additional tickets may be included for certain transactions
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
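The KRB::KDC_Request record (and the KRB::KDC_Options record nested in it) is what a script sees for every AS_REQ and TGS_REQ, so it is the natural place to check what a client is asking for. The Zeek script below is an added example, not part of the Zeek distribution or of this reference: it raises a notice when a request lists only legacy encryption types in encryption_types, and mentions in the notice when the request also asked for a forwardable ticket. The events krb_as_request and krb_tgs_request are defined by the Zeek KRB analyzer but are not described in this section; the module name KRB_Legacy, the notice type and the legacy_etypes set are this example's own choices. The etype numbers are the standard ones (1 and 3 are DES, 23 is RC4-HMAC).

```zeek
##! Added example (not part of the Zeek distribution): notice KDC requests
##! that advertise only legacy encryption types. KRB_Legacy, the notice
##! type and legacy_etypes are this example's own names; krb_as_request and
##! krb_tgs_request are Zeek KRB analyzer events not listed in this section.

@load base/frameworks/notice

module KRB_Legacy;

export {
	redef enum Notice::Type += {
		## Every etype the client offered is in legacy_etypes.
		Legacy_Only_Etypes,
	};

	## Encryption types treated as legacy: 1 and 3 (DES), 23 (RC4-HMAC).
	## Constructed for this example; adjust to local policy.
	const legacy_etypes: set[count] = { 1, 3, 23 } &redef;
}

## Returns T when the request lists etypes and all of them are legacy.
function only_legacy(req: KRB::KDC_Request): bool
	{
	if ( ! req?$encryption_types || |req$encryption_types| == 0 )
		return F;

	for ( i in req$encryption_types )
		{
		if ( req$encryption_types[i] !in legacy_etypes )
			return F;
		}

	return T;
	}

function check(c: connection, req: KRB::KDC_Request, kind: string)
	{
	if ( ! only_legacy(req) )
		return;

	local who = req?$client_name ? req$client_name : "<unknown>";
	local svc = req?$service_name ? req$service_name : "<unknown>";

	# kdc_options is optional; its flags are plain bools when present.
	local opts = "";
	if ( req?$kdc_options && req$kdc_options$forwardable )
		opts = " (forwardable ticket requested)";

	NOTICE([$note=Legacy_Only_Etypes, $conn=c,
	        $msg=fmt("%s from %s for %s offers only legacy etypes%s",
	                 kind, who, svc, opts),
	        # Suppress repeats per client host and principal.
	        $identifier=cat(c$id$orig_h, who)]);
	}

event krb_as_request(c: connection, msg: KRB::KDC_Request)
	{
	check(c, msg, "AS-REQ");
	}

event krb_tgs_request(c: connection, msg: KRB::KDC_Request)
	{
	check(c, msg, "TGS-REQ");
	}
```

The check deliberately ignores requests with no encryption_types at all, since an absent vector says nothing about the client's preferences; the notice identifier keys on client host plus principal so a chatty legacy host produces one notice rather than one per ticket request.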