base/bif/plugins/Zeek_NetBIOS.events.bif.zeek
- GLOBAL
- Namespace
GLOBAL
Summary
Events
Generated for NetBIOS messages of type positive session response. |
|
Generated for NetBIOS messages of type keep-alive. |
|
Generated for all NetBIOS SSN and DGM messages. |
|
Generated for NetBIOS messages of type session message that are not carrying an SMB payload. |
|
Generated for NetBIOS messages of type negative session response. |
|
Generated for NetBIOS messages of type session request. |
|
Generated for NetBIOS messages of type retarget response. |
Detailed Interface
Events
- netbios_session_accepted
- Type
event
(c:connection
, msg:string
)
Generated for NetBIOS messages of type positive session response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also:
netbios_session_keepalive
,netbios_session_message
,netbios_session_raw_message
,netbios_session_rejected
,netbios_session_request
,netbios_session_ret_arg_resp
,decode_netbios_name
,decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_keepalive
- Type
event
(c:connection
, msg:string
)
Generated for NetBIOS messages of type keep-alive. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also:
netbios_session_accepted
,netbios_session_message
,netbios_session_raw_message
,netbios_session_rejected
,netbios_session_request
,netbios_session_ret_arg_resp
,decode_netbios_name
,decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_message
- Type
event
(c:connection
, is_orig:bool
, msg_type:count
, data_len:count
)
Generated for all NetBIOS SSN and DGM messages. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
is_orig – True if the message was sent by the originator of the connection.
msg_type – The general type of message, as defined in Section 4.3.1 of RFC 1002.
data_len – The length of the message’s payload.
See also:
netbios_session_accepted
,netbios_session_keepalive
,netbios_session_raw_message
,netbios_session_rejected
,netbios_session_request
,netbios_session_ret_arg_resp
,decode_netbios_name
,decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_raw_message
- Type
event
(c:connection
, is_orig:bool
, msg:string
)
Generated for NetBIOS messages of type session message that are not carrying an SMB payload.
NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
is_orig – True if the message was sent by the originator of the connection.
msg – The raw payload of the message sent, excluding the common NetBIOS header (i.e., the
user_data
).
See also:
netbios_session_accepted
,netbios_session_keepalive
,netbios_session_message
,netbios_session_rejected
,netbios_session_request
,netbios_session_ret_arg_resp
,decode_netbios_name
,decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
This is an oddly named event. In fact, it’s probably an odd event to have to begin with.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_rejected
- Type
event
(c:connection
, msg:string
)
Generated for NetBIOS messages of type negative session response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also:
netbios_session_accepted
,netbios_session_keepalive
,netbios_session_message
,netbios_session_raw_message
,netbios_session_request
,netbios_session_ret_arg_resp
,decode_netbios_name
,decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_request
- Type
event
(c:connection
, msg:string
)
Generated for NetBIOS messages of type session request. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also:
netbios_session_accepted
,netbios_session_keepalive
,netbios_session_message
,netbios_session_raw_message
,netbios_session_rejected
,netbios_session_ret_arg_resp
,decode_netbios_name
,decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_ret_arg_resp
- Type
event
(c:connection
, msg:string
)
Generated for NetBIOS messages of type retarget response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also:
netbios_session_accepted
,netbios_session_keepalive
,netbios_session_message
,netbios_session_raw_message
,netbios_session_rejected
,netbios_session_request
,decode_netbios_name
,decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
This is an oddly named event.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.