base/bif/plugins/Zeek_POP3.events.bif.zeek
- Namespace: GLOBAL
Summary
Events
pop3_data – Generated for server-side multi-line responses on POP3 connections.
pop3_login_failure – Generated for unsuccessful authentications on POP3 connections.
pop3_login_success – Generated for successful authentications on POP3 connections.
pop3_reply – Generated for server-side replies to commands on POP3 connections.
pop3_request – Generated for client-side commands on POP3 connections.
pop3_starttls – Generated when a POP3 connection goes encrypted.
pop3_unexpected – Generated for errors encountered on POP3 sessions.
Detailed Interface
Events
- pop3_data
- Type
event (c: connection, is_orig: bool, data: string)
Generated for server-side multi-line responses on POP3 connections. POP3 connections use multi-line responses to send bulk data, such as the actual mails. This event is generated once for each line that’s part of such a response.
See Wikipedia for more information about the POP3 protocol.
- Parameters
c – The connection.
is_orig – True if the data was sent by the originator of the TCP connection.
data – The data sent.
See also: pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_login_failure
- Type
event (c: connection, is_orig: bool, user: string, password: string)
Generated for unsuccessful authentications on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
- Parameters
c – The connection.
is_orig – Always false.
user – The user name attempted for authentication. The event is only generated if a non-empty user name was used.
password – The password attempted for authentication.
See also: pop3_data, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_login_success
- Type
event (c: connection, is_orig: bool, user: string, password: string)
Generated for successful authentications on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
- Parameters
c – The connection.
is_orig – Always false.
user – The user name used for authentication. The event is only generated if a non-empty user name was used.
password – The password used for authentication.
See also: pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_reply
- Type
event (c: connection, is_orig: bool, cmd: string, msg: string)
Generated for server-side replies to commands on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
- Parameters
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
cmd – The success indicator sent by the server. This corresponds to the first token on the line sent, and should be either OK or ERR.
msg – The textual description the server sent along with cmd.
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_request, pop3_unexpected
Todo
This event is receiving odd parameters, should unify.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_request
- Type
event (c: connection, is_orig: bool, command: string, arg: string)
Generated for client-side commands on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
- Parameters
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
command – The command sent.
arg – The argument to the command.
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_starttls
- Type
event (c: connection)
Generated when a POP3 connection goes encrypted. While POP3 is by default a clear-text protocol, extensions exist to switch to encryption. This event is generated if that happens and the analyzer then stops processing the connection.
See Wikipedia for more information about the POP3 protocol.
- Parameters
c – The connection.
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_unexpected
- Type
event (c: connection, is_orig: bool, msg: string, detail: string)
Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds state transitions that do not conform to the protocol specification, or other situations it can’t handle, it raises this event.
See Wikipedia for more information about the POP3 protocol.
- Parameters
c – The connection.
is_orig – True if the data was sent by the originator of the TCP connection.
msg – A textual description of the situation.
detail – The input that triggered the event.
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
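The Todo notes above state that the POP3 analyzer is not activated by default and needs a port registered for it. The following script is an added example, not part of the Zeek distribution: it registers 110/tcp for the analyzer and uses pop3_login_failure to raise a notice when one originator accumulates repeated failed logins. The module name, notice type, threshold and expiry interval are assumptions chosen for illustration.

```zeek
# Added example, not part of the Zeek distribution. The module name, notice
# type, threshold and expiry interval are assumptions made for illustration.
@load base/frameworks/notice

module POP3Detect;

export {
	redef enum Notice::Type += {
		## Raised when one originator reaches the failure threshold.
		Login_Failures,
	};

	## Number of failed logins per originator before a notice is raised.
	const failure_threshold = 5 &redef;
}

# Failure counter per originator; entries expire 10 minutes after creation.
global failures: table[addr] of count &create_expire=10min;

event zeek_init()
	{
	# The default configuration does not activate the POP3 analyzer, so
	# register the standard POP3 port for it explicitly.
	Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, set(110/tcp));
	}

event pop3_login_failure(c: connection, is_orig: bool, user: string, password: string)
	{
	local src = c$id$orig_h;

	if ( src !in failures )
		failures[src] = 0;

	++failures[src];

	# Raise the notice once, when the threshold is first reached. The
	# password parameter is deliberately kept out of the message so that
	# clear-text credentials do not end up in notice.log.
	if ( failures[src] == failure_threshold )
		NOTICE([$note=Login_Failures, $conn=c, $src=src,
		        $msg=fmt("%d failed POP3 logins from %s (last user: %s)",
		                 failures[src], src, user)]);
	}
```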