base/bif/plugins/Zeek_DNP3.events.bif.zeek

Namespace: GLOBAL

Summary

Events

dnp3_analog_input_16wFlag: event

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_16woFlag: event

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_32wFlag: event

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_32woFlag: event

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_DPwFlag: event

Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, floating point with flag

dnp3_analog_input_SPwFlag: event

Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, floating point with flag

dnp3_analog_input_event_16wTime: event

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_16woTime: event

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime: event

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_32woTime: event

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_DPwTime: event

Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precision floating point with time

dnp3_analog_input_event_DPwoTime: event

Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision floating point without time

dnp3_analog_input_event_SPwTime: event

Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision floating point with time

dnp3_analog_input_event_SPwoTime: event

Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision floating point without time

dnp3_application_request_header: event

Generated for a DNP3 request header.

dnp3_application_response_header: event

Generated for a DNP3 response header.

dnp3_attribute_common: event

Generated for DNP3 attributes.

dnp3_counter_16wFlag: event

Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag

dnp3_counter_16woFlag: event

Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag

dnp3_counter_32wFlag: event

Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag

dnp3_counter_32woFlag: event

Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag

dnp3_crob: event

Generated for DNP3 objects with the group number 12 and variation number 1 CROB: control relay output block

dnp3_debug_byte: event

Debugging event generated by the DNP3 analyzer.

dnp3_file_transport: event

Generated for DNP3 file transport objects (g70, i.e. group number 70).

dnp3_frozen_analog_input_16wFlag: event

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_16wTime: event

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_16woFlag: event

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_32wFlag: event

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_32wTime: event

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag: event

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_DPwFlag: event

Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, floating point with flag

dnp3_frozen_analog_input_SPwFlag: event

Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, floating point with flag

dnp3_frozen_analog_input_event_16wTime: event

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_16woTime: event

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime: event

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_32woTime: event

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_DPwTime: event

Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision floating point with time

dnp3_frozen_analog_input_event_DPwoTime: event

Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision floating point without time

dnp3_frozen_analog_input_event_SPwTime: event

Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision floating point with time

dnp3_frozen_analog_input_event_SPwoTime: event

Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision floating point without time

dnp3_frozen_counter_16wFlag: event

Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag

dnp3_frozen_counter_16wFlagTime: event

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_16woFlag: event

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_frozen_counter_32wFlag: event

Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag

dnp3_frozen_counter_32wFlagTime: event

Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time

dnp3_frozen_counter_32woFlag: event

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_header_block: event

Generated for an additional header that the DNP3 analyzer passes to the script-level.

dnp3_object_header: event

Generated for the object header found in both DNP3 requests and responses.

dnp3_object_prefix: event

Generated for the prefix before a DNP3 object.

dnp3_pcb: event

Generated for DNP3 objects with the group number 12 and variation number 2 PCB: Pattern Control Block

dnp3_response_data_object: event

Generated for a DNP3 “Response_Data_Object”.

Detailed Interface

Events

dnp3_analog_input_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_16woFlag
Type

event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_32woFlag
Type

event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_DPwFlag
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, floating point with flag

dnp3_analog_input_SPwFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, floating point with flag

dnp3_analog_input_event_16wTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_16woTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_32woTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_DPwTime
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precision floating point with time

dnp3_analog_input_event_DPwoTime
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision floating point without time

dnp3_analog_input_event_SPwTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision floating point with time

dnp3_analog_input_event_SPwoTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision floating point without time

dnp3_application_request_header
Type

event (c: connection, is_orig: bool, application: count, fc: count)

Generated for a DNP3 request header.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • fc – function code.

dnp3_application_response_header
Type

event (c: connection, is_orig: bool, application: count, fc: count, iin: count)

Generated for a DNP3 response header.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • fc – function code.

  • iin – internal indication number.

dnp3_attribute_common
Type

event (c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)

Generated for DNP3 attributes.

dnp3_counter_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag

dnp3_counter_16woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag

dnp3_counter_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag

dnp3_counter_32woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag

dnp3_crob
Type

event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 1 CROB: control relay output block

dnp3_debug_byte
Type

event (c: connection, is_orig: bool, debug: string)

Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for unknown “cases”. The user can use it to debug the byte string to check what caused the malformed network packets.

dnp3_file_transport
Type

event (c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string)

Generated for DNP3 file transport objects (g70, i.e. group number 70).

dnp3_frozen_analog_input_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_16wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_16woFlag
Type

event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_32wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag
Type

event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_DPwFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, floating point with flag

dnp3_frozen_analog_input_SPwFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, floating point with flag

dnp3_frozen_analog_input_event_16wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_16woTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_32woTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_DPwTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)

Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision floating point with time

dnp3_frozen_analog_input_event_DPwoTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision floating point without time

dnp3_frozen_analog_input_event_SPwTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision floating point with time

dnp3_frozen_analog_input_event_SPwoTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision floating point without time

dnp3_frozen_counter_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag

dnp3_frozen_counter_16wFlagTime
Type

event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_16woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_frozen_counter_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag

dnp3_frozen_counter_32wFlagTime
Type

event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time

dnp3_frozen_counter_32woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_header_block
Type

event (c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)

Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • len – the “length” field in the DNP3 Pseudo Link Layer.

  • ctrl – the “control” field in the DNP3 Pseudo Link Layer.

  • dest_addr – the “destination” field in the DNP3 Pseudo Link Layer.

  • src_addr – the “source” field in the DNP3 Pseudo Link Layer.

dnp3_object_header
Type

event (c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)

Generated for the object header found in both DNP3 requests and responses.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • obj_type – type of object, which is classified based on an 8-bit group number and an 8-bit variation number.

  • qua_field – qualifier field.

  • number – TODO.

  • rf_low – the structure of the range field depends on the qualifier field. In some cases, the range field contains only one logic part, e.g., number of objects, so only rf_low contains useful values.

  • rf_high – in some cases, the range field contains two logic parts, e.g., start index and stop index, so rf_low contains the start index while rf_high contains the stop index.

dnp3_object_prefix
Type

event (c: connection, is_orig: bool, prefix_value: count)

Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • prefix_value – The prefix.

dnp3_pcb
Type

event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 2 PCB: Pattern Control Block

dnp3_response_data_object
Type

event (c: connection, is_orig: bool, data_value: count)

Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • data_value – The value for those objects that carry their information here directly.
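
The following script is an added example, not part of the Zeek distribution. It shows how dnp3_application_request_header, dnp3_object_header and dnp3_crob can be combined to monitor control operations. The module name DNP3Control, the notice types, watched_fcs and last_header are hypothetical names; the function-code numbers are the standard DNP3 application-layer request codes, and the split of obj_type into a high group byte and a low variation byte is an assumption about how the analyzer packs the two 8-bit numbers.

```zeek
@load base/frameworks/notice
@load base/protocols/dnp3

module DNP3Control;

export {
	redef enum Notice::Type += {
		## A request function code that can change outstation state.
		State_Changing_Request,
		## A control relay output block (group 12, variation 1) was seen.
		CROB_Observed,
	};

	## Request function codes to alert on (hypothetical default set).
	const watched_fcs: table[count] of string = {
		[3] = "SELECT",
		[4] = "OPERATE",
		[5] = "DIRECT_OPERATE",
		[6] = "DIRECT_OPERATE_NR",
		[13] = "COLD_RESTART",
		[14] = "WARM_RESTART",
	} &redef;
}

# Most recent object header per connection UID, kept so that a CROB
# notice can report the range the control was addressed to.
global last_header: table[string] of string &create_expire=5min;

event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count)
	{
	if ( fc !in watched_fcs )
		return;

	NOTICE([$note=State_Changing_Request, $conn=c,
	        $msg=fmt("DNP3 %s (fc=%d) sent to %s", watched_fcs[fc], fc, c$id$resp_h)]);
	}

event dnp3_object_header(c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)
	{
	# Assumption: group number in the high byte, variation in the low byte.
	local grp = obj_type / 256;
	local variation = obj_type % 256;

	# rf_high is only meaningful when the qualifier selects a start/stop
	# range; both values are recorded and interpreted by the analyst.
	last_header[c$uid] = fmt("g%dv%d qualifier=0x%x rf_low=%d rf_high=%d",
	                         grp, variation, qua_field, rf_low, rf_high);
	}

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)
	{
	local hdr = ( c$uid in last_header ) ? last_header[c$uid] : "no object header seen";

	NOTICE([$note=CROB_Observed, $conn=c,
	        $msg=fmt("DNP3 CROB is_orig=%s control_code=0x%x count=%d on_time=%d off_time=%d status=%d (%s)",
	                 is_orig, control_code, count8, on_time, off_time, status_code, hdr)]);
	}
```

CROB objects also appear in responses that echo the request, so the is_orig value in the notice message distinguishes the commanding side from the acknowledging side.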