base/bif/plugins/Zeek_MIME.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary

Events

mime_all_data: event

Generated for passing on all data decoded from a single email MIME message.

mime_all_headers: event

Generated for MIME headers extracted from email MIME entities, passing all headers at once.

mime_begin_entity: event

Generated when starting to parse an email MIME entity.

mime_content_hash: event

Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums.

mime_end_entity: event

Generated when finishing parsing an email MIME entity.

mime_entity_data: event

Generated for data decoded from an email MIME entity.

mime_event: event

Generated for errors found when decoding email MIME entities.

mime_one_header: event

Generated for individual MIME headers extracted from email MIME entities.

mime_segment_data: event

Generated for chunks of decoded MIME data from email MIME entities.

Detailed Interface

Events

mime_all_data
Type

event (c: connection, length: count, data: string)

Generated for passing on all data decoded from a single email MIME message. If an email message has more than one MIME entity, this event combines all their data into a single value for analysis. Note that because of the potentially significant buffering necessary, using this event can be expensive.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

  • c – The connection.

  • length – The length of data.

  • data – The raw data of all MIME entities concatenated.

See also: mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_all_headers
Type

event (c: connection, hlist: mime_header_list)

Generated for MIME headers extracted from email MIME entities, passing all headers at once. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

  • c – The connection.

  • hlist – A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

See also: mime_all_data, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, http_header, http_all_headers

Note

Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_begin_entity
Type

event (c: connection)

Generated when starting to parse an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Zeek raises this event when it begins parsing a MIME entity extracted from an email protocol.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

c – The connection.

See also: mime_all_data, mime_all_headers, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, http_begin_entity

Note

Zeek also extracts MIME entities from HTTP sessions. For those, however, it raises http_begin_entity instead.

mime_content_hash
Type

event (c: connection, content_len: count, hash_value: string)

Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. Zeek computes the MD5 over the complete decoded data of each MIME entity.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

  • c – The connection.

  • content_len – The length of the entity being hashed.

  • hash_value – The MD5 hash.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_end_entity
Type

event (c: connection)

Generated when finishing parsing an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Zeek raises this event when it finished parsing a MIME entity extracted from an email protocol.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

c – The connection.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, http_end_entity

Note

Zeek also extracts MIME entities from HTTP sessions. For those, however, it raises http_end_entity instead.

mime_entity_data
Type

event (c: connection, length: count, data: string)

Generated for data decoded from an email MIME entity. This event delivers the complete content of a single MIME entity with the quoted-printable and and base64 data decoded. In contrast, there is also mime_segment_data, which passes on a sequence of data chunks as they come in. While mime_entity_data is more convenient to handle, mime_segment_data is more efficient as Zeek does not need to buffer the data. Thus, if possible, the latter should be preferred.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

  • c – The connection.

  • length – The length of data.

  • data – The raw data of the complete entity.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_event, mime_one_header, mime_segment_data

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_event
Type

event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding email MIME entities.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

  • c – The connection.

  • event_type – A string describing the general category of the problem found (e.g., illegal format).

  • detail – Further more detailed description of the error.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_one_header, mime_segment_data, http_event

Note

Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_event instead.

mime_one_header
Type

event (c: connection, h: mime_header_rec)

Generated for individual MIME headers extracted from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

  • c – The connection.

  • h – The parsed MIME header.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_segment_data, http_header, http_all_headers

Note

Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_segment_data
Type

event (c: connection, length: count, data: string)

Generated for chunks of decoded MIME data from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. As Zeek parses the data of an entity, it raises a sequence of these events, each coming as soon as a new chunk of data is available. In contrast, there is also mime_entity_data, which passes all of an entities data at once in a single block. While the latter is more convenient to handle, mime_segment_data is more efficient as Zeek does not need to buffer the data. Thus, if possible, this event should be preferred.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

Parameters

  • c – The connection.

  • length – The length of data.

  • data – The raw data of one segment of the current entity.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, http_entity_data, mime_segment_length, mime_segment_overlap_length

Note

Zeek also extracts MIME data from HTTP sessions. For those, however, it raises http_entity_data (sic!) instead.