Protocol Analyzers
- Analyzer::Tag
- Type: enum
- Analyzer::ANALYZER_BITTORRENT
- Analyzer::ANALYZER_BITTORRENTTRACKER
- Analyzer::ANALYZER_CONNSIZE
- Analyzer::ANALYZER_DCE_RPC
- Analyzer::ANALYZER_DHCP
- Analyzer::ANALYZER_DNP3_TCP
- Analyzer::ANALYZER_DNP3_UDP
- Analyzer::ANALYZER_CONTENTS_DNS
- Analyzer::ANALYZER_DNS
- Analyzer::ANALYZER_FTP_DATA
- Analyzer::ANALYZER_FTP
- Analyzer::ANALYZER_FTP_ADAT
- Analyzer::ANALYZER_GNUTELLA
- Analyzer::ANALYZER_GSSAPI
- Analyzer::ANALYZER_HTTP
- Analyzer::ANALYZER_ICMP
- Analyzer::ANALYZER_IDENT
- Analyzer::ANALYZER_IMAP
- Analyzer::ANALYZER_IRC
- Analyzer::ANALYZER_IRC_DATA
- Analyzer::ANALYZER_KRB
- Analyzer::ANALYZER_KRB_TCP
- Analyzer::ANALYZER_CONTENTS_RLOGIN
- Analyzer::ANALYZER_CONTENTS_RSH
- Analyzer::ANALYZER_LOGIN
- Analyzer::ANALYZER_NVT
- Analyzer::ANALYZER_RLOGIN
- Analyzer::ANALYZER_RSH
- Analyzer::ANALYZER_TELNET
- Analyzer::ANALYZER_MODBUS
- Analyzer::ANALYZER_MQTT
- Analyzer::ANALYZER_MYSQL
- Analyzer::ANALYZER_CONTENTS_NCP
- Analyzer::ANALYZER_NCP
- Analyzer::ANALYZER_CONTENTS_NETBIOSSSN
- Analyzer::ANALYZER_NETBIOSSSN
- Analyzer::ANALYZER_NTLM
- Analyzer::ANALYZER_NTP
- Analyzer::ANALYZER_PIA_TCP
- Analyzer::ANALYZER_PIA_UDP
- Analyzer::ANALYZER_POP3
- Analyzer::ANALYZER_RADIUS
- Analyzer::ANALYZER_RDP
- Analyzer::ANALYZER_RDPEUDP
- Analyzer::ANALYZER_RFB
- Analyzer::ANALYZER_CONTENTS_NFS
- Analyzer::ANALYZER_CONTENTS_RPC
- Analyzer::ANALYZER_MOUNT
- Analyzer::ANALYZER_NFS
- Analyzer::ANALYZER_PORTMAPPER
- Analyzer::ANALYZER_SIP
- Analyzer::ANALYZER_CONTENTS_SMB
- Analyzer::ANALYZER_SMB
- Analyzer::ANALYZER_SMTP
- Analyzer::ANALYZER_SMTP_BDAT
- Analyzer::ANALYZER_SNMP
- Analyzer::ANALYZER_SOCKS
- Analyzer::ANALYZER_FINGER
- Analyzer::ANALYZER_LDAP_TCP
- Analyzer::ANALYZER_LDAP_UDP
- Analyzer::ANALYZER_POSTGRESQL
- Analyzer::ANALYZER_QUIC
- Analyzer::ANALYZER_SYSLOG
- Analyzer::ANALYZER_SPICY_WEBSOCKET
- Analyzer::ANALYZER_SSH
- Analyzer::ANALYZER_DTLS
- Analyzer::ANALYZER_SSL
- Analyzer::ANALYZER_STREAM_EVENT
- Analyzer::ANALYZER_CONTENTLINE
- Analyzer::ANALYZER_CONTENTS
- Analyzer::ANALYZER_TCPSTATS
- Analyzer::ANALYZER_TCP
- Analyzer::ANALYZER_UDP
- Analyzer::ANALYZER_UNKNOWN_IP_TRANSPORT
- Analyzer::ANALYZER_WEBSOCKET
- Analyzer::ANALYZER_XMPP
- Analyzer::ANALYZER_ZIP
- AllAnalyzers::Tag
- Type: enum
- AllAnalyzers::PACKETANALYZER_ANALYZER_ARP
- AllAnalyzers::PACKETANALYZER_ANALYZER_AYIYA
- AllAnalyzers::ANALYZER_ANALYZER_BITTORRENT
- AllAnalyzers::ANALYZER_ANALYZER_BITTORRENTTRACKER
- AllAnalyzers::ANALYZER_ANALYZER_CONNSIZE
- AllAnalyzers::ANALYZER_ANALYZER_DCE_RPC
- AllAnalyzers::ANALYZER_ANALYZER_DHCP
- AllAnalyzers::ANALYZER_ANALYZER_DNP3_TCP
- AllAnalyzers::ANALYZER_ANALYZER_DNP3_UDP
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_DNS
- AllAnalyzers::ANALYZER_ANALYZER_DNS
- AllAnalyzers::PACKETANALYZER_ANALYZER_ETHERNET
- AllAnalyzers::PACKETANALYZER_ANALYZER_FDDI
- AllAnalyzers::ANALYZER_ANALYZER_FTP_DATA
- AllAnalyzers::FILES_ANALYZER_DATA_EVENT
- AllAnalyzers::FILES_ANALYZER_ENTROPY
- AllAnalyzers::FILES_ANALYZER_EXTRACT
- AllAnalyzers::FILES_ANALYZER_MD5
- AllAnalyzers::FILES_ANALYZER_SHA1
- AllAnalyzers::FILES_ANALYZER_SHA256
- AllAnalyzers::ANALYZER_ANALYZER_FTP
- AllAnalyzers::ANALYZER_ANALYZER_FTP_ADAT
- AllAnalyzers::PACKETANALYZER_ANALYZER_GENEVE
- AllAnalyzers::ANALYZER_ANALYZER_GNUTELLA
- AllAnalyzers::PACKETANALYZER_ANALYZER_GRE
- AllAnalyzers::ANALYZER_ANALYZER_GSSAPI
- AllAnalyzers::PACKETANALYZER_ANALYZER_GTPV1
- AllAnalyzers::ANALYZER_ANALYZER_HTTP
- AllAnalyzers::PACKETANALYZER_ANALYZER_ICMP
- AllAnalyzers::ANALYZER_ANALYZER_ICMP
- AllAnalyzers::ANALYZER_ANALYZER_IDENT
- AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11
- AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11_RADIO
- AllAnalyzers::ANALYZER_ANALYZER_IMAP
- AllAnalyzers::PACKETANALYZER_ANALYZER_IP
- AllAnalyzers::PACKETANALYZER_ANALYZER_IPTUNNEL
- AllAnalyzers::ANALYZER_ANALYZER_IRC
- AllAnalyzers::ANALYZER_ANALYZER_IRC_DATA
- AllAnalyzers::ANALYZER_ANALYZER_KRB
- AllAnalyzers::ANALYZER_ANALYZER_KRB_TCP
- AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL
- AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL2
- AllAnalyzers::PACKETANALYZER_ANALYZER_LLC
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RLOGIN
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RSH
- AllAnalyzers::ANALYZER_ANALYZER_LOGIN
- AllAnalyzers::ANALYZER_ANALYZER_NVT
- AllAnalyzers::ANALYZER_ANALYZER_RLOGIN
- AllAnalyzers::ANALYZER_ANALYZER_RSH
- AllAnalyzers::ANALYZER_ANALYZER_TELNET
- AllAnalyzers::ANALYZER_ANALYZER_MODBUS
- AllAnalyzers::PACKETANALYZER_ANALYZER_MPLS
- AllAnalyzers::ANALYZER_ANALYZER_MQTT
- AllAnalyzers::ANALYZER_ANALYZER_MYSQL
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NCP
- AllAnalyzers::ANALYZER_ANALYZER_NCP
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NETBIOSSSN
- AllAnalyzers::ANALYZER_ANALYZER_NETBIOSSSN
- AllAnalyzers::PACKETANALYZER_ANALYZER_NFLOG
- AllAnalyzers::PACKETANALYZER_ANALYZER_NOVELL_802_3
- AllAnalyzers::ANALYZER_ANALYZER_NTLM
- AllAnalyzers::ANALYZER_ANALYZER_NTP
- AllAnalyzers::PACKETANALYZER_ANALYZER_NULL
- AllAnalyzers::PACKETANALYZER_ANALYZER_PBB
- AllAnalyzers::FILES_ANALYZER_PE
- AllAnalyzers::ANALYZER_ANALYZER_PIA_TCP
- AllAnalyzers::ANALYZER_ANALYZER_PIA_UDP
- AllAnalyzers::ANALYZER_ANALYZER_POP3
- AllAnalyzers::PACKETANALYZER_ANALYZER_PPP
- AllAnalyzers::PACKETANALYZER_ANALYZER_PPPOE
- AllAnalyzers::PACKETANALYZER_ANALYZER_PPPSERIAL
- AllAnalyzers::ANALYZER_ANALYZER_RADIUS
- AllAnalyzers::ANALYZER_ANALYZER_RDP
- AllAnalyzers::ANALYZER_ANALYZER_RDPEUDP
- AllAnalyzers::ANALYZER_ANALYZER_RFB
- AllAnalyzers::PACKETANALYZER_ANALYZER_ROOT
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NFS
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RPC
- AllAnalyzers::ANALYZER_ANALYZER_MOUNT
- AllAnalyzers::ANALYZER_ANALYZER_NFS
- AllAnalyzers::ANALYZER_ANALYZER_PORTMAPPER
- AllAnalyzers::ANALYZER_ANALYZER_SIP
- AllAnalyzers::PACKETANALYZER_ANALYZER_SKIP
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_SMB
- AllAnalyzers::ANALYZER_ANALYZER_SMB
- AllAnalyzers::ANALYZER_ANALYZER_SMTP
- AllAnalyzers::ANALYZER_ANALYZER_SMTP_BDAT
- AllAnalyzers::PACKETANALYZER_ANALYZER_SNAP
- AllAnalyzers::ANALYZER_ANALYZER_SNMP
- AllAnalyzers::ANALYZER_ANALYZER_SOCKS
- AllAnalyzers::ANALYZER_ANALYZER_FINGER
- AllAnalyzers::ANALYZER_ANALYZER_LDAP_TCP
- AllAnalyzers::ANALYZER_ANALYZER_LDAP_UDP
- AllAnalyzers::ANALYZER_ANALYZER_POSTGRESQL
- AllAnalyzers::ANALYZER_ANALYZER_QUIC
- AllAnalyzers::ANALYZER_ANALYZER_SYSLOG
- AllAnalyzers::ANALYZER_ANALYZER_SPICY_WEBSOCKET
- AllAnalyzers::ANALYZER_ANALYZER_SSH
- AllAnalyzers::ANALYZER_ANALYZER_DTLS
- AllAnalyzers::ANALYZER_ANALYZER_SSL
- AllAnalyzers::ANALYZER_ANALYZER_STREAM_EVENT
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTLINE
- AllAnalyzers::ANALYZER_ANALYZER_CONTENTS
- AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS
- AllAnalyzers::PACKETANALYZER_ANALYZER_TCP
- AllAnalyzers::ANALYZER_ANALYZER_TCP
- AllAnalyzers::PACKETANALYZER_ANALYZER_TEREDO
- AllAnalyzers::PACKETANALYZER_ANALYZER_UDP
- AllAnalyzers::ANALYZER_ANALYZER_UDP
- AllAnalyzers::PACKETANALYZER_ANALYZER_UNKNOWN_IP_TRANSPORT
- AllAnalyzers::ANALYZER_ANALYZER_UNKNOWN_IP_TRANSPORT
- AllAnalyzers::PACKETANALYZER_ANALYZER_VLAN
- AllAnalyzers::PACKETANALYZER_ANALYZER_VNTAG
- AllAnalyzers::PACKETANALYZER_ANALYZER_VXLAN
- AllAnalyzers::ANALYZER_ANALYZER_WEBSOCKET
- AllAnalyzers::FILES_ANALYZER_OCSP_REPLY
- AllAnalyzers::FILES_ANALYZER_OCSP_REQUEST
- AllAnalyzers::FILES_ANALYZER_X509
- AllAnalyzers::ANALYZER_ANALYZER_XMPP
- AllAnalyzers::ANALYZER_ANALYZER_ZIP
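The two tag enums above are what the Analyzer framework's script-level API takes. As an added example (it is not part of the Zeek documentation or of Zeek's base scripts), the following script switches off parsers a site does not need and pins one analyzer to a non-standard port. Every protocol parser consumes attacker-controlled bytes, so disabling unused ones is a cheap attack-surface reduction. Which analyzers to disable, and the port 8081/tcp for an internal HTTP service, are assumptions for an example site.

```zeek
# Attack-surface trimming and port registration for Zeek's protocol analyzers.
# Added example; the analyzer selection and the port are site-specific assumptions.
@load base/frameworks/analyzer

# Legacy clear-text protocols this example site does not run. Adding a tag here
# keeps the parser from ever being attached to a connection.
redef Analyzer::disabled_analyzers += {
    Analyzer::ANALYZER_RLOGIN,
    Analyzer::ANALYZER_RSH,
    Analyzer::ANALYZER_FINGER,
    Analyzer::ANALYZER_IDENT,
    Analyzer::ANALYZER_GNUTELLA,
};

event zeek_init()
{
    # Attach the HTTP analyzer to an internal service on a non-standard port
    # (assumption: 8081/tcp), in addition to the usual DPD-based detection.
    if ( ! Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8081/tcp) )
        Reporter::warning("could not register HTTP analyzer for 8081/tcp");

    # Print what is actually switched off, so the configuration is auditable.
    for ( tag in Analyzer::disabled_analyzers )
        print fmt("analyzer disabled: %s", tag);
}
```

Disabling an analyzer also silences every event it would have raised, so check that no detection script depends on it first.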
Zeek::BitTorrent
BitTorrent Analyzer
Components
Events
- bittorrent_peer_handshake
-
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_keep_alive
- Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_choke
- Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_unchoke
- Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_interested
- Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_not_interested
- Type: event (c: connection, is_orig: bool)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_have
- Type: event (c: connection, is_orig: bool, piece_index: count)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_bitfield
- Type: event (c: connection, is_orig: bool, bitfield: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_request
-
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_piece
-
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_cancel
-
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_port
- Type: event (c: connection, is_orig: bool, listen_port: port)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bittorrent_peer_unknown
- Type: event (c: connection, is_orig: bool, message_id: count, data: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_weird
- bittorrent_peer_weird
- Type: event (c: connection, is_orig: bool, msg: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown
- bt_tracker_request
- Type: event (c: connection, uri: string, headers: bt_tracker_headers)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bt_tracker_response
- Type: event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bt_tracker_response_not_ok
- Type: event (c: connection, status: count, headers: bt_tracker_headers)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
- bt_tracker_weird
- Type: event (c: connection, is_orig: bool, msg: string)
TODO.
See Wikipedia for more information about the BitTorrent protocol.
See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird
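The reference above lists the events but gives no usage. The following script is an added example, not part of Zeek or its documentation, showing how a network defender would use the tracker and peer-wire events to spot BitTorrent use from hosts that are not allowed to run it. It only uses events whose signatures appear above. Assumptions: the BitTorrent analyzers are attached to the traffic (by DPD signature or port registration), the tracker URI carries the info_hash as an ordinary query parameter, and the allowed_hosts set is site-specific and empty by default.

```zeek
# Added example: notice BitTorrent tracker announces and peer-wire port
# advertisements from hosts not on an allow list.
@load base/frameworks/notice

module BTWatch;

export {
    redef enum Notice::Type += {
        ## A host announced itself to a BitTorrent tracker.
        Tracker_Announce,
        ## A host advertised a BitTorrent listening port to a peer.
        Peer_Port_Advertised,
    };

    ## Hosts permitted to use BitTorrent (assumption: site-specific, empty here).
    option allowed_hosts: set[addr] = {};
}

# Pull the info_hash= query parameter out of the tracker URI, if present.
# Assumption: the announce URI is "/announce?info_hash=...&peer_id=...".
function extract_info_hash(uri: string): string
{
    local parts = split_string(uri, /[?&]/);
    for ( i in parts )
    {
        if ( parts[i] == /^info_hash=.*/ )
            return sub(parts[i], /^info_hash=/, "");
    }
    return "";
}

event bt_tracker_request(c: connection, uri: string, headers: bt_tracker_headers)
{
    if ( c$id$orig_h in allowed_hosts )
        return;

    local ih = extract_info_hash(uri);
    NOTICE([$note=Tracker_Announce, $conn=c,
            $msg=fmt("%s announced to BitTorrent tracker %s", c$id$orig_h, c$id$resp_h),
            $sub=ih,
            $identifier=cat(c$id$orig_h, ih),
            $suppress_for=1hr]);
}

event bt_tracker_response(c: connection, status: count, headers: bt_tracker_headers,
                          peers: bittorrent_peer_set, benc: bittorrent_benc_dir)
{
    # A successful announce returns the peer list the client will contact next;
    # its size is a useful hint about how active the swarm is.
    print fmt("%s: tracker %s answered status %d with %d peers",
              c$uid, c$id$resp_h, status, |peers|);
}

event bittorrent_peer_port(c: connection, is_orig: bool, listen_port: port)
{
    local h = is_orig ? c$id$orig_h : c$id$resp_h;
    if ( h in allowed_hosts )
        return;

    NOTICE([$note=Peer_Port_Advertised, $conn=c,
            $msg=fmt("%s advertised BitTorrent listen port %s", h, listen_port),
            $identifier=cat(h, listen_port),
            $suppress_for=1hr]);
}

event bittorrent_peer_weird(c: connection, is_orig: bool, msg: string)
{
    # Protocol violations on the peer wire: either a broken client or something
    # that is not BitTorrent at all running where the analyzer was attached.
    print fmt("%s: bittorrent peer weird from %s: %s",
              c$uid, is_orig ? "originator" : "responder", msg);
}
```

The tracker handler keys its notice on the info_hash so one client announcing the same torrent repeatedly produces one notice per hour, while different torrents from the same host are still reported separately.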
Zeek::Cluster_WebSocket
Provides WebSocket access to a Zeek cluster
Components
Events
- Cluster::websocket_client_added
- Type: event (endpoint: Cluster::EndpointInfo, subscriptions: string_vec)
Generated when a new WebSocket client has connected.
- Parameters:
endpoint – Various information about the WebSocket client.
subscriptions – The WebSocket client's subscriptions as provided in the handshake.
- Cluster::websocket_client_lost
- Type: event (endpoint: Cluster::EndpointInfo)
Generated when a WebSocket client was lost.
- Parameters:
endpoint – Various information about the WebSocket client.
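A WebSocket client that can subscribe to cluster topics is a control-plane peer, so its connections and subscriptions deserve an audit trail. The script below is an added example (not from Zeek's own scripts) that keeps a table of connected clients and warns when one subscribes outside an allow list of topic prefixes. Assumptions: Cluster::EndpointInfo exposes a string field id that uniquely names the client, and the allowed_prefixes values are placeholders for a real deployment.

```zeek
# Added example: audit WebSocket clients attaching to the cluster.
module WSAudit;

export {
    ## Topic prefixes a WebSocket client is expected to subscribe to
    ## (assumption: placeholders for a real site).
    option allowed_prefixes: set[string] = { "zeek/event/", "my_app/" };
}

# Currently connected clients, keyed by endpoint id (assumed field of
# Cluster::EndpointInfo), with the subscriptions they presented.
global clients: table[string] of string_vec;

function prefix_allowed(topic: string): bool
{
    for ( p in allowed_prefixes )
        if ( starts_with(topic, p) )
            return T;
    return F;
}

event Cluster::websocket_client_added(endpoint: Cluster::EndpointInfo, subscriptions: string_vec)
{
    clients[endpoint$id] = subscriptions;
    print fmt("websocket client %s connected with %d subscriptions",
              endpoint$id, |subscriptions|);

    for ( i in subscriptions )
    {
        local t = subscriptions[i];
        if ( ! prefix_allowed(t) )
            Reporter::warning(fmt("WebSocket client %s subscribed to unexpected topic %s",
                                  endpoint$id, t));
    }
}

event Cluster::websocket_client_lost(endpoint: Cluster::EndpointInfo)
{
    if ( endpoint$id in clients )
    {
        print fmt("websocket client %s lost", endpoint$id);
        delete clients[endpoint$id];
    }
}
```

Subscriptions are fixed at handshake time (the event delivers them once), so the check at connect time covers everything the client can receive for the lifetime of that connection.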
Zeek::ConnSize
Connection size analyzer
Components
Events
- conn_bytes_threshold_crossed
- Type: event (c: connection, threshold: count, is_orig: bool)
Generated for a connection that crossed a set byte threshold. Note that this is a low-level event that should usually be avoided in user code; use ConnThreshold::bytes_threshold_crossed instead.
- Parameters:
c – the connection
threshold – the threshold that was set
is_orig – true if the threshold was crossed by the originator of the connection
See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- conn_packets_threshold_crossed
- Type: event (c: connection, threshold: count, is_orig: bool)
Generated for a connection that crossed a set packet threshold. Note that this is a low-level event that should usually be avoided in user code; use ConnThreshold::packets_threshold_crossed instead.
- Parameters:
c – the connection
threshold – the threshold that was set
is_orig – true if the threshold was crossed by the originator of the connection
See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- conn_duration_threshold_crossed
- Type: event (c: connection, threshold: interval, is_orig: bool)
Generated for a connection that crossed a set duration threshold. Note that this is a low-level event that should usually be avoided in user code; use ConnThreshold::duration_threshold_crossed instead.
Note that this event is not raised at the exact moment the duration threshold is crossed; it is raised when the next packet is seen after the threshold has been crossed. On an idle connection this can be significantly later.
- Parameters:
c – the connection
threshold – the threshold that was set
is_orig – true if the threshold was crossed by the originator of the connection
See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
Functions
- set_current_conn_bytes_threshold
-
Sets the current byte threshold for connection sizes, overwriting any existing threshold. In nearly every case you will want to use the high-level API instead (ConnThreshold::set_bytes_threshold).
- Parameters:
cid – The connection id.
threshold – Threshold in bytes.
is_orig – If true, the threshold is set for bytes from the originator, otherwise for bytes from the responder.
See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- set_current_conn_packets_threshold
-
Sets a threshold for connection packets, overwriting any existing threshold. In nearly every case you will want to use the high-level API instead (ConnThreshold::set_packets_threshold).
- Parameters:
cid – The connection id.
threshold – Threshold in packets.
is_orig – If true, the threshold is set for packets from the originator, otherwise for packets from the responder.
See also: set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- set_current_conn_duration_threshold
-
Sets the current duration threshold for a connection, overwriting any existing threshold. In nearly every case you will want to use the high-level API instead (ConnThreshold::set_duration_threshold).
- Parameters:
cid – The connection id.
threshold – Threshold in seconds.
See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, get_current_conn_duration_threshold
- get_current_conn_bytes_threshold
-
Gets the current byte threshold for a connection.
- Parameters:
cid – The connection id.
is_orig – If true, the threshold of the originator, otherwise the threshold of the responder.
- Returns:
0 if no threshold is set, otherwise the threshold in bytes
See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- get_current_conn_packets_threshold
-
Gets the current packet threshold for a connection.
- Parameters:
cid – The connection id.
is_orig – If true, the threshold of the originator, otherwise the threshold of the responder.
- Returns:
0 if no threshold is set, otherwise the threshold in packets
See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold
- get_current_conn_duration_threshold
-
Gets the current duration threshold for a connection.
- Parameters:
cid – The connection id.
- Returns:
0 if no threshold is set, otherwise the threshold in seconds
See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold, set_current_conn_duration_threshold
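The reference repeatedly points at the high-level ConnThreshold API rather than the raw functions above. The following added example (not from Zeek's own scripts) uses that API the way an exfiltration watch would: for each internal-to-external connection it arms an escalating series of originator byte thresholds and a duration threshold, and raises notices as each is crossed. It assumes the ConnThreshold functions and events from base/protocols/conn/thresholds.zeek with the signatures shown (set_bytes_threshold(c, threshold, is_orig), set_duration_threshold(c, threshold), and the matching *_threshold_crossed events), and that Site::local_nets is configured; the threshold values are illustrative.

```zeek
# Added example: escalating upload-size and long-lived-connection notices
# built on the ConnThreshold API (assumed signatures, see lead-in).
@load base/protocols/conn
@load base/frameworks/notice
@load base/utils/site

module ExfilWatch;

export {
    redef enum Notice::Type += {
        ## An internal host sent more than a threshold of bytes to an external host.
        Large_Upload,
        ## A connection stayed open longer than the configured interval.
        Long_Lived_Connection,
    };

    ## Originator byte thresholds at which to notice, in increasing order (illustrative).
    const upload_steps: vector of count = vector(10000000, 100000000, 1000000000) &redef;

    ## Duration after which a connection is reported (illustrative).
    const long_lived: interval = 12hr &redef;
}

event connection_established(c: connection)
{
    # Only watch internal originators talking to external responders.
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;

    ConnThreshold::set_bytes_threshold(c, upload_steps[0], T);
    ConnThreshold::set_duration_threshold(c, long_lived);
}

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
{
    # Only originator bytes matter for an upload watch.
    if ( ! is_orig )
        return;

    NOTICE([$note=Large_Upload, $conn=c,
            $msg=fmt("%s sent more than %d bytes to %s", c$id$orig_h, threshold, c$id$resp_h)]);

    # A crossed threshold is consumed; re-arm at the next step so continued
    # growth of the same connection is still reported.
    for ( i in upload_steps )
    {
        if ( upload_steps[i] > threshold )
        {
            ConnThreshold::set_bytes_threshold(c, upload_steps[i], T);
            break;
        }
    }
}

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval)
{
    NOTICE([$note=Long_Lived_Connection, $conn=c,
            $msg=fmt("%s <-> %s open for more than %s", c$id$orig_h, c$id$resp_h, threshold)]);
}
```

Because duration thresholds are only checked when the next packet arrives, a connection that goes quiet right after the 12-hour mark will not produce Long_Lived_Connection until it sends traffic again; byte thresholds do not have that lag.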
Zeek::DCE_RPC
DCE-RPC analyzer
Components
Options/Constants
- DCE_RPC::max_cmd_reassembly
-
The maximum number of simultaneously fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.
- DCE_RPC::max_frag_data
-
The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before it generates a weird and skips further input.
Types
- DCE_RPC::PType
- Type: enum
- DCE_RPC::REQUEST
- DCE_RPC::PING
- DCE_RPC::RESPONSE
- DCE_RPC::FAULT
- DCE_RPC::WORKING
- DCE_RPC::NOCALL
- DCE_RPC::REJECT
- DCE_RPC::ACK
- DCE_RPC::CL_CANCEL
- DCE_RPC::FACK
- DCE_RPC::CANCEL_ACK
- DCE_RPC::BIND
- DCE_RPC::BIND_ACK
- DCE_RPC::BIND_NAK
- DCE_RPC::ALTER_CONTEXT
- DCE_RPC::ALTER_CONTEXT_RESP
- DCE_RPC::AUTH3
- DCE_RPC::SHUTDOWN
- DCE_RPC::CO_CANCEL
- DCE_RPC::ORPHANED
- DCE_RPC::RTS
Events
- dce_rpc_message
- Type: event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)
Generated for every DCE-RPC message.
- Parameters:
c – The connection.
is_orig – True if the message was sent by the originator of the TCP connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
ptype_id – Numeric value of the PDU type (PTYPE) of the message.
ptype – Enum representation of the PDU type of the message.
See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response
- dce_rpc_bind
- Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
Generated for every DCE-RPC bind request message. Since a single bind can request presentation contexts for multiple interfaces (endpoints), this event can occur multiple times for a single RPC message.
- Parameters:
c – The connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
uuid – The UUID of the interface (endpoint) being requested, as a string.
ver_major – The major version of the endpoint being requested.
ver_minor – The minor version of the endpoint being requested.
See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response
- dce_rpc_alter_context
- Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
Generated for every DCE-RPC alter context request message. Since a single alter context request can cover multiple interfaces (endpoints), this event can occur multiple times for a single RPC message.
- Parameters:
c – The connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
uuid – The UUID of the interface (endpoint) being requested, as a string.
ver_major – The major version of the endpoint being requested.
ver_minor – The minor version of the endpoint being requested.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp
- dce_rpc_bind_ack
- Type: event (c: connection, fid: count, sec_addr: string)
Generated for every DCE-RPC bind acknowledgement (bind_ack) message.
- Parameters:
c – The connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
sec_addr – Secondary address for the ack.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response
- dce_rpc_alter_context_resp
- Type: event (c: connection, fid: count)
Generated for every DCE-RPC alter context response message.
- Parameters:
c – The connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context
- dce_rpc_request
-
Generated for every DCE-RPC request message.
- Parameters:
c – The connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
opnum – Number of the RPC operation.
stub_len – Length of the data for the request.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response, dce_rpc_request_stub
- dce_rpc_response
-
Generated for every DCE-RPC response message.
- Parameters:
c – The connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
opnum – Number of the RPC operation.
stub_len – Length of the data for the response.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response_stub
- dce_rpc_request_stub
-
Generated for every DCE-RPC request message, carrying the request's stub data.
- Parameters:
c – The connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
opnum – Number of the RPC operation.
stub – The data for the request.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response_stub, dce_rpc_request
- dce_rpc_response_stub
-
Generated for every DCE-RPC response message, carrying the response's stub data.
- Parameters:
c – The connection.
fid – File ID of the pipe that carried the DCE-RPC message. Zero is used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
opnum – Number of the RPC operation.
stub – The data for the response.
See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request_stub, dce_rpc_response
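The bind and request events together are enough to watch for the RPC interfaces and operations that lateral movement and credential theft rely on. The following added example (not from Zeek's own scripts) records the interface UUID per presentation context at bind or alter-context time, then matches each request's context id and opnum against a watch list. The two UUIDs and opnums are supplied here from the MS-SCMR (svcctl: CreateServiceW is opnum 12) and MS-DRSR (drsuapi: DRSGetNCChanges is opnum 3) specifications, not from this page; the dce_rpc_request signature is assumed to be (c, fid, ctx_id, opnum, stub_len) as its parameter list above indicates.

```zeek
# Added example: notice binds to, and sensitive calls on, selected DCE-RPC
# interfaces. UUIDs and opnums supplied from MS-SCMR / MS-DRSR, not from the page.
@load base/frameworks/notice

module RPCWatch;

export {
    redef enum Notice::Type += {
        ## A client bound to an interface on the watch list.
        Sensitive_Interface_Bind,
        ## A client invoked an operation on the watch list.
        Sensitive_Operation,
    };

    ## Interface UUID (lower-case) -> short name.
    const watched_ifaces: table[string] of string = {
        ["367abb81-9844-35f1-ad32-98f038001003"] = "svcctl",
        ["e3514235-4b06-11d1-ab04-00c04fc2dcd2"] = "drsuapi",
    } &redef;

    ## (interface name, opnum) -> operation name.
    const watched_ops: table[string, count] of string = {
        ["svcctl", 12] = "CreateServiceW",
        ["drsuapi", 3] = "DRSGetNCChanges",
    } &redef;
}

# Per-connection map of presentation context id -> watched interface name.
redef record connection += {
    rpc_ctx: table[count] of string &optional;
};

function record_context(c: connection, ctx_id: count, uuid: string,
                        ver_major: count, ver_minor: count)
{
    local u = to_lower(uuid);
    if ( u !in watched_ifaces )
        return;

    if ( ! c?$rpc_ctx )
        c$rpc_ctx = table();
    c$rpc_ctx[ctx_id] = watched_ifaces[u];

    NOTICE([$note=Sensitive_Interface_Bind, $conn=c,
            $msg=fmt("%s bound to %s v%d.%d on %s", c$id$orig_h,
                     watched_ifaces[u], ver_major, ver_minor, c$id$resp_h),
            $identifier=cat(c$id$orig_h, c$id$resp_h, u),
            $suppress_for=10min]);
}

event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string,
                   ver_major: count, ver_minor: count)
{
    record_context(c, ctx_id, uuid, ver_major, ver_minor);
}

# Contexts can also be added after the initial bind, so track those too.
event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string,
                            ver_major: count, ver_minor: count)
{
    record_context(c, ctx_id, uuid, ver_major, ver_minor);
}

event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
{
    if ( ! c?$rpc_ctx || ctx_id !in c$rpc_ctx )
        return;

    local iface = c$rpc_ctx[ctx_id];
    if ( [iface, opnum] !in watched_ops )
        return;

    NOTICE([$note=Sensitive_Operation, $conn=c,
            $msg=fmt("%s called %s::%s (opnum %d, %d stub bytes) on %s", c$id$orig_h,
                     iface, watched_ops[iface, opnum], opnum, stub_len, c$id$resp_h),
            $identifier=cat(c$id$orig_h, c$id$resp_h, iface, opnum),
            $suppress_for=10min]);
}
```

The context map is needed because a request PDU names only ctx_id and opnum; without remembering which interface each context was bound to, opnum 3 on one connection cannot be told apart from opnum 3 on another. A bind_nak or a rejected context in the bind_ack is not handled here, so a request on a context the server refused would still match; the base DCE-RPC scripts track that state more completely.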
Zeek::DHCP
DHCP analyzer
Components
Types
- DHCP::Msg
- Type: record
- op: count
Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
- m_type: count
The type of DHCP message.
- xid: count
Transaction ID of a DHCP session.
- secs: interval
Number of seconds since the client began the address acquisition or renewal process.
- flags: count
- ciaddr: addr
Original IP address of the client.
- yiaddr: addr
IP address assigned to the client.
- siaddr: addr
IP address of the server.
- giaddr: addr
IP address of the relaying gateway.
- chaddr: string
Client hardware address.
- sname: string &default="" &optional
Server host name.
- file_n: string &default="" &optional
Boot file name.
A DHCP message.
See also:
dhcp_message
- DHCP::Addrs
-
A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.
See also:
dhcp_message
- DHCP::SubOpt
-
DHCP Relay Agent Information Option (Option 82)
See also:
dhcp_message
- DHCP::SubOpts
- Type:
- DHCP::ClientFQDN
- Type:
DHCP Client FQDN Option information (Option 81)
- DHCP::ClientID
-
DHCP Client Identifier (Option 61)
See also:
dhcp_message
- DHCP::Options
- Type: record
- options: index_vec &optional
The ordered list of all DHCP option numbers.
- subnet_mask: addr &optional
Subnet Mask Value (option 1)
- routers: DHCP::Addrs &optional
Router addresses (option 3)
- dns_servers: DHCP::Addrs &optional
DNS Server addresses (option 6)
- host_name: string &optional
The Hostname of the client (option 12)
- domain_name: string &optional
The DNS domain name of the client (option 15)
- forwarding: bool &optional
Enable/Disable IP Forwarding (option 19)
- broadcast: addr &optional
Broadcast Address (option 28)
- vendor: string &optional
Vendor specific data. This can frequently be unparsed binary data. (option 43)
- nbns: DHCP::Addrs &optional
NETBIOS name server list (option 44)
- addr_request: addr &optional
Address requested by the client (option 50)
- lease: interval &optional
Lease time offered by the server. (option 51)
- serv_addr: addr &optional
Server address to allow clients to distinguish between lease offers. (option 54)
- param_list: index_vec &optional
DHCP Parameter Request list (option 55)
- message: string &optional
Textual error message (option 56)
- max_msg_size: count &optional
Maximum Message Size (option 57)
- renewal_time: interval &optional
This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)
- rebinding_time: interval &optional
This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)
- vendor_class: string &optional
This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)
- client_id: DHCP::ClientID &optional
DHCP Client Identifier (Option 61)
- user_class: string &optional
User Class opaque value (Option 77)
- client_fqdn: DHCP::ClientFQDN &optional
DHCP Client FQDN (Option 81)
- sub_opt: DHCP::SubOpts &optional
DHCP Relay Agent Information Option (Option 82)
- auto_config: bool &optional
Auto Config option to let the host know if it is allowed to auto-assign an IP address. (Option 116)
- auto_proxy_config: string &optional
URL to find a proxy.pac for auto proxy config (Option 252)
- time_offset: int &optional
The offset of the client's subnet in seconds from UTC. (Option 2)
- time_servers: DHCP::Addrs &optional
A list of RFC 868 time servers available to the client. (Option 4)
- name_servers: DHCP::Addrs &optional
A list of IEN 116 name servers available to the client. (Option 5)
- ntp_servers: DHCP::Addrs &optional
A list of IP addresses indicating NTP servers available to the client. (Option 42)
Events
- dhcp_message
- Type:
event
(c:connection
, is_orig:bool
, msg:DHCP::Msg
, options:DHCP::Options
)
Generated for all DHCP messages.
- Parameters:
c – The connection record describing the underlying UDP flow.
is_orig – True if the message was sent by the originator/client of the UDP flow, false if it came from the responder/server.
msg – The parsed type-independent part of the DHCP message. The message type is indicated in this record.
options – The full set of supported and parsed DHCP options.
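Rogue-DHCP detection is the most common reason to handle this event directly. The following script is an added example, not part of Zeek's own DHCP scripts: it raises a notice for OFFER/ACK messages whose server is not on an allowlist, and separately when the server identifier (option 54) contradicts the sending address on a non-relayed message. The addresses in `authorized_servers` are placeholders; the message-type values are the standard RFC 2132 ones.

```zeek
##! Added example (not from the Zeek project): flag DHCP OFFER/ACK messages
##! from servers that are not approved, or whose option 54 looks forged.
##! Server addresses below are placeholders; set them for your network.

@load base/frameworks/notice
@load base/protocols/dhcp

module RogueDHCP;

export {
	redef enum Notice::Type += {
		## A lease was offered or acknowledged by an unapproved server,
		## or the server identifier did not match the sending address.
		Unauthorized_Server,
	};

	## Approved DHCP servers (placeholder values).
	const authorized_servers: set[addr] = { 192.0.2.1, 192.0.2.2 } &redef;
}

## Message types that carry a server's lease decision (RFC 2132 values).
const OFFER = 2;
const ACK = 5;
const type_names: table[count] of string = { [OFFER] = "OFFER", [ACK] = "ACK" };

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	if ( msg$m_type != OFFER && msg$m_type != ACK )
		return;

	# Broadcast replies may appear on either side of the UDP flow, so pick
	# the sender by is_orig rather than assuming the server is the responder.
	local sender = is_orig ? c$id$orig_h : c$id$resp_h;

	# Prefer option 54 (server identifier): relay agents rewrite the IP
	# header but leave DHCP options intact. Fall back to the sender.
	local server = options?$serv_addr ? options$serv_addr : sender;

	# Without a relay (giaddr unset) the identifier should equal the sending
	# address; a mismatch suggests a forged option 54.
	local forged = options?$serv_addr && msg$giaddr == 0.0.0.0 && sender != server;

	if ( server in authorized_servers && ! forged )
		return;

	NOTICE([$note=Unauthorized_Server,
	        $msg=fmt("DHCP %s from %s (server id %s%s): lease %s for client %s, xid %x",
	                 type_names[msg$m_type], sender, server,
	                 forged ? ", mismatch" : "", msg$yiaddr, msg$chaddr, msg$xid),
	        $conn=c,
	        $identifier=cat(server, msg$chaddr)]);
	}
```

Run it with `zeek -r capture.pcap rogue-dhcp.zeek` against a packet capture, or drop it into `local.zeek` on a sensor that sees the client VLANs. An attacker who also spoofs option 54 to a legitimate server's address defeats the allowlist check but not the mismatch check, and neither replaces DHCP snooping on the access switches, which blocks the rogue reply instead of only reporting it.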
Zeek::DNP3
DNP3 UDP/TCP analyzers
Components
Events
- dnp3_application_request_header
- Type:
event
(c:connection
, is_orig:bool
, application:count
, fc:count
)
Generated for a DNP3 request header.
- Parameters:
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
application – application control field of the request header (sequence number and the FIR/FIN/CON/UNS flags).
fc – function code.
- dnp3_application_response_header
-
Generated for a DNP3 response header.
- Parameters:
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
fc – function code.
iin – internal indication number.
- dnp3_object_header
- Type:
event
(c:connection
, is_orig:bool
, obj_type:count
, qua_field:count
, number:count
, rf_low:count
, rf_high:count
)
Generated for the object header found in both DNP3 requests and responses.
- Parameters:
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
obj_type – type of object, which is classified based on an 8-bit group number and an 8-bit variation number.
qua_field – qualifier field.
number – TODO.
rf_low – the layout of the range field depends on the qualifier field. In some cases the range field has only one logical part, e.g., the number of objects, so only rf_low carries a useful value.
rf_high – in other cases the range field has two logical parts, e.g., a start index and a stop index; then rf_low holds the start index and rf_high the stop index.
- dnp3_object_prefix
- Type:
event
(c:connection
, is_orig:bool
, prefix_value:count
)
Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.
- Parameters:
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
prefix_value – The prefix.
- dnp3_header_block
- Type:
event
(c:connection
, is_orig:bool
, len:count
, ctrl:count
, dest_addr:count
, src_addr:count
)
Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).
- Parameters:
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
len – the “length” field in the DNP3 Pseudo Link Layer.
ctrl – the “control” field in the DNP3 Pseudo Link Layer.
dest_addr – the “destination” field in the DNP3 Pseudo Link Layer.
src_addr – the “source” field in the DNP3 Pseudo Link Layer.
- dnp3_response_data_object
- Type:
event
(c:connection
, is_orig:bool
, data_value:count
)
Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.
- Parameters:
c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
data_value – The value for those objects that carry their information here directly.
- dnp3_attribute_common
- Type:
event
(c:connection
, is_orig:bool
, data_type_code:count
, leng:count
, attribute_obj:string
)
Generated for DNP3 attributes.
- dnp3_crob
- Type:
event
(c:connection
, is_orig:bool
, control_code:count
, count8:count
, on_time:count
, off_time:count
, status_code:count
)
Generated for DNP3 objects with group number 12 and variation number 1 (CROB, control relay output block).
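The request header and CROB events above are what a monitor needs to see who is issuing commands to an outstation. The script below is an added example, not the Zeek project's own code: it raises a notice for state-changing application-layer requests (select/operate/restart and similar) and for CROB objects when the TCP originator is not an approved master. The master address is a placeholder; the function-code numbers and the CROB control-code layout are the standard DNP3 (IEEE 1815) ones.

```zeek
##! Added example (not from the Zeek project): notice DNP3 control requests
##! and CROB objects from hosts that are not approved master stations.
##! The approved-master address is a placeholder.

@load base/frameworks/notice
@load base/protocols/dnp3

module DNP3Control;

export {
	redef enum Notice::Type += {
		## A state-changing DNP3 request from a non-approved master.
		Unapproved_Control,
	};

	## Approved master stations (placeholder; set per site).
	const approved_masters: set[addr] = { 192.0.2.10 } &redef;

	## Application-layer function codes that alter outstation state
	## (standard DNP3 values).
	const control_fcs: table[count] of string = {
		[2]  = "WRITE",
		[3]  = "SELECT",
		[4]  = "OPERATE",
		[5]  = "DIRECT_OPERATE",
		[6]  = "DIRECT_OPERATE_NR",
		[13] = "COLD_RESTART",
		[14] = "WARM_RESTART",
		[18] = "STOP_APPL",
		[21] = "DISABLE_UNSOLICITED",
	} &redef;
}

## CROB operation types carried in the low nibble of the control code.
const crob_ops: table[count] of string = {
	[0] = "NUL", [1] = "PULSE_ON", [2] = "PULSE_OFF", [3] = "LATCH_ON", [4] = "LATCH_OFF",
};

## Function code of the latest request per connection, so a CROB can be
## reported together with the operation that carried it.
global last_fc: table[conn_id] of count &write_expire=1min;

function fc_name(fc: count): string
	{
	return fc in control_fcs ? control_fcs[fc] : fmt("fc-%d", fc);
	}

## Decode a CROB control code: op type in bits 0-3, trip/close in bits 6-7.
function crob_op(control_code: count): string
	{
	local op = control_code % 16;
	local tcc = (control_code / 64) % 4;
	local s = op in crob_ops ? crob_ops[op] : fmt("op-%d", op);
	if ( tcc == 1 )
		s = s + "/CLOSE";
	else if ( tcc == 2 )
		s = s + "/TRIP";
	return s;
	}

event dnp3_application_request_header(c: connection, is_orig: bool,
                                      application: count, fc: count)
	{
	last_fc[c$id] = fc;

	if ( fc !in control_fcs || c$id$orig_h in approved_masters )
		return;

	NOTICE([$note=Unapproved_Control,
	        $msg=fmt("DNP3 %s from non-approved master %s to outstation %s",
	                 control_fcs[fc], c$id$orig_h, c$id$resp_h),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, fc)]);
	}

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
	{
	# CROBs in responses only echo the request with a status code; the
	# request-side object (master -> outstation) is the actual command.
	if ( ! is_orig || c$id$orig_h in approved_masters )
		return;

	local fc = c$id in last_fc ? fc_name(last_fc[c$id]) : "unknown-fc";

	NOTICE([$note=Unapproved_Control,
	        $msg=fmt("DNP3 CROB %s (count %d, on %d ms, off %d ms) via %s from %s to %s",
	                 crob_op(control_code), count8, on_time, off_time,
	                 fc, c$id$orig_h, c$id$resp_h),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, "crob", control_code)]);
	}
```

Zeek's dnp3.log already records the request and reply function codes per connection; this adds the authorization context (who is allowed to operate) and the decoded CROB, which the log does not carry. A READ from an unknown host is deliberately not flagged here, so reconnaissance needs its own rule.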
- dnp3_pcb
- Type:
event
(c:connection
, is_orig:bool
, control_code:count
, count8:count
, on_time:count
, off_time:count
, status_code:count
)
Generated for DNP3 objects with group number 12 and variation number 2 (PCB, pattern control block).
- dnp3_counter_32wFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, count_value:count
)
Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag
- dnp3_counter_16wFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, count_value:count
)
Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag
- dnp3_counter_32woFlag
- Type:
event
(c:connection
, is_orig:bool
, count_value:count
)
Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag
- dnp3_counter_16woFlag
- Type:
event
(c:connection
, is_orig:bool
, count_value:count
)
Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag
- dnp3_frozen_counter_32wFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, count_value:count
)
Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag
- dnp3_frozen_counter_16wFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, count_value:count
)
Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag
- dnp3_frozen_counter_32wFlagTime
-
Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time
- dnp3_frozen_counter_16wFlagTime
-
Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time
- dnp3_frozen_counter_32woFlag
- Type:
event
(c:connection
, is_orig:bool
, count_value:count
)
Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag
- dnp3_frozen_counter_16woFlag
- Type:
event
(c:connection
, is_orig:bool
, count_value:count
)
Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag
- dnp3_analog_input_32wFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag
- dnp3_analog_input_16wFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag
- dnp3_analog_input_32woFlag
- Type:
event
(c:connection
, is_orig:bool
, value:count
)
Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag
- dnp3_analog_input_16woFlag
- Type:
event
(c:connection
, is_orig:bool
, value:count
)
Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag
- dnp3_analog_input_SPwFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, float point with flag
- dnp3_analog_input_DPwFlag
-
Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, float point with flag
- dnp3_frozen_analog_input_32wFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag
- dnp3_frozen_analog_input_16wFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag
- dnp3_frozen_analog_input_32wTime
-
Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze
- dnp3_frozen_analog_input_16wTime
-
Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze
- dnp3_frozen_analog_input_32woFlag
- Type:
event
(c:connection
, is_orig:bool
, frozen_value:count
)
Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag
- dnp3_frozen_analog_input_16woFlag
- Type:
event
(c:connection
, is_orig:bool
, frozen_value:count
)
Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag
- dnp3_frozen_analog_input_SPwFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, float point with flag
- dnp3_frozen_analog_input_DPwFlag
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
)
Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, float point with flag
- dnp3_analog_input_event_32woTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time
- dnp3_analog_input_event_16woTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time
- dnp3_analog_input_event_32wTime
-
Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time
- dnp3_analog_input_event_16wTime
-
Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time
- dnp3_analog_input_event_SPwoTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, value:count
)
Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision float point without time
- dnp3_analog_input_event_DPwoTime
-
Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision float point without time
- dnp3_analog_input_event_SPwTime
-
Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision float point with time
- dnp3_analog_input_event_DPwTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, value_low:count
, value_high:count
, time48:count
)
Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precision float point with time
- dnp3_frozen_analog_input_event_32woTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time
- dnp3_frozen_analog_input_event_16woTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time
- dnp3_frozen_analog_input_event_32wTime
-
Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time
- dnp3_frozen_analog_input_event_16wTime
-
Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time
- dnp3_frozen_analog_input_event_SPwoTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value:count
)
Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision float point without time
- dnp3_frozen_analog_input_event_DPwoTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
)
Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision float point without time
- dnp3_frozen_analog_input_event_SPwTime
-
Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision float point with time
- dnp3_frozen_analog_input_event_DPwTime
- Type:
event
(c:connection
, is_orig:bool
, flag:count
, frozen_value_low:count
, frozen_value_high:count
, time48:count
)
Generated for DNP3 objects with the group number 33 and variation number 8 frozen analog input event double-precision float point with time
- dnp3_file_transport
-
Generated for DNP3 objects with group number 70 (file transport).
- dnp3_debug_byte
- Type:
event
(c:connection
, is_orig:bool
, debug:string
)
Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for “cases” the parser does not recognize. The raw byte string lets you inspect which part of a malformed or unexpected packet the analyzer could not parse.
Zeek::DNS
DNS analyzer
Components
Events
- dns_message
- Type:
event
(c:connection
, is_orig:bool
, msg:dns_msg
, len:count
)
Generated for all DNS messages.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
is_orig – True if the message was sent by the originator of the connection.
msg – The parsed DNS message header.
len – The length of the message’s raw representation (i.e., the DNS payload).
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_request
- Type:
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
, original_query:string
)
- Type:
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
)
Generated for DNS requests. For requests with multiple queries, this event is raised once for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name (normalized to all lowercase).
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
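Because this event fires once per question with the name already parsed, it is the natural place for query-name heuristics. The script below is an added example, not part of Zeek's DNS scripts: it scores each request for signs of DNS tunneling or exfiltration (very long names, many labels, high-entropy subdomains, and tunnel-friendly record types combined with a long subdomain). Zeek accepts handlers written against either of the two prototypes listed above; this one uses the form with `original_query`. The thresholds and the query-type set are assumptions to tune per site, and the "registrable domain" is approximated as the last two labels.

```zeek
##! Added example (not from the Zeek project): heuristics over dns_request
##! for names that look like DNS tunneling or exfiltration. All thresholds
##! and the tunnel_qtypes set are assumptions to tune per environment.

@load base/frameworks/notice
@load base/protocols/dns

module DNSTunnel;

export {
	redef enum Notice::Type += {
		## A query name matched one or more tunneling heuristics.
		Suspicious_Query,
	};

	## Longest query name considered normal (assumed threshold).
	const max_query_len = 100 &redef;
	## Most labels considered normal (assumed threshold).
	const max_labels = 8 &redef;
	## Shannon entropy (bits per character) above which a subdomain
	## looks encoded rather than human-chosen (assumed threshold).
	const entropy_limit = 4.0 &redef;
	## Record types commonly abused to carry tunnel data: CNAME(5),
	## NULL(10), MX(15), TXT(16). Values are the standard DNS type numbers.
	const tunnel_qtypes: set[count] = { 5, 10, 15, 16 } &redef;
}

## Everything left of the registrable domain, approximated as the last two
## labels; a public-suffix list would be more precise.
function subdomain_part(name: string): string
	{
	local labels = split_string(name, /\./);
	local sub = "";
	for ( i in labels )
		{
		if ( i + 2 < |labels| )
			sub = sub + labels[i];
		}
	return sub;
	}

## The last two labels, used to suppress repeated notices per domain.
function registrable_part(name: string): string
	{
	local labels = split_string(name, /\./);
	if ( |labels| < 2 )
		return name;
	return labels[|labels| - 2] + "." + labels[|labels| - 1];
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
                  qclass: count, original_query: string)
	{
	local reasons: vector of string = vector();
	local nlabels = |split_string(query, /\./)|;
	local sub = subdomain_part(query);

	if ( |query| > max_query_len )
		reasons[|reasons|] = fmt("length %d", |query|);

	if ( nlabels > max_labels )
		reasons[|reasons|] = fmt("%d labels", nlabels);

	# Entropy is only meaningful over a reasonably long sample.
	if ( |sub| >= 32 )
		{
		local ent = find_entropy(sub)$entropy;
		if ( ent > entropy_limit )
			reasons[|reasons|] = fmt("entropy %.2f over %d chars", ent, |sub|);

		# A tunnel-friendly type plus a long subdomain is stronger evidence
		# than either signal alone.
		if ( qtype in tunnel_qtypes )
			reasons[|reasons|] = fmt("qtype %d with %d-char subdomain", qtype, |sub|);
		}

	if ( |reasons| == 0 )
		return;

	NOTICE([$note=Suspicious_Query,
	        $msg=fmt("%s -> %s: %s (%s)", c$id$orig_h, c$id$resp_h,
	                 original_query, join_string_vec(reasons, "; ")),
	        $conn=c,
	        # One notice per client and domain, not per individual query,
	        # since a tunnel generates thousands of distinct names.
	        $identifier=cat(c$id$orig_h, registrable_part(query))]);
	}
```

Expect false positives from CDNs, anti-spam lookups and some EDR products, all of which legitimately use long machine-generated names; whitelist their registrable domains before trusting the notice. The `find_entropy` call is Zeek's built-in entropy test, so no extra package is needed.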
- dns_rejected
- Type:
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
, original_query:string
)
- Type:
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
)
Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name (normalized to all lowercase).
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
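Since this event carries no correlation with the query, the useful thing to do with it is to count. The script below is an added example, not part of Zeek's own scripts: it counts NXDOMAIN replies per client within a window and raises a notice once at a threshold, a simple signal for DGA-style malware or hostname brute forcing. The threshold and window are assumptions; the rcode value 3 (name error) is the standard one.

```zeek
##! Added example (not from the Zeek project): per-client NXDOMAIN counting
##! over dns_rejected. Threshold and window are assumptions to tune locally.

@load base/frameworks/notice
@load base/protocols/dns

module NXBurst;

export {
	redef enum Notice::Type += {
		## A client received an unusual number of NXDOMAIN replies.
		NXDOMAIN_Burst,
	};

	## Replies per window that trigger a notice (assumed threshold).
	const threshold = 100 &redef;
	## Counting window; entries age out this long after creation.
	const nx_window = 5min &redef;
}

## NXDOMAIN replies seen per client address within the current window.
global nx_count: table[addr] of count &create_expire=nx_window;

event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count,
                   qclass: count, original_query: string)
	{
	# rcode 3 is NXDOMAIN. Other rejections (REFUSED, SERVFAIL) say more
	# about the resolver than about the client and are not counted here.
	if ( msg$rcode != 3 )
		return;

	# The reply flows server -> client, so the client is the flow originator.
	local client = c$id$orig_h;

	if ( client !in nx_count )
		nx_count[client] = 0;
	++nx_count[client];

	# Fire exactly once per window, at the moment the threshold is crossed.
	if ( nx_count[client] != threshold )
		return;

	NOTICE([$note=NXDOMAIN_Burst,
	        $msg=fmt("%s received %d NXDOMAIN replies within %s (latest: %s)",
	                 client, threshold, nx_window, original_query),
	        $conn=c,
	        $identifier=cat(client)]);
	}
```

In a Zeek cluster each worker keeps its own `nx_count`, so a client whose traffic is load-balanced across workers is under-counted; use the SumStats framework for cluster-wide thresholds. Also note that a recursive resolver in front of the clients makes the resolver, not the real client, the originator that gets counted.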
- dns_query_reply
- Type:
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
, original_query:string
)
- Type:
event
(c:connection
, msg:dns_msg
, query:string
, qtype:count
, qclass:count
)
Generated for each entry in the Question section of a DNS reply.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name.
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_A_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, a:addr
)
Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.
See also:
dns_AAAA_reply
,dns_A6_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_AAAA_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, a:addr
)
Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.
See also:
dns_A_reply
,dns_A6_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_A6_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, a:addr
)
Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.
See also:
dns_A_reply
,dns_AAAA_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_NS_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, name:string
)
Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_CNAME_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, name:string
)
Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_PTR_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, name:string
)
Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_SOA_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, soa:dns_soa
)
Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
soa – The parsed SOA value.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_WKS_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
)
Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_HINFO_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, cpu:string
, os:string
)
Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
cpu – The CPU string from the HINFO record.
os – The operating-system string from the HINFO record.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_MX_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, name:string
, preference:count
)
Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
preference – The preference for name specified by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_TXT_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, strs:string_vec
)
Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
strs – The textual information returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_SPF_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, strs:string_vec
)
Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
strs – The textual information returned by the reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_CAA_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, flags:count
, tag:string
, value:string
)
Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
flags – The flags byte of the CAA reply.
tag – The property identifier of the CAA reply.
value – The property value of the CAA reply.
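CAA records are a policy statement about which CAs may issue for a name, so watching the answers for your own zones catches an unexpected or tampered policy. The script below is an added example, not part of Zeek's DNS scripts: it reports `issue`/`issuewild` records for monitored zones that authorize a CA outside an approved list, and any record carrying the issuer-critical flag with a tag outside the standard set. The zone and issuer names are placeholders; the flag bit and tag names follow RFC 6844 as cited above.

```zeek
##! Added example (not from the Zeek project): watch CAA answers for owned
##! zones and notice unexpected issuers or unknown critical tags.
##! The monitored zone and approved issuers are placeholders.

@load base/frameworks/notice
@load base/protocols/dns

module CAAWatch;

export {
	redef enum Notice::Type += {
		## A CAA record for a monitored zone names an unapproved issuer.
		Unexpected_Issuer,
		## A CAA record carries the issuer-critical flag with an unknown tag.
		Unknown_Critical_Tag,
	};

	## Zones whose CAA policy we own (placeholder).
	const monitored_zones: set[string] = { "example.com" } &redef;
	## Issuer domains allowed in issue/issuewild values (placeholders).
	const approved_issuers: set[string] = { "letsencrypt.org", "digicert.com" } &redef;
}

## Return the monitored zone that owns the name, or "" if none does.
function zone_of(name: string): string
	{
	for ( z in monitored_zones )
		{
		if ( name == z || ends_with(name, "." + z) )
			return z;
		}
	return "";
	}

event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer,
                    flags: count, tag: string, value: string)
	{
	local owner = to_lower(ans$query);
	local zone = zone_of(owner);
	if ( zone == "" )
		return;

	local t = to_lower(tag);

	# Bit 7 of the flags byte is "issuer critical" (RFC 6844): a CA that does
	# not understand the tag must not issue. A critical tag outside the
	# standard set is worth a look, whether misconfiguration or tampering.
	if ( flags >= 128 && t !in set("issue", "issuewild", "iodef") )
		NOTICE([$note=Unknown_Critical_Tag,
		        $msg=fmt("CAA record for %s has critical tag %s=%s", owner, tag, value),
		        $conn=c,
		        $identifier=cat(owner, t)]);

	if ( t != "issue" && t != "issuewild" )
		return;

	# The issuer domain is the value up to the first ';'; parameters follow.
	# An empty issuer means "no CA may issue", which is a deliberate deny.
	local issuer = to_lower(strip(split_string1(value, /;/)[0]));
	if ( issuer == "" || issuer in approved_issuers )
		return;

	NOTICE([$note=Unexpected_Issuer,
	        $msg=fmt("CAA for %s (zone %s) authorizes %s via tag %s", owner, zone, issuer, t),
	        $conn=c,
	        $identifier=cat(owner, t, issuer)]);
	}
```

This only observes CAA answers that cross the sensor, typically lookups by internal ACME clients or by CAs during validation, so it complements rather than replaces a scheduled authoritative query of your own zone. A forged answer from an off-path attacker would still be reported here, which is the point: the record a CA actually received is what matters.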
- dns_SRV_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, target:string
, priority:count
, weight:count
, p:count
)
Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
target – Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.
priority – Priority of the SRV response – the priority of the target host, lower value means more preferred.
weight – Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred.
p – Port of the SRV response – the TCP or UDP port on which the service is to be found.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
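The fields documented above for dns_CAA_reply (flags, tag, value) and dns_SRV_reply (priority, weight, port, target) are exactly what the RDATA of those two record types carries on the wire. The parser below is an added example written for this page, not Zeek code or part of its documentation: it decodes constructed SRV and CAA RDATA into those fields, gives the SRV target the trailing dot the event documentation describes, and exposes the CAA issuer-critical bit (the most significant bit of the flags byte, RFC 6844). The names parse_srv, parse_caa, SrvRdata, CaaRdata and the sample byte strings are this example's own.

```python
"""Parse SRV and CAA RDATA into the fields Zeek's dns_SRV_reply and
dns_CAA_reply events expose. Added example; not Zeek's implementation."""
from __future__ import annotations

from dataclasses import dataclass

# RFC 6844: bit 0 (most significant) of the CAA flags byte is "issuer critical".
CAA_ISSUER_CRITICAL = 0x80


@dataclass(frozen=True)
class SrvRdata:
    priority: int
    weight: int
    port: int
    target: str  # canonical host name, ending in a dot, like the event's "target"


@dataclass(frozen=True)
class CaaRdata:
    flags: int
    tag: str
    value: str

    @property
    def issuer_critical(self) -> bool:
        return bool(self.flags & CAA_ISSUER_CRITICAL)


def decode_name(rdata: bytes, offset: int = 0) -> tuple[str, int]:
    """Decode an uncompressed DNS name at `offset`; return (name, end offset).

    Compression pointers (top two bits of a length byte set) refer back into
    the enclosing message, which a bare RDATA buffer does not carry, so they
    are rejected here instead of being followed.
    """
    labels = []
    pos = offset
    while True:
        if pos >= len(rdata):
            raise ValueError("name runs past end of RDATA")
        length = rdata[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not supported in bare RDATA")
        if pos + length > len(rdata):
            raise ValueError("label runs past end of RDATA")
        labels.append(rdata[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos  # root name decodes to "."


def parse_srv(rdata: bytes) -> SrvRdata:
    """SRV RDATA layout (RFC 2782): priority(2) weight(2) port(2) target(name)."""
    if len(rdata) < 7:
        raise ValueError("SRV RDATA too short")
    priority = int.from_bytes(rdata[0:2], "big")
    weight = int.from_bytes(rdata[2:4], "big")
    port = int.from_bytes(rdata[4:6], "big")
    target, end = decode_name(rdata, 6)
    if end != len(rdata):
        raise ValueError("trailing bytes after SRV target")
    return SrvRdata(priority, weight, port, target)


def parse_caa(rdata: bytes) -> CaaRdata:
    """CAA RDATA layout (RFC 6844): flags(1) tag_length(1) tag value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len]
    # RFC 6844 restricts tags to US-ASCII letters and digits.
    if not (tag.isascii() and tag.isalnum()):
        raise ValueError("CAA tag must be ASCII alphanumeric")
    value = rdata[2 + tag_len:].decode("utf-8", errors="replace")
    return CaaRdata(flags, tag.decode("ascii").lower(), value)


# Constructed sample RDATA for this example (not captured traffic).
SAMPLE_SRV = (
    (10).to_bytes(2, "big") + (60).to_bytes(2, "big") + (5060).to_bytes(2, "big")
    + b"\x03sip\x07example\x03com\x00"
)
SAMPLE_CAA = bytes([CAA_ISSUER_CRITICAL, 5]) + b"issue" + b"ca.example.net"
```

A handler that receives these fields from Zeek already has the decoding done; the parser is useful for checking what a given event should have produced, or for processing DNS records pulled from a source other than Zeek (a zone file or a packet capture) in the same shape.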
- dns_unknown_reply
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
)
Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_SRV_reply
,dns_end
- dns_EDNS_addl
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_edns_additional
)
Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The parsed EDNS reply.
Note
Note that this event will only be raised if dns_skip_all_addl is set to false.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_EDNS_ecs
- Type:
event
(c:connection
, msg:dns_msg
, opt:dns_edns_ecs
)
Generated for DNS replies of type EDNS. For replies with multiple options, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS option.
Note
Note that this event will only be raised if dns_skip_all_addl is set to false.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_EDNS_tcp_keepalive
- Type:
event
(c:connection
, msg:dns_msg
, opt:dns_edns_tcp_keepalive
)
Generated for DNS replies of type EDNS when an option field in the EDNS record has an opt-type of 11. For replies with multiple option fields, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. See RFC7828 for more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS Keepalive option.
Note
Note that this event will only be raised if dns_skip_all_addl is set to false.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_EDNS_cookie
- Type:
event
(c:connection
, msg:dns_msg
, opt:dns_edns_cookie
)
Generated for DNS replies of type EDNS when an option field in the EDNS record has an opt-type of 10. For replies with multiple option fields, an individual event is raised for each.
See Wikipedia for more information about the DNS protocol. See RFC7873 for more information about EDNS0 cookie. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS Cookie option.
Note
Note that this event will only be raised if dns_skip_all_addl is set to false.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_TKEY
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_tkey
)
Generated for DNS replies of type TKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. See RFC2930 for more information about TKEY. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The parsed TKEY reply.
Note
Note that ans will only be populated if dns_skip_all_addl is set to false.
See also:
dns_TSIG_addl
- dns_TSIG_addl
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_tsig_additional
)
Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The parsed TSIG reply.
Note
Note that this event will only be raised if dns_skip_all_addl is set to false.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_end
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
- dns_RRSIG
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, rrsig:dns_rrsig_rr
)
Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
rrsig – The parsed RRSIG record.
- dns_DNSKEY
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, dnskey:dns_dnskey_rr
)
Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
dnskey – The parsed DNSKEY record.
- dns_NSEC
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, next_name:string
, bitmaps:string_vec
)
Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
next_name – The parsed next secure domain name.
bitmaps – Vector of hex strings, one for each type bitmap present.
- dns_NSEC3
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, nsec3:dns_nsec3_rr
)
Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
nsec3 – The parsed RDATA of the NSEC3 record.
- dns_NSEC3PARAM
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, nsec3param:dns_nsec3param_rr
)
Generated for DNS replies of type NSEC3PARAM. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
nsec3param – The parsed RDATA of the NSEC3PARAM record.
- dns_DS
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, ds:dns_ds_rr
)
Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
ds – The parsed RDATA of the DS record.
- dns_BINDS
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, binds:dns_binds_rr
)
Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
binds – The parsed RDATA of the BIND-Signing state record.
- dns_SSHFP
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, algo:count
, fptype:count
, fingerprint:string
)
Generated for DNS replies of type SSHFP. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
algo – The algorithm number of the SSHFP record.
fptype – The fingerprint type of the SSHFP record.
fingerprint – The fingerprint carried by the SSHFP record.
- dns_LOC
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, loc:dns_loc_rr
)
Generated for DNS replies of type LOC. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
loc – The parsed RDATA of the LOC record.
- dns_SVCB
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, svcb:dns_svcb_rr
)
Generated for DNS replies of type SVCB (General Purpose Service Endpoints). See RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
svcb – The parsed RDATA of the SVCB record.
- dns_HTTPS
- Type:
event
(c:connection
, msg:dns_msg
, ans:dns_answer
, https:dns_svcb_rr
)
Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints). See RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. Since SVCB and HTTPS records share the same wire format layout, the argument https is dns_svcb_rr. For replies with multiple answers, an individual event of the corresponding type is raised for each.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
https – The parsed RDATA of the HTTPS record.
- dns_end
- Type:
event
(c:connection
, msg:dns_msg
)
Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.
See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
- Parameters:
c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_SPF_reply
,dns_WKS_reply
,dns_mapping_altered
,dns_mapping_lost_name
,dns_mapping_new_name
,dns_mapping_unverified
,dns_mapping_valid
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
,dns_max_queries
,dns_session_timeout
,dns_skip_addl
,dns_skip_all_addl
,dns_skip_all_auth
,dns_skip_auth
Zeek::File
Generic file analyzer
Components
Events
- file_transferred
- Type:
event
(c:connection
, prefix:string
, descr:string
, mime_type:string
)
Generated when a TCP connection associated with a file data transfer is seen (e.g., as happens with FTP or IRC).
- Parameters:
c – The connection over which file data is transferred.
prefix – Up to 1024 bytes of the file data.
descr – Deprecated/unused argument.
mime_type – MIME type of the file or “<unknown>” if no file magic signatures matched.
Zeek::Finger
Finger analyzer
Components
Types
- spicy::AddressFamily
- spicy::ByteOrder
- spicy::Charset
- spicy::DecodeErrorStrategy
- spicy::Protocol
- spicy::RealType
- spicy::ReassemblerPolicy
Events
- finger_request
- Type:
event
(c:connection
, full:bool
, username:string
, hostname:string
)
Generated for Finger requests.
See Wikipedia for more information about the Finger protocol.
- Parameters:
c – The connection.
full – True if verbose information is requested (/W switch).
username – The request’s user name.
hostname – The request’s host name.
See also:
finger_reply
- finger_reply
- Type:
event
(c:connection
, reply_line:string
)
Generated for Finger replies.
See Wikipedia for more information about the Finger protocol.
- Parameters:
c – The connection.
reply_line – The reply as returned by the server.
See also:
finger_request
Zeek::FTP
FTP analyzer
Components
Types
- ftp_port
- Type:
A parsed host/port combination describing server endpoint for an upcoming data transfer.
See also:
fmt_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,parse_ftp_pasv
,parse_ftp_port
Events
- ftp_request
- Type:
event
(c:connection
, command:string
, arg:string
)
Generated for client-side FTP commands.
See Wikipedia for more information about the FTP protocol.
- Parameters:
c – The connection.
command – The FTP command issued by the client (without any arguments).
arg – The arguments going with the command.
See also:
ftp_reply
,fmt_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,parse_ftp_pasv
,parse_ftp_port
- ftp_reply
- Type:
event
(c:connection
, code:count
, msg:string
, cont_resp:bool
)
Generated for server-side FTP replies.
See Wikipedia for more information about the FTP protocol.
- Parameters:
c – The connection.
code – The numerical response code the server responded with.
msg – The textual message of the response.
cont_resp – True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.
See also:
ftp_request
,fmt_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,parse_ftp_pasv
,parse_ftp_port
Functions
- parse_ftp_port
-
Converts a string representation of the FTP PORT command to an ftp_port.
- Parameters:
s – The string of the FTP PORT command, e.g., "10,0,0,1,4,31".
- Returns:
The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also:
parse_eftp_port
,parse_ftp_pasv
,parse_ftp_epsv
,fmt_ftp_port
- parse_eftp_port
-
Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).
- Parameters:
s – The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".
- Returns:
The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also:
parse_ftp_port
,parse_ftp_pasv
,parse_ftp_epsv
,fmt_ftp_port
- parse_ftp_pasv
-
Converts the result of the FTP PASV command to an ftp_port.
- Parameters:
str – The string containing the result of the FTP PASV command.
- Returns:
The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also:
parse_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,fmt_ftp_port
- parse_ftp_epsv
-
Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).
- Parameters:
str – The string containing the result of the FTP EPSV command.
- Returns:
The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
See also:
parse_ftp_port
,parse_eftp_port
,parse_ftp_pasv
,fmt_ftp_port
- fmt_ftp_port
-
Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yields "10,0,0,1,4,31".
- Parameters:
a – The IP address.
p – The TCP port.
- Returns:
The FTP PORT string.
See also:
parse_ftp_port
,parse_eftp_port
,parse_ftp_pasv
,parse_ftp_epsv
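The five functions above convert between the PORT, EPRT, PASV and EPSV endpoint formats and Zeek's ftp_port record. The code below is an added example written for this page, not Zeek's implementation: it reimplements the same conversions in Python so the formats can be seen end to end, returning a record with the documented h, p and valid fields and setting valid to false for anything that does not parse or whose address byte, port or net-prt is out of range. The PORT and EPRT inputs are the page's own examples; the PASV and EPSV reply lines are constructed. The names FtpPort and INVALID are this example's own.

```python
"""Parsers for the FTP endpoint formats behind Zeek's parse_ftp_port,
parse_eftp_port, parse_ftp_pasv, parse_ftp_epsv and fmt_ftp_port.
Added example written for this page; not Zeek's implementation."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FtpPort:
    """Mirrors Zeek's ftp_port record: host, port, and whether parsing succeeded."""
    h: Optional[str]  # None for EPSV, whose host is the control connection's server
    p: int
    valid: bool


INVALID = FtpPort(None, 0, False)
_SEXTUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _from_sextuple(groups) -> FtpPort:
    """h1,h2,h3,h4,p1,p2 -> address and port; every field must fit in one byte."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        return INVALID
    port = vals[4] * 256 + vals[5]
    if port == 0:
        return INVALID
    return FtpPort(".".join(map(str, vals[:4])), port, True)


def parse_ftp_port(s: str) -> FtpPort:
    """PORT argument "h1,h2,h3,h4,p1,p2" (RFC 959)."""
    m = _SEXTUPLE.fullmatch(s.strip())
    return _from_sextuple(m.groups()) if m else INVALID


def parse_ftp_pasv(reply: str) -> FtpPort:
    """227 reply; RFC 959 leaves the surrounding text free-form, so locate the sextuple."""
    m = _SEXTUPLE.search(reply)
    return _from_sextuple(m.groups()) if m else INVALID


def _split_delimited(s: str) -> Optional[list]:
    """Split "<d>a<d>b<d>c<d>", where <d> is any ASCII char 33..126 (RFC 2428)."""
    if len(s) < 2 or not (33 <= ord(s[0]) <= 126) or not s.endswith(s[0]):
        return None
    fields = s[1:-1].split(s[0])
    return fields if len(fields) == 3 else None


def _tcp_port(field: str) -> Optional[int]:
    if not (field.isascii() and field.isdigit()):
        return None
    port = int(field)
    return port if 1 <= port <= 65535 else None


def parse_eftp_port(s: str) -> FtpPort:
    """EPRT argument "<d><net-prt><d><net-addr><d><tcp-port><d>" (RFC 2428)."""
    fields = _split_delimited(s.strip())
    if fields is None:
        return INVALID
    proto, addr, port_s = fields
    port = _tcp_port(port_s)
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return INVALID
    # net-prt 1 means IPv4 and 2 means IPv6; the address family must agree with it.
    if port is None or proto not in ("1", "2") or (proto == "1") != (ip.version == 4):
        return INVALID
    return FtpPort(str(ip), port, True)


def parse_ftp_epsv(reply: str) -> FtpPort:
    """229 reply "<text> (<d><d><d><tcp-port><d>)"; the server's own address is implied."""
    start, end = reply.rfind("("), reply.rfind(")")
    if start < 0 or end < start:
        return INVALID
    fields = _split_delimited(reply[start + 1:end])
    if fields is None or fields[0] or fields[1]:
        return INVALID
    port = _tcp_port(fields[2])
    return FtpPort(None, port, True) if port is not None else INVALID


def fmt_ftp_port(a: str, p: int) -> str:
    """IPv4 address and port -> PORT argument, e.g. 10.0.0.1 and 1055 -> "10,0,0,1,4,31"."""
    if not 1 <= p <= 65535:
        raise ValueError("TCP port out of range")
    octets = ipaddress.IPv4Address(a).packed
    return ",".join(map(str, octets)) + f",{p // 256},{p % 256}"
```

Checking the valid flag before using the endpoint matters in a monitoring script: a PORT or EPRT argument with an out-of-range byte or a zero port is malformed input that the server should reject, and a parsed endpoint whose address is not the control connection's own peer is a useful thing to log rather than silently treat as the data channel.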
Zeek::Gnutella
Gnutella analyzer
Components
Events
- gnutella_text_msg
- Type:
event
(c:connection
, orig:bool
, headers:string
)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also:
gnutella_binary_msg
,gnutella_establish
,gnutella_http_notify
,gnutella_not_establish
,gnutella_partial_binary_msg
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_binary_msg
- Type:
event
(c:connection
, orig:bool
, msg_type:count
, ttl:count
, hops:count
, msg_len:count
, payload:string
, payload_len:count
, trunc:bool
, complete:bool
)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also:
gnutella_establish
,gnutella_http_notify
,gnutella_not_establish
,gnutella_partial_binary_msg
,gnutella_text_msg
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_partial_binary_msg
- Type:
event
(c:connection
, orig:bool
, msg:string
, len:count
)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also:
gnutella_binary_msg
,gnutella_establish
,gnutella_http_notify
,gnutella_not_establish
,gnutella_text_msg
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_establish
- Type:
event
(c:connection
)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also:
gnutella_binary_msg
,gnutella_http_notify
,gnutella_not_establish
,gnutella_partial_binary_msg
,gnutella_text_msg
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_not_establish
- Type:
event
(c:connection
)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also:
gnutella_binary_msg
,gnutella_establish
,gnutella_http_notify
,gnutella_partial_binary_msg
,gnutella_text_msg
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- gnutella_http_notify
- Type:
event
(c:connection
)
TODO.
See Wikipedia for more information about the Gnutella protocol.
See also:
gnutella_binary_msg
,gnutella_establish
,gnutella_not_establish
,gnutella_partial_binary_msg
,gnutella_text_msg
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Zeek::GSSAPI
GSSAPI analyzer
Components
Events
- gssapi_neg_result
- Type:
event
(c:connection
, state:count
)
Generated for GSSAPI negotiation results.
- Parameters:
c – The connection.
state – The resulting state of the negotiation.
Zeek::HTTP
HTTP analyzer
Components
Events
- http_request
- Type:
event
(c:connection
, method:string
, original_URI:string
, unescaped_URI:string
, version:string
)
Generated for HTTP requests. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
method – The HTTP method extracted from the request (e.g., GET, POST).
original_URI – The unprocessed URI as specified in the request.
unescaped_URI – The URI with all percent-encodings decoded.
version – The version number specified in the request (e.g., 1.1).
See also:
http_all_headers
,http_begin_entity
,http_content_type
,http_end_entity
,http_entity_data
,http_event
,http_header
,http_message_done
,http_reply
,http_stats
,truncate_http_URI
,http_connection_upgrade
- http_reply
- Type:
event
(c:connection
, version:string
, code:count
, reason:string
)
Generated for HTTP replies. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
version – The version number specified in the reply (e.g., 1.1).
code – The numerical response code returned by the server.
reason – The textual description returned by the server along with code.
See also:
http_all_headers
,http_begin_entity
,http_content_type
,http_end_entity
,http_entity_data
,http_event
,http_header
,http_message_done
,http_request
,http_stats
,http_connection_upgrade
- http_header
- Type:
event
(c:connection
, is_orig:bool
, original_name:string
, name:string
, value:string
)
- Type:
event
(c:connection
, is_orig:bool
, name:string
, value:string
)
Generated for HTTP headers. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
is_orig – True if the header was sent by the originator of the TCP connection.
original_name – The name of the header (unaltered).
name – The name of the header (converted to all uppercase).
value – The value of the header.
See also:
http_all_headers
,http_begin_entity
,http_content_type
,http_end_entity
,http_entity_data
,http_event
,http_message_done
,http_reply
,http_request
,http_stats
,http_connection_upgrade
Note
This event is also raised for headers found in nested body entities.
- http_all_headers
- Type:
event
(c:connection
, is_orig:bool
, hlist:mime_header_list
)
Generated for HTTP headers, passing on all headers of an HTTP message at once. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
is_orig – True if the header was sent by the originator of the TCP connection.
hlist – A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).
See also:
http_begin_entity
,http_content_type
,http_end_entity
,http_entity_data
,http_event
,http_header
,http_message_done
,http_reply
,http_request
,http_stats
,http_connection_upgrade
Note
This event is also raised for headers found in nested body entities.
- http_begin_entity
- Type:
event
(c:connection
, is_orig:bool
)
Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Zeek raises this event just before it starts parsing each entity’s content.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
is_orig – True if the entity was sent by the originator of the TCP connection.
See also:
http_all_headers
,http_content_type
,http_end_entity
,http_entity_data
,http_event
,http_header
,http_message_done
,http_reply
,http_request
,http_stats
,mime_begin_entity
,http_connection_upgrade
- http_end_entity
- Type:
event
(c:connection
, is_orig:bool
)
Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Zeek raises this event at the point when it has finished parsing an entity’s content.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
is_orig – True if the entity was sent by the originator of the TCP connection.
See also:
http_all_headers
,http_begin_entity
,http_content_type
,http_entity_data
,http_event
,http_header
,http_message_done
,http_reply
,http_request
,http_stats
,mime_end_entity
,http_connection_upgrade
- http_entity_data
- Type:
event
(c:connection
, is_orig:bool
, length:count
, data:string
)
Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data of not further defined size.
A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string, and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for large HTTP transfers. At the very least, one should impose an upper size limit on how much data is being buffered.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
is_orig – True if the entity was sent by the originator of the TCP connection.
length – The length of data.
data – One chunk of raw entity data.
See also:
http_all_headers
,http_begin_entity
,http_content_type
,http_end_entity
,http_event
,http_header
,http_message_done
,http_reply
,http_request
,http_stats
,mime_entity_data
,http_entity_data_delivery_size
,skip_http_data
,http_connection_upgrade
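The reassembly idiom described above, with the size limit it calls for, is shown here as an added example written for this page (not Zeek code): an EntityReassembler keyed by connection uid and direction collects chunks between begin and end of an entity, stops storing once max_bytes is reached while still counting what was delivered, and reports at the end whether the buffered copy is complete. The uid value and the chunks are constructed; the class and method names are this example's own.

```python
"""Bounded reassembly of body chunks, mirroring the http_begin_entity /
http_entity_data / http_end_entity sequence. Added example; not Zeek code."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class EntityState:
    data: bytearray = field(default_factory=bytearray)
    total_seen: int = 0       # bytes delivered for this entity, including dropped ones
    truncated: bool = False   # True once the cap stopped us from keeping everything


class EntityReassembler:
    """Collects body chunks per (connection uid, is_orig), keeping at most max_bytes."""

    def __init__(self, max_bytes: int):
        self.max_bytes = max_bytes
        self._entities: dict[tuple[str, bool], EntityState] = {}

    def begin_entity(self, uid: str, is_orig: bool) -> None:
        # A new entity in the same direction replaces any stale state.
        self._entities[(uid, is_orig)] = EntityState()

    def entity_data(self, uid: str, is_orig: bool, chunk: bytes) -> None:
        st = self._entities.get((uid, is_orig))
        if st is None:
            return  # chunk without a matching begin; ignore rather than allocate
        st.total_seen += len(chunk)
        room = self.max_bytes - len(st.data)
        if room <= 0:
            st.truncated = True
            return
        if len(chunk) > room:
            st.truncated = True
            chunk = chunk[:room]
        st.data += chunk

    def end_entity(self, uid: str, is_orig: bool) -> tuple[bytes, int, bool]:
        """Return (buffered data, total bytes seen, truncated) and release the state."""
        st = self._entities.pop((uid, is_orig), EntityState())
        return bytes(st.data), st.total_seen, st.truncated

    def buffered_bytes(self) -> int:
        """Memory currently held across all in-flight entities."""
        return sum(len(s.data) for s in self._entities.values())


def demo(max_bytes: int = 16) -> tuple[bytes, int, bool]:
    """Feed constructed server-side chunks for one entity and return the result."""
    r = EntityReassembler(max_bytes)
    r.begin_entity("CUID-demo", False)
    for chunk in (b"<html>", b"<body>", b"hello", b"</body></html>"):
        r.entity_data("CUID-demo", False, chunk)
    return r.end_entity("CUID-demo", False)
```

The truncated flag is what the content analysis should check first: a signature match on a partial body is still a match, but the absence of one proves nothing when the buffer was cut off.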
- http_content_type
- Type:
event
(c:connection
, is_orig:bool
, ty:string
, subty:string
)
Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
is_orig – True if the entity was sent by the originator of the TCP connection.
ty – The main type.
subty – The subtype.
See also:
http_all_headers
,http_begin_entity
,http_end_entity
,http_entity_data
,http_event
,http_header
,http_message_done
,http_reply
,http_request
,http_stats
,http_connection_upgrade
Note
This event is also raised for headers found in nested body entities.
- http_message_done
- Type:
event
(c:connection
, is_orig:bool
, stat:http_message_stat
)
Generated once at the end of parsing an HTTP message. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
is_orig – True if the entity was sent by the originator of the TCP connection.
stat – Further meta information about the message.
See also:
http_all_headers
,http_begin_entity
,http_content_type
,http_end_entity
,http_entity_data
,http_event
,http_header
,http_reply
,http_request
,http_stats
,http_connection_upgrade
- http_event
- Type:
event
(c:connection
, event_type:string
, detail:string
)
Generated for errors found when decoding HTTP requests or replies.
See Wikipedia for more information about the HTTP protocol.
- Parameters:
c – The connection.
event_type – A string describing the general category of the problem found (e.g., illegal format).
detail – Further, more detailed description of the error.
See also:
http_all_headers
,http_begin_entity
,http_content_type
,http_end_entity
,http_entity_data
,http_header
,http_message_done
,http_reply
,http_request
,http_stats
,mime_event
,http_connection_upgrade
- http_stats
- Type: event (c: connection, stats: http_stats_rec)
Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.
- Parameters:
c – The connection.
stats – Statistics summarizing HTTP-level properties of the finished connection.
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request, http_connection_upgrade
- http_connection_upgrade
- Type: event (c: connection, protocol: string)
Generated when an HTTP session is upgraded to a different protocol (e.g., WebSocket). This event is raised when a server replies with an HTTP 101 reply. No more HTTP events will be raised after this event.
- Parameters:
c – The connection.
protocol – The protocol to which the connection is switching.
See also: http_all_headers, http_begin_entity, http_content_type, http_end_entity, http_entity_data, http_event, http_header, http_message_done, http_reply, http_request
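As an added example (not code from the Zeek documentation or distribution), the following script ties http_event, http_message_done, http_connection_upgrade and http_stats together into per-connection bookkeeping: it counts decoding errors, flags messages the analyzer reports as interrupted, raises a notice on a 101 upgrade (after which no more HTTP events arrive on that connection), and releases state when http_stats signals that the session is over. The module name, the notice types and the error threshold are assumptions made for this example.

```zeek
# Added example, not part of Zeek: per-connection bookkeeping over the
# HTTP events documented above. Module and notice names are assumptions.
module HttpWatch;

export {
    redef enum Notice::Type += {
        ## The server answered with HTTP 101 and the connection left HTTP.
        Protocol_Upgrade,
        ## A connection produced error_threshold HTTP decoding errors.
        Many_Parse_Errors,
        ## The analyzer finished a message it reports as interrupted.
        Interrupted_Message,
    };

    ## Number of http_event errors on one connection before noticing
    ## (constructed value for this example).
    const error_threshold = 5 &redef;
}

# Decoding errors seen per connection, keyed by the connection uid.
global parse_errors: table[string] of count &default=0;

event http_event(c: connection, event_type: string, detail: string)
    {
    ++parse_errors[c$uid];
    # Notice once per connection, at the moment the threshold is crossed.
    if ( parse_errors[c$uid] == error_threshold )
        NOTICE([$note=Many_Parse_Errors,
                $msg=fmt("%d HTTP decoding errors; last: %s (%s)",
                         parse_errors[c$uid], event_type, detail),
                $conn=c,
                $identifier=c$uid]);
    }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    # stat$interrupted is set when the message ended before its framing was
    # complete; stat$body_length is the amount of body actually seen.
    if ( stat$interrupted )
        NOTICE([$note=Interrupted_Message,
                $msg=fmt("%s HTTP message interrupted after %d body bytes (%s)",
                         is_orig ? "request" : "reply",
                         stat$body_length, stat$finish_msg),
                $conn=c]);
    }

event http_connection_upgrade(c: connection, protocol: string)
    {
    # No further HTTP events follow on c, so record the upgrade here rather
    # than waiting for http_stats.
    NOTICE([$note=Protocol_Upgrade,
            $msg=fmt("HTTP connection upgraded to %s", protocol),
            $sub=protocol,
            $conn=c,
            $identifier=cat(c$id$resp_h, c$id$resp_p, protocol)]);
    }

event http_stats(c: connection, stats: http_stats_rec)
    {
    # All requests and replies of the session are processed: drop state.
    delete parse_errors[c$uid];
    }
```

Load it with `zeek -r trace.pcap httpwatch.zeek` (file name assumed) and the notices appear in notice.log; the $identifier on Protocol_Upgrade lets the Notice framework's suppression collapse repeated upgrades to the same server and protocol into one entry.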
Functions
- skip_http_entity_data
- Type: function (c: connection, is_orig: bool): any
Skips the data of the HTTP entity.
- Parameters:
c – The HTTP connection.
is_orig – If true, the client data is skipped, and the server data otherwise.
See also: skip_smtp_data
- unescape_URI
-
Unescapes all characters in a URI (decodes every %xx group).
- Parameters:
URI – The URI to unescape.
- Returns:
The unescaped URI with all %xx groups decoded.
Note
Unescaping reserved characters may cause loss of information. RFC 2396: A URI is always in an “escaped” form, since escaping or unescaping a completed URI might change its semantics. Normally, the only time escape encodings can safely be made is when the URI is being created from its component parts.
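An added example (not from the Zeek documentation) of unescape_URI in a script. http_request already delivers both the raw and the decoded URI, so the function is used here to answer two questions the note above raises: does the decoded form carry bytes no path should contain, and does one round of decoding leave further %xx groups behind (multiple encoding), which is detected by comparing rather than by decoding repeatedly. The module, notice types and helper names are assumptions.

```zeek
# Added example, not part of Zeek: decode a URI once and inspect the decoded
# form while keeping the raw form for logging. Names are assumptions.
module UriDecode;

export {
    redef enum Notice::Type += {
        ## The decoded request URI carries a NUL, CR or LF byte.
        Control_Char_In_URI,
        ## The URI decodes to something that itself still contains %xx
        ## escapes, i.e. it was encoded more than once.
        Double_Encoded_URI,
    };
}

# T if the decoded form contains a byte no legitimate path should carry.
function has_control_char(raw_uri: string): bool
    {
    local decoded = unescape_URI(raw_uri);
    return "\x00" in decoded || "\n" in decoded || "\r" in decoded;
    }

# T if one round of decoding still leaves %xx groups behind. Every extra
# decoding round can change the meaning of the URI (see the note above),
# so the function only compares results, it never acts on the re-decoded value.
function is_double_encoded(raw_uri: string): bool
    {
    local once = unescape_URI(raw_uri);
    return once != raw_uri && unescape_URI(once) != once;
    }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # Work from original_URI: it is the raw wire form, which is also what
    # gets logged, so the notice and the log agree byte for byte.
    if ( has_control_char(original_URI) )
        NOTICE([$note=Control_Char_In_URI,
                $msg=fmt("control character in decoded URI: %s", original_URI),
                $conn=c]);

    if ( is_double_encoded(original_URI) )
        NOTICE([$note=Double_Encoded_URI,
                $msg=fmt("URI still contains escapes after one decoding: %s", original_URI),
                $conn=c]);
    }
```

Given the request line `GET /a%250Ab HTTP/1.1` (a constructed input), has_control_char returns F because one round of decoding yields `/a%0Ab`, while is_double_encoded returns T because that result decodes again to `/a<LF>b`.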
Zeek::Ident
Ident analyzer
Components
Events
- ident_request
- Type: event (c: connection, lport: port, rport: port)
Generated for Ident requests.
See Wikipedia for more information about the Ident protocol.
- Parameters:
c – The connection.
lport – The request’s local port.
rport – The request’s remote port.
See also: ident_error, ident_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- ident_reply
-
Generated for Ident replies.
See Wikipedia for more information about the Ident protocol.
- Parameters:
c – The connection.
lport – The corresponding request’s local port.
rport – The corresponding request’s remote port.
user_id – The user id returned by the reply.
system – The operating system returned by the reply.
See also: ident_error, ident_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- ident_error
- Type: event (c: connection, lport: port, rport: port, line: string)
Generated for Ident error replies.
See Wikipedia for more information about the Ident protocol.
- Parameters:
c – The connection.
lport – The corresponding request’s local port.
rport – The corresponding request’s remote port.
line – The error description returned by the reply.
See also: ident_reply, ident_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
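The three Todo notes say the Ident analyzer is not active by default and must be registered for a port or given a DPD signature. The script below, an added example that is not part of the Zeek distribution, does the port registration with Analyzer::register_for_ports and Analyzer::ANALYZER_IDENT and then handles the three events: the interesting case for a defender is a local responder answering an Ident query with a real account name, since that discloses usernames to whoever asks. The module name and the notice type are assumptions; Site::is_local_addr is Zeek's own helper.

```zeek
# Added example, not part of Zeek: enable the Ident analyzer on its IANA port
# and watch for username disclosure. Module and notice names are assumptions.
module IdentWatch;

export {
    redef enum Notice::Type += {
        ## A local host answered an Ident query with a username.
        User_Disclosed,
    };
}

event zeek_init()
    {
    # Attach the analyzer to 113/tcp; without this (or a DPD signature)
    # none of the ident_* events are generated.
    Analyzer::register_for_ports(Analyzer::ANALYZER_IDENT, set(113/tcp));
    }

event ident_request(c: connection, lport: port, rport: port)
    {
    # The originator asks the responder who owns the lport/rport pair.
    # Nothing to act on yet; the reply decides whether information leaked.
    }

event ident_reply(c: connection, lport: port, rport: port, user_id: string, system: string)
    {
    # The reply travels from responder to originator, so a local responder
    # is the host that just disclosed an account name.
    if ( Site::is_local_addr(c$id$resp_h) )
        NOTICE([$note=User_Disclosed,
                $msg=fmt("Ident reply from %s disclosed user %s on %s for %s/%s",
                         c$id$resp_h, user_id, system, lport, rport),
                $sub=user_id,
                $conn=c,
                $identifier=cat(c$id$resp_h, user_id)]);
    }

event ident_error(c: connection, lport: port, rport: port, line: string)
    {
    # Error replies (RFC 1413 tokens such as NO-USER or HIDDEN-USER) are the
    # benign outcome; keep them visible in reporter.log for tuning.
    Reporter::info(fmt("ident error from %s for %s/%s: %s",
                       c$id$resp_h, lport, rport, line));
    }
```

Site::is_local_addr only works once Site::local_nets is populated (for example by `redef Site::local_nets += { 10.0.0.0/8 };`, a constructed value); without it every reply is treated as coming from a remote host and no notice is raised.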
Zeek::IMAP
IMAP analyzer (StartTLS only)
Components
Events
- imap_capabilities
- Type: event (c: connection, capabilities: string_vec)
Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.
- Parameters:
c – The connection.
capabilities – The list of IMAP capabilities as sent by the server.
- imap_starttls
- Type: event (c: connection)
Generated when an IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.
- Parameters:
c – The connection.
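An added example (not part of Zeek) that uses the two IMAP events together: imap_capabilities records whether the server offered STARTTLS, imap_starttls records whether the session actually switched to TLS, and at connection teardown the script reports sessions that were offered encryption but never took it. Since the analyzer handles StartTLS only, it never sees the mailbox traffic itself; this is exactly the kind of question it can still answer. The module name, notice type and helper name are assumptions.

```zeek
# Added example, not part of Zeek: flag IMAP sessions that were offered
# STARTTLS but stayed in clear text. Names are assumptions.
module ImapWatch;

export {
    redef enum Notice::Type += {
        ## The server advertised STARTTLS but the session never upgraded.
        StartTLS_Not_Used,
    };
}

# Connections (by uid) on which the server advertised STARTTLS.
global advertised: set[string];
# Connections (by uid) that completed the StartTLS exchange.
global upgraded: set[string];

# T if the capability list contains STARTTLS (capability names are
# case-insensitive in IMAP, hence the to_upper).
function offers_starttls(caps: string_vec): bool
    {
    for ( i in caps )
        if ( to_upper(caps[i]) == "STARTTLS" )
            return T;
    return F;
    }

event imap_capabilities(c: connection, capabilities: string_vec)
    {
    if ( offers_starttls(capabilities) )
        add advertised[c$uid];
    }

event imap_starttls(c: connection)
    {
    # From here on the SSL analyzer owns the connection.
    add upgraded[c$uid];
    }

event connection_state_remove(c: connection)
    {
    if ( c$uid in advertised && c$uid !in upgraded )
        NOTICE([$note=StartTLS_Not_Used,
                $msg=fmt("IMAP server %s offered STARTTLS but client %s stayed in clear text",
                         c$id$resp_h, c$id$orig_h),
                $conn=c,
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);

    delete advertised[c$uid];
    delete upgraded[c$uid];
    }
```

The check runs in connection_state_remove rather than in imap_capabilities because a client may issue STARTTLS at any point after the capability reply; only at teardown is "never upgraded" a fact.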
Zeek::IRC
IRC analyzer
Components
Events
- irc_request
-
Generated for all client-side IRC commands.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – Always true.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
command – The command.
arguments – The arguments for the command.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
Note
This event is generated only for messages that originate at the client-side. Commands coming in from remote trigger the irc_message event instead.
- irc_reply
-
Generated for all IRC replies. IRC replies are sent in response to a request and come with a reply code.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
prefix – The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message.
code – The reply code, as specified by the protocol.
params – The reply’s parameters.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_message
-
Generated for IRC commands forwarded from the server to the client.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – Always false.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
command – The command.
message – TODO.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
Note
This event is generated only for messages that are forwarded by the server to the client. Commands coming from the client trigger the irc_request event instead.
- irc_quit_message
- Type: event (c: connection, is_orig: bool, nick: string, message: string)
Generated for IRC messages of type quit. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
nick – The nickname coming with the message.
message – The text included with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_privmsg_message
-
Generated for IRC messages of type privmsg. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
source – The source of the private communication.
target – The target of the private communication.
message – The text of communication.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_notice_message
-
Generated for IRC messages of type notice. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
source – The source of the private communication.
target – The target of the private communication.
message – The text of communication.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_squery_message
-
Generated for IRC messages of type squery. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
source – The source of the private communication.
target – The target of the private communication.
message – The text of communication.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_join_message
- Type: event (c: connection, is_orig: bool, info_list: irc_join_list)
Generated for IRC messages of type join. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
info_list – The user information coming with the command.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_part_message
- Type: event (c: connection, is_orig: bool, nick: string, chans: string_set, message: string)
Generated for IRC messages of type part. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
nick – The nickname coming with the message.
chans – The set of channels affected.
message – The text coming with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_password_message, irc_dcc_send_ack
- irc_nick_message
- Type: event (c: connection, is_orig: bool, who: string, newnick: string)
Generated for IRC messages of type nick. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
who – The user changing its nickname.
newnick – The new nickname.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_invalid_nick
- Type: event (c: connection, is_orig: bool)
Generated when a server rejects an IRC nickname.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_network_info
-
Generated for an IRC reply of type luserclient.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
users – The number of users as returned in the reply.
services – The number of services as returned in the reply.
servers – The number of servers as returned in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_server_info
-
Generated for an IRC reply of type luserme.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
users – The number of users as returned in the reply.
services – The number of services as returned in the reply.
servers – The number of servers as returned in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_channel_info
- Type: event (c: connection, is_orig: bool, chans: count)
Generated for an IRC reply of type luserchannels.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
chans – The number of channels as returned in the reply.
See also: irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_who_line
- Type: event (c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string)
Generated for an IRC reply of type whoreply.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
target_nick – The target nickname.
channel – The channel.
user – The user.
host – The host.
server – The server.
nick – The nickname.
params – The parameters.
hops – The hop count.
real_name – The real name.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_names_info
- Type: event (c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
Generated for an IRC reply of type namereply.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
c_type – The channel type.
channel – The channel.
users – The set of users.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_whois_operator_line
- Type: event (c: connection, is_orig: bool, nick: string)
Generated for an IRC reply of type whoisoperator.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
nick – The nickname specified in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_whois_channel_line
- Type: event (c: connection, is_orig: bool, nick: string, chans: string_set)
Generated for an IRC reply of type whoischannels.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
nick – The nickname specified in the reply.
chans – The set of channels returned.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_whois_user_line
- Type: event (c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string)
Generated for an IRC reply of type whoisuser.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
nick – The nickname specified in the reply.
user – The user name specified in the reply.
host – The host name specified in the reply.
real_name – The real name specified in the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_oper_response
- Type: event (c: connection, is_orig: bool, got_oper: bool)
Generated for IRC replies of type youreoper and nooperhost.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
got_oper – True if the oper command was executed successfully (youreoper) and false otherwise (nooperhost).
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_global_users
- Type: event (c: connection, is_orig: bool, prefix: string, msg: string)
Generated for an IRC reply of type globalusers.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
msg – The message coming with the reply.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_channel_topic
- Type: event (c: connection, is_orig: bool, channel: string, topic: string)
Generated for an IRC reply of type topic.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
channel – The channel name specified in the reply.
topic – The topic specified in the reply.
See also: irc_channel_info, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_who_message
- Type: event (c: connection, is_orig: bool, mask: string, oper: bool)
Generated for IRC messages of type who. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
mask – The mask specified in the message.
oper – True if the operator flag was set.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_whois_message
- Type: event (c: connection, is_orig: bool, server: string, users: string)
Generated for IRC messages of type whois. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
server – TODO.
users – TODO.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_oper_message
- Type: event (c: connection, is_orig: bool, user: string, password: string)
Generated for IRC messages of type oper. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
user – The user specified in the message.
password – The password specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_kick_message
- Type: event (c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string)
Generated for IRC messages of type kick. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
chans – The channels specified in the message.
users – The users specified in the message.
comment – The comment specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_error_message
- Type: event (c: connection, is_orig: bool, prefix: string, message: string)
Generated for IRC messages of type error. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
message – The textual description specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_invite_message
-
Generated for IRC messages of type invite. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
nickname – The nickname specified in the message.
channel – The channel specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_mode_message
- Type: event (c: connection, is_orig: bool, prefix: string, params: string)
Generated for IRC messages of type mode. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
params – The parameters coming with the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_squit_message
-
Generated for IRC messages of type squit. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
server – The server specified in the message.
message – The textual description specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_dcc_message
- Type: event (c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count)
Generated for IRC messages of type dcc. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
See Wikipedia for more information about the DCC.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
prefix – The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.
target – The target specified in the message.
dcc_type – The DCC type specified in the message.
argument – The argument specified in the message.
address – The address specified in the message.
dest_port – The destination port specified in the message.
size – The size specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_dcc_send_ack
- Type: event (c: connection, bytes_received: count)
Generated for IRC messages of type dcc. This event is generated for DCC SEND acknowledgement messages.
See Wikipedia for more information about the IRC protocol.
See Wikipedia for more information about the DCC.
- Parameters:
c – The connection.
bytes_received – The number of bytes received as reported by the recipient.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message
- irc_user_message
- Type: event (c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string)
Generated for IRC messages of type user. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
user – The user specified in the message.
host – The host name specified in the message.
server – The server name specified in the message.
real_name – The real name specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_password_message, irc_dcc_send_ack
- irc_password_message
- Type: event (c: connection, is_orig: bool, password: string)
Generated for IRC messages of type password. This event is generated for messages coming from both the client and the server.
See Wikipedia for more information about the IRC protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
password – The password specified in the message.
See also: irc_channel_info, irc_channel_topic, irc_dcc_message, irc_error_message, irc_global_users, irc_invalid_nick, irc_invite_message, irc_join_message, irc_kick_message, irc_message, irc_mode_message, irc_names_info, irc_network_info, irc_nick_message, irc_notice_message, irc_oper_message, irc_oper_response, irc_part_message, irc_dcc_send_ack
- irc_starttls
- Type: event (c: connection)
Generated if an IRC connection switched to TLS using STARTTLS. After this event no more IRC events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.
- Parameters:
c – The connection.
Zeek::JavaScript
Experimental JavaScript support for Zeek
Components
Zeek::KRB
Kerberos analyzer
Components
Options/Constants
- KRB::keytab
Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
Types
- KRB::Error_Msg
- Type: record
- pvno: count &optional – Protocol version number (5 for KRB5)
- msg_type: count &optional – The message type (30 for ERROR_MSG)
- client_time: time &optional – Current time on the client
- server_time: time &optional – Current time on the server
- error_code: count – The specific error code
- client_realm: string &optional – Realm of the ticket
- client_name: string &optional – Name on the ticket
- service_realm: string &optional – Realm of the service
- service_name: string &optional – Name of the service
- error_text: string &optional – Additional text to explain the error
- pa_data: vector of KRB::Type_Value &optional – Optional pre-authentication data
The data from the ERROR_MSG message. See RFC 4120.
- KRB::SAFE_Msg
- Type: record
- pvno: count – Protocol version number (5 for KRB5)
- msg_type: count – The message type (20 for SAFE_MSG)
- data: string – The application-specific data that is being passed from the sender to the receiver
- timestamp: time &optional – Current time from the sender of the message
- seq: count &optional – Sequence number used to detect replays
- sender: KRB::Host_Address &optional – Sender address
- recipient: KRB::Host_Address &optional – Recipient address
The data from the SAFE message. See RFC 4120.
- KRB::KDC_Options
- Type: record
- forwardable: bool – The ticket to be issued should have its forwardable flag set.
- forwarded: bool – A (TGT) request for forwarding.
- proxiable: bool – The ticket to be issued should have its proxiable flag set.
- proxy: bool – A request for a proxy.
- allow_postdate: bool – The ticket to be issued should have its may-postdate flag set.
- postdated: bool – A request for a postdated ticket.
- renewable: bool – The ticket to be issued should have its renewable flag set.
- opt_hardware_auth: bool – Reserved for opt_hardware_auth
- disable_transited_check: bool – Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.
- renewable_ok: bool – If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable
- enc_tkt_in_skey: bool – The ticket for the end server is to be encrypted in the session key from the additional TGT provided
- renew: bool – The request is for a renewal
- validate: bool – The request is to validate a postdated ticket.
KDC Options. See RFC 4120.
- KRB::AP_Options
- Type: record
AP Options. See RFC 4120.
- KRB::Type_Value
- Type: record
Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
- KRB::Ticket
- Type: record
A Kerberos ticket. See RFC 4120.
- KRB::Ticket_Vector
- Type: vector of KRB::Ticket
- KRB::Host_Address
- Type: record
A Kerberos host address. See RFC 4120.
- KRB::KDC_Request
- Type: record
- pvno: count – Protocol version number (5 for KRB5)
- msg_type: count – The message type (10 for AS_REQ, 12 for TGS_REQ)
- pa_data: vector of KRB::Type_Value &optional – Optional pre-authentication data
- kdc_options: KRB::KDC_Options &optional – Options specified in the request
- client_name: string &optional – Name on the ticket
- service_realm: string &optional – Realm of the service
- service_name: string &optional – Name of the service
- from: time &optional – Time the ticket is good from
- till: time &optional – Time the ticket is good till
- rtime: time &optional – The requested renew-till time
- nonce: count &optional – A random nonce generated by the client
- encryption_types: vector of count &optional – The desired encryption algorithms, in order of preference
- host_addrs: vector of KRB::Host_Address &optional – Any additional addresses the ticket should be valid for
- additional_tickets: vector of KRB::Ticket &optional – Additional tickets may be included for certain transactions
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
- KRB::KDC_Response
- Type: record
- pvno: count – Protocol version number (5 for KRB5)
- msg_type: count – The message type (11 for AS_REP, 13 for TGS_REP)
- pa_data: vector of KRB::Type_Value &optional – Optional pre-authentication data
- client_realm: string &optional – Realm on the ticket
- client_name: string – Name on the service
- ticket: KRB::Ticket – The ticket that was issued
- enc_part: KRB::Encrypted_Data – The encrypted session key for the client
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
Events
- krb_as_request
- Type: event (c: connection, msg: KRB::KDC_Request)
A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. The AS request contains a username of the client requesting authentication, and returns an AS reply with an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
msg – A Kerberos KDC request message data structure.
See also: krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
- krb_as_response
- Type: event (c: connection, msg: KRB::KDC_Response)
A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. Following the AS request for a user, an AS reply contains an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
msg – A Kerberos KDC reply message data structure.
See also: krb_as_request, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
- krb_tgs_request
- Type: event (c: connection, msg: KRB::KDC_Request)
A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. Following the Authentication Server exchange, if successful, the client now has a Ticket Granting Ticket (TGT). To authenticate to a Kerberized service, the client requests a Service Ticket, which will be returned in the TGS reply. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
msg – A Kerberos KDC request message data structure.
See also: krb_as_request, krb_as_response, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
- krb_tgs_response
- Type: event (c: connection, msg: KRB::KDC_Response)
A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. This message returns a Service Ticket to the client, which is encrypted with the service’s long-term key, and which the client can use to authenticate to that service. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
msg – A Kerberos KDC reply message data structure.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
- krb_ap_request
- Type: event (c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. This message contains authentication information that should be part of the first message in an authenticated transaction. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
ticket – The Kerberos ticket being used for authentication.
opts – A Kerberos AP options data structure.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_response, krb_priv, krb_safe, krb_cred, krb_error
- krb_ap_response
- Type: event (c: connection)
A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. This is used if mutual authentication is desired. All of the interesting information in here is encrypted, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_priv, krb_safe, krb_cred, krb_error
- krb_priv
- Type: event (c: connection, is_orig: bool)
A Kerberos 5 Private Message as defined in RFC 4120. This is a private (encrypted) application message, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
is_orig – Whether the originator of the connection sent this message.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_safe, krb_cred, krb_error
- krb_safe
- Type: event (c: connection, is_orig: bool, msg: KRB::SAFE_Msg)
A Kerberos 5 Safe Message as defined in RFC 4120. This is a safe (checksummed) application message. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
is_orig – Whether the originator of the connection sent this message.
msg – A Kerberos SAFE message data structure.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_cred, krb_error
- krb_cred
- Type: event (c: connection, is_orig: bool, tickets: KRB::Ticket_Vector)
A Kerberos 5 Credential Message as defined in RFC 4120. This is a private (encrypted) message to forward credentials. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
is_orig – Whether the originator of the connection sent this message.
tickets – Tickets obtained from the KDC that are being forwarded.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_error
- krb_error
- Type: event (c: connection, msg: KRB::Error_Msg)
A Kerberos 5 Error Message as defined in RFC 4120. See Wikipedia for more information about the Kerberos protocol.
- Parameters:
c – The connection over which this Kerberos message was sent.
msg – A Kerberos error message data structure.
See also: krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, krb_ap_request, krb_ap_response, krb_priv, krb_safe, krb_cred
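As an added example of consuming the krb_error event and the KRB::Error_Msg record above (example script written for this page, not part of the Zeek distribution), the handler below counts KDC error replies per client principal and raises a notice when a client crosses a threshold. The module name, notice type, threshold and window are assumptions; the error code values come from RFC 4120, section 7.5.9.

```zeek
##! Added example (not part of Zeek): watch krb_error replies for
##! pre-authentication failures and unknown principals, count them per
##! client, and raise a notice on a burst.

@load base/frameworks/notice

module KRB_Failures;

export {
    redef enum Notice::Type += {
        ## A client accumulated many watched KDC errors within the window.
        Error_Burst
    };

    ## Error codes from RFC 4120, section 7.5.9:
    ##  6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in database)
    ## 24 = KDC_ERR_PREAUTH_FAILED      (pre-authentication failed)
    const watched_errors: set[count] = { 6, 24 } &redef;

    ## Threshold and window are assumptions for this example; tune them.
    const error_threshold: count = 10 &redef;
    const error_window: interval = 5 min &redef;
}

## Watched errors seen per client principal; entries expire after the
## window so an idle client's counter resets.
global errors: table[string] of count &default=0 &write_expire=error_window;

event krb_error(c: connection, msg: KRB::Error_Msg)
    {
    # error_code is mandatory in KRB::Error_Msg; the name fields are &optional.
    if ( msg$error_code !in watched_errors )
        return;

    # Fall back to the originating address when the KDC did not echo a name.
    local who = msg?$client_name ? msg$client_name : cat(c$id$orig_h);
    local realm = msg?$client_realm ? msg$client_realm : "-";
    local key = fmt("%s@%s", who, realm);

    ++errors[key];

    if ( errors[key] == error_threshold )
        NOTICE([$note=Error_Burst,
                $conn=c,
                $msg=fmt("%d Kerberos pre-auth/unknown-principal errors for %s within %s",
                         errors[key], key, error_window),
                $identifier=key,
                $suppress_for=error_window]);
    }
```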
Zeek::LDAP
LDAP analyzer
Components
Types
- LDAP::ProtocolOpcode
- Type: enum
- LDAP::ProtocolOpcode_BIND_REQUEST
- LDAP::ProtocolOpcode_BIND_RESPONSE
- LDAP::ProtocolOpcode_UNBIND_REQUEST
- LDAP::ProtocolOpcode_SEARCH_REQUEST
- LDAP::ProtocolOpcode_SEARCH_RESULT_ENTRY
- LDAP::ProtocolOpcode_SEARCH_RESULT_DONE
- LDAP::ProtocolOpcode_MODIFY_REQUEST
- LDAP::ProtocolOpcode_MODIFY_RESPONSE
- LDAP::ProtocolOpcode_ADD_REQUEST
- LDAP::ProtocolOpcode_ADD_RESPONSE
- LDAP::ProtocolOpcode_DEL_REQUEST
- LDAP::ProtocolOpcode_DEL_RESPONSE
- LDAP::ProtocolOpcode_MOD_DN_REQUEST
- LDAP::ProtocolOpcode_MOD_DN_RESPONSE
- LDAP::ProtocolOpcode_COMPARE_REQUEST
- LDAP::ProtocolOpcode_COMPARE_RESPONSE
- LDAP::ProtocolOpcode_ABANDON_REQUEST
- LDAP::ProtocolOpcode_SEARCH_RESULT_REFERENCE
- LDAP::ProtocolOpcode_EXTENDED_REQUEST
- LDAP::ProtocolOpcode_EXTENDED_RESPONSE
- LDAP::ProtocolOpcode_INTERMEDIATE_RESPONSE
- LDAP::ProtocolOpcode_Undef
- LDAP::ResultCode
- Type: enum
- LDAP::ResultCode_SUCCESS
- LDAP::ResultCode_OPERATIONS_ERROR
- LDAP::ResultCode_PROTOCOL_ERROR
- LDAP::ResultCode_TIME_LIMIT_EXCEEDED
- LDAP::ResultCode_SIZE_LIMIT_EXCEEDED
- LDAP::ResultCode_COMPARE_FALSE
- LDAP::ResultCode_COMPARE_TRUE
- LDAP::ResultCode_AUTH_METHOD_NOT_SUPPORTED
- LDAP::ResultCode_STRONGER_AUTH_REQUIRED
- LDAP::ResultCode_PARTIAL_RESULTS
- LDAP::ResultCode_REFERRAL
- LDAP::ResultCode_ADMIN_LIMIT_EXCEEDED
- LDAP::ResultCode_UNAVAILABLE_CRITICAL_EXTENSION
- LDAP::ResultCode_CONFIDENTIALITY_REQUIRED
- LDAP::ResultCode_SASL_BIND_IN_PROGRESS
- LDAP::ResultCode_NO_SUCH_ATTRIBUTE
- LDAP::ResultCode_UNDEFINED_ATTRIBUTE_TYPE
- LDAP::ResultCode_INAPPROPRIATE_MATCHING
- LDAP::ResultCode_CONSTRAINT_VIOLATION
- LDAP::ResultCode_ATTRIBUTE_OR_VALUE_EXISTS
- LDAP::ResultCode_INVALID_ATTRIBUTE_SYNTAX
- LDAP::ResultCode_NO_SUCH_OBJECT
- LDAP::ResultCode_ALIAS_PROBLEM
- LDAP::ResultCode_INVALID_DNSYNTAX
- LDAP::ResultCode_ALIAS_DEREFERENCING_PROBLEM
- LDAP::ResultCode_INAPPROPRIATE_AUTHENTICATION
- LDAP::ResultCode_INVALID_CREDENTIALS
- LDAP::ResultCode_INSUFFICIENT_ACCESS_RIGHTS
- LDAP::ResultCode_BUSY
- LDAP::ResultCode_UNAVAILABLE
- LDAP::ResultCode_UNWILLING_TO_PERFORM
- LDAP::ResultCode_LOOP_DETECT
- LDAP::ResultCode_SORT_CONTROL_MISSING
- LDAP::ResultCode_OFFSET_RANGE_ERROR
- LDAP::ResultCode_NAMING_VIOLATION
- LDAP::ResultCode_OBJECT_CLASS_VIOLATION
- LDAP::ResultCode_NOT_ALLOWED_ON_NON_LEAF
- LDAP::ResultCode_NOT_ALLOWED_ON_RDN
- LDAP::ResultCode_ENTRY_ALREADY_EXISTS
- LDAP::ResultCode_OBJECT_CLASS_MODS_PROHIBITED
- LDAP::ResultCode_RESULTS_TOO_LARGE
- LDAP::ResultCode_AFFECTS_MULTIPLE_DSAS
- LDAP::ResultCode_CONTROL_ERROR
- LDAP::ResultCode_OTHER
- LDAP::ResultCode_SERVER_DOWN
- LDAP::ResultCode_LOCAL_ERROR
- LDAP::ResultCode_ENCODING_ERROR
- LDAP::ResultCode_DECODING_ERROR
- LDAP::ResultCode_TIMEOUT
- LDAP::ResultCode_AUTH_UNKNOWN
- LDAP::ResultCode_FILTER_ERROR
- LDAP::ResultCode_USER_CANCELED
- LDAP::ResultCode_PARAM_ERROR
- LDAP::ResultCode_NO_MEMORY
- LDAP::ResultCode_CONNECT_ERROR
- LDAP::ResultCode_NOT_SUPPORTED
- LDAP::ResultCode_CONTROL_NOT_FOUND
- LDAP::ResultCode_NO_RESULTS_RETURNED
- LDAP::ResultCode_MORE_RESULTS_TO_RETURN
- LDAP::ResultCode_CLIENT_LOOP
- LDAP::ResultCode_REFERRAL_LIMIT_EXCEEDED
- LDAP::ResultCode_INVALID_RESPONSE
- LDAP::ResultCode_AMBIGUOUS_RESPONSE
- LDAP::ResultCode_TLS_NOT_SUPPORTED
- LDAP::ResultCode_INTERMEDIATE_RESPONSE
- LDAP::ResultCode_UNKNOWN_TYPE
- LDAP::ResultCode_LCUP_INVALID_DATA
- LDAP::ResultCode_LCUP_UNSUPPORTED_SCHEME
- LDAP::ResultCode_LCUP_RELOAD_REQUIRED
- LDAP::ResultCode_CANCELED
- LDAP::ResultCode_NO_SUCH_OPERATION
- LDAP::ResultCode_TOO_LATE
- LDAP::ResultCode_CANNOT_CANCEL
- LDAP::ResultCode_ASSERTION_FAILED
- LDAP::ResultCode_AUTHORIZATION_DENIED
- LDAP::ResultCode_Undef
- LDAP::BindAuthType
- LDAP::SearchScope
- LDAP::SearchDerefAlias
- ASN1::ASN1Type
- Type: enum
- ASN1::ASN1Type_Boolean
- ASN1::ASN1Type_Integer
- ASN1::ASN1Type_BitString
- ASN1::ASN1Type_OctetString
- ASN1::ASN1Type_NullVal
- ASN1::ASN1Type_ObjectIdentifier
- ASN1::ASN1Type_ObjectDescriptor
- ASN1::ASN1Type_InstanceOf
- ASN1::ASN1Type_Real
- ASN1::ASN1Type_Enumerated
- ASN1::ASN1Type_EmbeddedPDV
- ASN1::ASN1Type_UTF8String
- ASN1::ASN1Type_RelativeOID
- ASN1::ASN1Type_Sequence
- ASN1::ASN1Type_Set
- ASN1::ASN1Type_NumericString
- ASN1::ASN1Type_PrintableString
- ASN1::ASN1Type_TeletextString
- ASN1::ASN1Type_VideotextString
- ASN1::ASN1Type_IA5String
- ASN1::ASN1Type_UTCTime
- ASN1::ASN1Type_GeneralizedTime
- ASN1::ASN1Type_GraphicString
- ASN1::ASN1Type_VisibleString
- ASN1::ASN1Type_GeneralString
- ASN1::ASN1Type_UniversalString
- ASN1::ASN1Type_CharacterString
- ASN1::ASN1Type_BMPString
- ASN1::ASN1Type_Undef
Events
- LDAP::message
- Type: event (c: connection, message_id: int, opcode: LDAP::ProtocolOpcode, result: LDAP::ResultCode, matched_dn: string, diagnostic_message: string, object: string, argument: string)
Event generated for each LDAPMessage (either direction).
- Parameters:
c – The connection.
message_id – The messageID element.
opcode – The protocolOp field in the message.
result – The result code if the message contains a result.
matched_dn – The DN if the message contains a result.
diagnostic_message – Diagnostic message if the LDAP message contains a result.
object – The object name this message refers to.
argument – Additional arguments this message includes.
- LDAP::bind_request
- Type: event (c: connection, message_id: int, version: int, name: string, auth_type: LDAP::BindAuthType, auth_info: string)
Event generated for each LDAPMessage containing a BindRequest.
- Parameters:
c – The connection.
message_id – The messageID element.
version – The version field in the BindRequest.
name – The name field in the BindRequest.
auth_type – The auth type field in the BindRequest.
auth_info – Additional information related to the used auth type.
- LDAP::search_request
- Type: event (c: connection, message_id: int, base_object: string, scope: LDAP::SearchScope, deref: LDAP::SearchDerefAlias, size_limit: int, time_limit: int, types_only: bool, filter: string, attributes: vector of string)
Event generated for each LDAPMessage containing a SearchRequest.
- Parameters:
c – The connection.
message_id – The messageID element.
base_object – The baseObject field in the SearchRequest.
scope – The scope field in the SearchRequest.
deref_alias – The derefAlias field in the SearchRequest.
size_limit – The sizeLimit field in the SearchRequest.
time_limit – The timeLimit field in the SearchRequest.
types_only – The typesOnly field in the SearchRequest.
filter – The string representation of the filter field in the SearchRequest.
attributes – Additional attributes of the SearchRequest.
- LDAP::search_result_entry
- Type: event (c: connection, message_id: int, object_name: string)
Event generated for each SearchResultEntry in LDAP messages.
- Parameters:
c – The connection.
message_id – The messageID element.
object_name – The object name in the SearchResultEntry.
- LDAP::extended_request
- Type: event (c: connection, message_id: int, request_name: string, request_value: string)
Event generated for each ExtendedRequest in LDAP messages.
- Parameters:
c – The connection.
message_id – The messageID element.
request_name – The name of the extended request.
request_value – The value of the extended request (empty if missing).
- LDAP::extended_response
- Type: event (c: connection, message_id: int, result: LDAP::ResultCode, response_name: string, response_value: string)
Event generated for each ExtendedResponse in LDAP messages.
- Parameters:
c – The connection.
message_id – The messageID element.
result – The result code of the response.
response_name – The name of the extended response (empty if missing).
response_value – The value of the extended response (empty if missing).
- LDAP::starttls
- Type: event (c: connection)
Event generated when a plaintext LDAP connection switched to TLS.
- Parameters:
c – The connection.
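The three search-related events above share the messageID, which is what lets a script correlate a SearchRequest with the entries it returns. The script below (an added example for this page, not Zeek's own code) tracks outstanding searches per connection, counts SearchResultEntry messages per messageID, and raises a notice when the LDAP::message carrying SEARCH_RESULT_DONE closes a search that returned an unusually large number of entries. The module name, record type, notice type and threshold are assumptions.

```zeek
##! Added example (not part of Zeek): correlate LDAP search requests with
##! the entries they return, keyed on the LDAP messageID, and notice when
##! a single search returns many entries.

@load base/frameworks/notice

module LDAP_SearchVolume;

export {
    redef enum Notice::Type += {
        ## A single LDAP search returned at least entry_threshold entries.
        Large_Search_Result
    };

    ## Threshold is an assumption for this example; tune for your directory.
    const entry_threshold: count = 1000 &redef;
}

## What we remember about an outstanding search.
type Search: record {
    base_object: string;
    filter: string;
    entries: count &default=0;
};

## Outstanding searches are stored on the connection record so that the
## state disappears together with the connection.
redef record connection += {
    ldap_searches: table[int] of Search &optional;
};

event LDAP::search_request(c: connection, message_id: int, base_object: string,
                           scope: LDAP::SearchScope, deref: LDAP::SearchDerefAlias,
                           size_limit: int, time_limit: int, types_only: bool,
                           filter: string, attributes: vector of string)
    {
    if ( ! c?$ldap_searches )
        c$ldap_searches = table();

    c$ldap_searches[message_id] = Search($base_object=base_object, $filter=filter);
    }

event LDAP::search_result_entry(c: connection, message_id: int, object_name: string)
    {
    # Entries for a search we never saw the request of are ignored.
    if ( c?$ldap_searches && message_id in c$ldap_searches )
        ++c$ldap_searches[message_id]$entries;
    }

event LDAP::message(c: connection, message_id: int, opcode: LDAP::ProtocolOpcode,
                    result: LDAP::ResultCode, matched_dn: string,
                    diagnostic_message: string, object: string, argument: string)
    {
    # SEARCH_RESULT_DONE terminates the search with this messageID.
    if ( opcode != LDAP::ProtocolOpcode_SEARCH_RESULT_DONE )
        return;

    if ( ! c?$ldap_searches || message_id !in c$ldap_searches )
        return;

    local s = c$ldap_searches[message_id];
    delete c$ldap_searches[message_id];

    if ( s$entries >= entry_threshold )
        NOTICE([$note=Large_Search_Result,
                $conn=c,
                $msg=fmt("LDAP search base='%s' filter='%s' returned %d entries (result %s)",
                         s$base_object, s$filter, s$entries, result),
                $identifier=cat(c$id$orig_h, s$base_object, s$filter),
                $suppress_for=1 hr]);
    }
```

Since LDAP::starttls marks the point after which the analyzer no longer sees plaintext, any search this script observes was carried in the clear.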
Zeek::Login
Telnet/Rsh/Rlogin analyzers
Components
Analyzer::ANALYZER_CONTENTS_RLOGIN
Events
- rsh_request
- Type: event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
- Parameters:
c – The connection.
client_user – The client-side user name as sent in the initial protocol handshake.
server_user – The server-side user name as sent in the initial protocol handshake.
line – The command line sent in the request.
new_session – True if this is the first command of the Rsh session.
See also: rsh_reply, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Note
For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- rsh_reply
- Type: event (c: connection, client_user: string, server_user: string, line: string)
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
- Parameters:
c – The connection.
client_user – The client-side user name as sent in the initial protocol handshake.
server_user – The server-side user name as sent in the initial protocol handshake.
line – The command line sent in the request.
See also: rsh_request, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Note
For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- login_failure
Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.
- Parameters:
c – The connection.
user – The user name tried.
client_user – For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
password – The password tried.
line – The line of text that led the analyzer to conclude that the authentication had failed.
See also: login_confused, login_confused_text, login_display, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_success
Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.
- Parameters:
c – The connection.
user – The user name used.
client_user – For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
password – The password used.
line – The line of text that led the analyzer to conclude that the authentication had succeeded.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_input_line
- Type: event (c: connection, line: string)
Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
- Parameters:
c – The connection.
line – The input line.
See also: login_confused, login_confused_text, login_display, login_failure, login_output_line, login_prompt, login_success, login_terminal, rsh_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_output_line
- Type: event (c: connection, line: string)
Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
- Parameters:
c – The connection.
line – The output line.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_prompt, login_success, login_terminal, rsh_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_confused
- Type: event (c: connection, msg: string, line: string)
Generated when tracking of Telnet/Rlogin authentication failed. As Zeek’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.
- Parameters:
c – The connection.
msg – Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them).
line – The line of text that caused the heuristics to conclude they were confused.
See also: login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_confused_text
- Type: event (c: connection, line: string)
Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this event for every line of user input after it has reported login_confused for a connection.
- Parameters:
c – The connection.
line – The line the user typed.
See also: login_confused, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_terminal
- Type: event (c: connection, terminal: string)
Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
- Parameters:
c – The connection.
terminal – The TERM value transmitted.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_display
- Type: event (c: connection, display: string)
Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
- Parameters:
c – The connection.
display – The DISPLAY transmitted.
See also: login_confused, login_confused_text, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- authentication_accepted
- Type: event (name: string, c: connection)
Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
- Parameters:
name – The authenticated name.
c – The connection.
See also: authentication_rejected, authentication_skipped, login_success
Note
This event inspects the corresponding Telnet option while login_success heuristically determines success by watching session data.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- authentication_rejected
- Type:
event
(name:string
, c:connection
)
Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
- Parameters:
name – The attempted authentication name.
c – The connection.
See also:
authentication_accepted
,authentication_skipped
,login_failure
Note
This event inspects the corresponding Telnet option while
login_success
heuristically determines failure by watching session data.Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to
Analyzer::register_for_ports
or a DPD payload signature.
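The enabling step from the Todo above combined with the two authentication events, as an added example that is not part of the Zeek documentation or the project's scripts: it attaches the Telnet analyzer to a port and raises a notice once one originator accumulates several rejected logins. The port set (23/tcp), the notice name, the threshold of 5 and the module name are assumptions chosen for illustration; the login analyzer's own pattern configuration still has to be in place, as the page notes below.

```zeek
# Added example, not part of the Zeek documentation. Activates the Telnet
# analyzer explicitly (it is not active by default) and counts rejected
# Telnet authentications per originator. Assumed values: 23/tcp, threshold 5,
# notice name Telnet_Auth_Failures.
@load base/frameworks/notice

module TelnetAuthMon;

export {
	redef enum Notice::Type += {
		## One host accumulated many rejected Telnet authentications.
		Telnet_Auth_Failures,
	};

	## Ports on which the Telnet analyzer is attached (assumption).
	const telnet_ports: set[port] = { 23/tcp } &redef;

	## Rejections per originator before a notice is raised (assumption).
	const failure_threshold = 5 &redef;
}

## Rejected authentication attempts per originator address; entries
## expire an hour after creation so the table cannot grow without bound.
global rejections: table[addr] of count &default=0 &create_expire=1hr;

event zeek_init()
	{
	# The page's Todo: the analyzer is not enabled by default, so bind it
	# to the Telnet ports here (the alternative is a DPD payload signature).
	Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, telnet_ports);
	}

event authentication_rejected(name: string, c: connection)
	{
	local h = c$id$orig_h;
	rejections[h] += 1;

	# Raise exactly once per originator when the threshold is reached;
	# the identifier lets the notice framework suppress repeats.
	if ( rejections[h] == failure_threshold )
		NOTICE([$note=Telnet_Auth_Failures,
		        $conn=c,
		        $msg=fmt("%s had %d Telnet authentications rejected, last name '%s'",
		                 h, rejections[h], name),
		        $identifier=cat(h)]);
	}

event authentication_accepted(name: string, c: connection)
	{
	# A success that follows earlier rejections from the same host is
	# the case a responder wants to see first.
	local h = c$id$orig_h;
	if ( rejections[h] > 0 )
		Reporter::info(fmt("Telnet login as '%s' from %s accepted after %d rejections",
		                   name, h, rejections[h]));
	}
```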
- authentication_skipped
- Type: event (c: connection)
Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.
See Wikipedia for more information about the Telnet protocol.
- Parameters:
c – The connection.
See also: authentication_accepted, authentication_rejected, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_prompt
- Type: event (c: connection, prompt: string)
Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
See Wikipedia for more information about the Telnet protocol.
- Parameters:
c – The connection.
prompt – The TTYPROMPT transmitted.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_success, login_terminal
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- activating_encryption
- Type: event (c: connection)
Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
- Parameters:
c – The connection.
See also: authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
- inconsistent_option
- Type: event (c: connection)
Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.
See Wikipedia for more information about the Telnet protocol.
- Parameters:
c – The connection.
See also: bad_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
- bad_option
- Type: event (c: connection)
Generated for an ill-formed or unrecognized Telnet option.
See Wikipedia for more information about the Telnet protocol.
- Parameters:
c – The connection.
See also: inconsistent_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- bad_option_termination
- Type: event (c: connection)
Generated for a Telnet option that’s incorrectly terminated.
See Wikipedia for more information about the Telnet protocol.
- Parameters:
c – The connection.
See also: inconsistent_option, bad_option, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
Functions
- get_login_state
Returns the state of the given login (Telnet or Rlogin) connection.
- Parameters:
cid – The connection ID.
- Returns:
False if the connection is not active or is not tagged as a login analyzer. Otherwise the function returns the state, which can be one of:
- LOGIN_STATE_AUTHENTICATE: The connection is in its initial authentication dialog.
- LOGIN_STATE_LOGGED_IN: The analyzer believes the user has successfully authenticated.
- LOGIN_STATE_SKIP: The analyzer has skipped any further processing of the connection.
- LOGIN_STATE_CONFUSED: The analyzer has concluded that it does not correctly know the state of the connection, and/or the username associated with it.
See also: set_login_state
- set_login_state
Sets the login state of a connection with a login analyzer.
- Parameters:
cid – The connection ID.
new_state – The new state of the login analyzer. See get_login_state for possible values.
- Returns:
Returns false if cid is not an active connection or is not tagged as a login analyzer, and true otherwise.
See also: get_login_state
Zeek::MIME
MIME parsing
Components
Options/Constants
- MIME::max_depth
Stop analysis of nested multipart MIME entities if this depth is reached. Setting this value to 0 removes the limit.
Events
- mime_begin_entity
- Type: event (c: connection)
Generated when starting to parse an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Zeek raises this event when it begins parsing a MIME entity extracted from an email protocol.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
See also: mime_all_data, mime_all_headers, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, http_begin_entity
Note
Zeek also extracts MIME entities from HTTP sessions. For those, however, it raises http_begin_entity instead.
- mime_end_entity
- Type: event (c: connection)
Generated when finishing parsing an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Zeek raises this event when it has finished parsing a MIME entity extracted from an email protocol.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, http_end_entity
Note
Zeek also extracts MIME entities from HTTP sessions. For those, however, it raises http_end_entity instead.
- mime_one_header
- Type: event (c: connection, h: mime_header_rec)
Generated for individual MIME headers extracted from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
h – The parsed MIME header.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_segment_data, http_header, http_all_headers
Note
Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.
- mime_all_headers
- Type: event (c: connection, hlist: mime_header_list)
Generated for MIME headers extracted from email MIME entities, passing all headers at once. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
hlist – A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).
See also: mime_all_data, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, http_header, http_all_headers
Note
Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.
- mime_segment_data
- Type: event (c: connection, length: count, data: string)
Generated for chunks of decoded MIME data from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. As Zeek parses the data of an entity, it raises a sequence of these events, each coming as soon as a new chunk of data is available. In contrast, there is also mime_entity_data, which passes all of an entity’s data at once in a single block. While the latter is more convenient to handle, mime_segment_data is more efficient as Zeek does not need to buffer the data. Thus, if possible, this event should be preferred.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
length – The length of data.
data – The raw data of one segment of the current entity.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, http_entity_data, mime_segment_length, mime_segment_overlap_length
Note
Zeek also extracts MIME data from HTTP sessions. For those, however, it raises http_entity_data (sic!) instead.
- mime_entity_data
- Type: event (c: connection, length: count, data: string)
Generated for data decoded from an email MIME entity. This event delivers the complete content of a single MIME entity with the quoted-printable and base64 data decoded. In contrast, there is also mime_segment_data, which passes on a sequence of data chunks as they come in. While mime_entity_data is more convenient to handle, mime_segment_data is more efficient as Zeek does not need to buffer the data. Thus, if possible, the latter should be preferred.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
length – The length of data.
data – The raw data of the complete entity.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_event, mime_one_header, mime_segment_data
Note
While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.
- mime_all_data
- Type: event (c: connection, length: count, data: string)
Generated for passing on all data decoded from a single email MIME message. If an email message has more than one MIME entity, this event combines all their data into a single value for analysis. Note that because of the potentially significant buffering necessary, using this event can be expensive.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
length – The length of data.
data – The raw data of all MIME entities concatenated.
See also: mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data
Note
While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.
- mime_event
- Type: event (c: connection, event_type: string, detail: string)
Generated for errors found when decoding email MIME entities.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
event_type – A string describing the general category of the problem found (e.g., illegal format).
detail – A more detailed description of the error.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_one_header, mime_segment_data, http_event
Note
Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_event instead.
- mime_content_hash
- Type: event (c: connection, content_len: count, hash_value: string)
Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. Zeek computes the MD5 over the complete decoded data of each MIME entity.
Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.
- Parameters:
c – The connection.
content_len – The length of the entity being hashed.
hash_value – The MD5 hash.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data
Note
While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.
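The streaming pattern the page recommends (mime_segment_data rather than mime_entity_data), the per-header event, the content hash and the MIME::max_depth option used together, as an added example that is not from the Zeek documentation or project: it keeps lightweight per-entity bookkeeping, never buffers entity data in script land, and raises a notice for entities whose Content-Type is on a watch list. The watched types, the depth limit of 10, the notice name and the module name are assumptions; the bookkeeping also assumes mime_content_hash arrives before mime_end_entity for the same entity.

```zeek
# Added example, not part of the Zeek documentation. Per-entity bookkeeping
# for email MIME entities using the streaming events. Assumed values: the
# watched content types, MIME::max_depth = 10, notice name
# Mime_Watched_Content_Type.
@load base/frameworks/notice

module MimeMon;

export {
	redef enum Notice::Type += {
		## An email MIME entity carried a watched Content-Type.
		Mime_Watched_Content_Type,
	};

	## Content types worth flagging (assumption; constructed list).
	const watched_types: set[string] = {
		"application/x-msdownload",
		"application/x-dosexec",
	} &redef;
}

## What we remember about the entity currently being parsed on a connection.
## Nested entities share the connection key, so an inner entity replaces the
## record of its parent until it ends (sufficient for per-leaf reporting).
type EntityInfo: record {
	content_type: string &default="";
	bytes: count &default=0;
	segments: count &default=0;
};

global entities: table[string] of EntityInfo;

# Bound the nesting the analyzer follows (the page's MIME::max_depth option);
# deeply nested multiparts otherwise cost parsing time for little value.
redef MIME::max_depth = 10;

event mime_begin_entity(c: connection)
	{
	entities[c$uid] = EntityInfo($bytes=0, $segments=0);
	}

event mime_one_header(c: connection, h: mime_header_rec)
	{
	# Header names are case-insensitive in MIME; normalize before comparing.
	if ( c$uid in entities && to_lower(h$name) == "content-type" )
		entities[c$uid]$content_type = to_lower(h$value);
	}

event mime_segment_data(c: connection, length: count, data: string)
	{
	# Streaming: account for each chunk as it arrives and drop it; nothing
	# is accumulated, which is why the page prefers this event.
	if ( c$uid in entities )
		{
		local e = entities[c$uid];
		e$bytes += length;
		e$segments += 1;
		}
	}

event mime_content_hash(c: connection, content_len: count, hash_value: string)
	{
	# Zeek already computed the MD5 over the fully decoded entity; hex-encode
	# the digest for logging. Content-Type may carry parameters
	# ("...; name=x"), so match the watched type as a substring.
	if ( c$uid !in entities )
		return;

	local ct = entities[c$uid]$content_type;
	for ( t in watched_types )
		if ( t in ct )
			NOTICE([$note=Mime_Watched_Content_Type,
			        $conn=c,
			        $msg=fmt("%s, %d bytes, md5 %s", ct, content_len,
			                 bytestring_to_hexstr(hash_value))]);
	}

event mime_end_entity(c: connection)
	{
	if ( c$uid !in entities )
		return;

	local e = entities[c$uid];
	Reporter::info(fmt("MIME entity on %s: type=%s bytes=%d segments=%d",
	                   c$uid, e$content_type, e$bytes, e$segments));
	delete entities[c$uid];
	}
```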
Zeek::Modbus
Modbus analyzer
Components
Events
- modbus_message
- Type: event (c: connection, headers: ModbusHeaders, is_orig: bool)
Generated for any Modbus message, regardless of whether the particular function is further supported or not.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
is_orig – True if the event is raised for the originator side.
- modbus_exception
- Type: event (c: connection, headers: ModbusHeaders, code: count)
Generated for any Modbus exception message.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
code – The exception code.
- modbus_read_coils_request
- Type: event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
Generated for a Modbus read coils request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The memory address of the first coil to be read.
quantity – The number of coils to be read.
- modbus_read_coils_response
- Type: event (c: connection, headers: ModbusHeaders, coils: ModbusCoils)
Generated for a Modbus read coils response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
coils – The coil values returned from the device.
- modbus_read_discrete_inputs_request
- Type: event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
Generated for a Modbus read discrete inputs request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The memory address of the first coil to be read.
quantity – The number of coils to be read.
- modbus_read_discrete_inputs_response
- Type: event (c: connection, headers: ModbusHeaders, coils: ModbusCoils)
Generated for a Modbus read discrete inputs response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
coils – The coil values returned from the device.
- modbus_read_holding_registers_request
- Type: event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
Generated for a Modbus read holding registers request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The memory address of the first register to be read.
quantity – The number of registers to be read.
- modbus_read_holding_registers_response
- Type: event (c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
Generated for a Modbus read holding registers response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
registers – The register values returned from the device.
- modbus_read_input_registers_request
- Type: event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
Generated for a Modbus read input registers request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The memory address of the first register to be read.
quantity – The number of registers to be read.
- modbus_read_input_registers_response
- Type: event (c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
Generated for a Modbus read input registers response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
registers – The register values returned from the device.
- modbus_write_single_coil_request
- Type: event (c: connection, headers: ModbusHeaders, address: count, value: bool)
Generated for a Modbus write single coil request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
address – The memory address of the coil to be written.
value – The value to be written to the coil.
- modbus_write_single_coil_response
- Type: event (c: connection, headers: ModbusHeaders, address: count, value: bool)
Generated for a Modbus write single coil response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
address – The memory address of the coil that was written.
value – The value that was written to the coil.
- modbus_write_single_register_request
- Type: event (c: connection, headers: ModbusHeaders, address: count, value: count)
Generated for a Modbus write single register request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
address – The memory address of the register to be written.
value – The value to be written to the register.
- modbus_write_single_register_response
- Type: event (c: connection, headers: ModbusHeaders, address: count, value: count)
Generated for a Modbus write single register response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
address – The memory address of the register that was written.
value – The value that was written to the register.
- modbus_write_multiple_coils_request
- Type: event (c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils)
Generated for a Modbus write multiple coils request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The memory address of the first coil to be written.
coils – The values to be written to the coils.
- modbus_write_multiple_coils_response
- Type: event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
Generated for a Modbus write multiple coils response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The memory address of the first coil that was written.
quantity – The quantity of coils that were written.
- modbus_write_multiple_registers_request
- Type: event (c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters)
Generated for a Modbus write multiple registers request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The memory address of the first register to be written.
registers – The values to be written to the registers.
- modbus_write_multiple_registers_response
- Type: event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
Generated for a Modbus write multiple registers response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The memory address of the first register that was written.
quantity – The quantity of registers that were written.
- modbus_read_file_record_request
- Type: event (c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileRecordRequests)
Generated for a Modbus read file record request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
byte_count – The full byte count for all of the reference records that follow.
refs – A vector of reference records.
- modbus_read_file_record_response
- Type: event (c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileRecordResponses)
Generated for a Modbus read file record response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
byte_count – The full byte count for all of the reference records that follow.
refs – A vector of reference records.
- modbus_write_file_record_request
- Type: event (c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileReferences)
Generated for a Modbus write file record request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
byte_count – The full byte count for all of the reference records that follow.
refs – A vector of reference records.
- modbus_write_file_record_response
- Type: event (c: connection, headers: ModbusHeaders, byte_count: count, refs: ModbusFileReferences)
Generated for a Modbus write file record response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
byte_count – The full byte count for all of the reference records that follow.
refs – A vector of reference records.
- modbus_mask_write_register_request
- Type: event (c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)
Generated for a Modbus mask write register request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
address – The memory address of the register where the masks should be applied.
and_mask – The value of the logical AND mask to apply to the register.
or_mask – The value of the logical OR mask to apply to the register.
- modbus_mask_write_register_response
- Type: event (c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)
Generated for a Modbus mask write register response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
address – The memory address of the register where the masks were applied.
and_mask – The value of the logical AND mask applied to the register.
or_mask – The value of the logical OR mask applied to the register.
- modbus_read_write_multiple_registers_request
- Type: event (c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters)
Generated for a Modbus read/write multiple registers request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
read_start_address – The memory address of the first register to be read.
read_quantity – The number of registers to read.
write_start_address – The memory address of the first register to be written.
write_registers – The values to be written to the registers.
- modbus_read_write_multiple_registers_response
- Type: event (c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters)
Generated for a Modbus read/write multiple registers response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
written_registers – The register values read from the registers specified in the request.
- modbus_read_fifo_queue_request
- Type: event (c: connection, headers: ModbusHeaders, start_address: count)
Generated for a Modbus read FIFO queue request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
start_address – The address of the FIFO queue to read.
- modbus_read_fifo_queue_response
- Type: event (c: connection, headers: ModbusHeaders, fifos: ModbusRegisters)
Generated for a Modbus read FIFO queue response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
fifos – The register values read from the FIFO queue on the device.
- modbus_diagnostics_request
- Type: event (c: connection, headers: ModbusHeaders, subfunction: count, data: string)
Generated for a Modbus Diagnostics request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
subfunction – The subfunction for the diagnostics request.
data – The data passed in the diagnostics request.
- modbus_diagnostics_response
- Type: event (c: connection, headers: ModbusHeaders, subfunction: count, data: string)
Generated for a Modbus Diagnostics response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
subfunction – The subfunction for the diagnostics response.
data – The data passed in the diagnostics response.
- modbus_encap_interface_transport_request
- Type: event (c: connection, headers: ModbusHeaders, mei_type: count, data: string)
Generated for a Modbus Encapsulated Interface Transport request.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
mei_type – The MEI type for the request.
data – The MEI type specific data passed in the request.
- modbus_encap_interface_transport_response
- Type: event (c: connection, headers: ModbusHeaders, mei_type: count, data: string)
Generated for a Modbus Encapsulated Interface Transport response.
- Parameters:
c – The connection.
headers – The headers for the modbus function.
mei_type – The MEI type for the response.
data – The MEI type specific data passed in the response.
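The write-type request events above, used together for a single detection, as an added example that is not from the Zeek documentation or project: every request that can change coil or register state is routed through one check that raises a notice when the originator is not on an allowlist of hosts expected to write, and exceptions are recorded for correlation. The allowlist address (10.0.0.5), the notice name and the module name are assumptions; the ModbusHeaders fields tid, uid and function_code are taken from Zeek's record definition.

```zeek
# Added example, not part of the Zeek documentation. Flags Modbus writes from
# hosts outside an allowlist. Assumed values: allowlist 10.0.0.5 (constructed),
# notice name Modbus_Unexpected_Write.
@load base/frameworks/notice
@load base/protocols/modbus

module ModbusWriteMon;

export {
	redef enum Notice::Type += {
		## A Modbus write request from a host not expected to change process state.
		Modbus_Unexpected_Write,
	};

	## Hosts permitted to issue Modbus writes (assumption; constructed value).
	const allowed_writers: set[addr] = { 10.0.0.5 } &redef;
}

## Shared check for every request that writes coils or registers.
function check_write(c: connection, headers: ModbusHeaders, what: string)
	{
	if ( c$id$orig_h in allowed_writers )
		return;

	# The identifier collapses repeats per (source, device, function code).
	NOTICE([$note=Modbus_Unexpected_Write,
	        $conn=c,
	        $msg=fmt("%s from %s to unit %d (fc %d, tid %d)", what, c$id$orig_h,
	                 headers$uid, headers$function_code, headers$tid),
	        $identifier=cat(c$id$orig_h, c$id$resp_h, headers$function_code)]);
	}

event modbus_write_single_coil_request(c: connection, headers: ModbusHeaders,
                                       address: count, value: bool)
	{
	check_write(c, headers, fmt("write single coil @%d = %s", address, value));
	}

event modbus_write_single_register_request(c: connection, headers: ModbusHeaders,
                                           address: count, value: count)
	{
	check_write(c, headers, fmt("write single register @%d = %d", address, value));
	}

event modbus_write_multiple_coils_request(c: connection, headers: ModbusHeaders,
                                          start_address: count, coils: ModbusCoils)
	{
	check_write(c, headers, fmt("write %d coils from @%d", |coils|, start_address));
	}

event modbus_write_multiple_registers_request(c: connection, headers: ModbusHeaders,
                                              start_address: count, registers: ModbusRegisters)
	{
	check_write(c, headers, fmt("write %d registers from @%d", |registers|, start_address));
	}

event modbus_mask_write_register_request(c: connection, headers: ModbusHeaders,
                                         address: count, and_mask: count, or_mask: count)
	{
	# The device stores (current AND and_mask) OR (or_mask AND NOT and_mask),
	# so a single request can flip individual bits without a prior read.
	check_write(c, headers, fmt("mask write register @%d and=0x%04x or=0x%04x",
	                            address, and_mask, or_mask));
	}

event modbus_read_write_multiple_registers_request(c: connection, headers: ModbusHeaders,
                                                   read_start_address: count, read_quantity: count,
                                                   write_start_address: count,
                                                   write_registers: ModbusRegisters)
	{
	# The combined function writes too; treat it like any other write.
	check_write(c, headers, fmt("read/write: write %d registers from @%d",
	                            |write_registers|, write_start_address));
	}

event modbus_exception(c: connection, headers: ModbusHeaders, code: count)
	{
	# Exceptions answering writes often mean the device rejected a request;
	# record them so they can be correlated with the notices above.
	Reporter::info(fmt("Modbus exception code %d from %s (fc %d, tid %d)",
	                   code, c$id$resp_h, headers$function_code, headers$tid));
	}
```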
Zeek::MQTT
Message Queuing Telemetry Transport v3.1.1 Protocol analyzer
Components
Types
- MQTT::ConnectMsg
- Type: record
- protocol_name: string – Protocol name.
- protocol_version: count – Protocol version.
- client_id: string – Identifies the Client to the Server.
- keep_alive: interval – The maximum time interval that is permitted to elapse between the point at which the Client finishes transmitting one Control Packet and the point it starts sending the next.
- clean_session: bool – The clean_session flag indicates if the server should or shouldn’t use a clean session or use existing previous session state.
- will_retain: bool – Specifies if the Will Message is to be retained when it is published.
- will_qos: count – Specifies the QoS level to be used when publishing the Will Message.
- will_topic: string &optional – Topic to publish the Will message to.
- will_msg: string &optional – The actual Will message to publish.
- username: string &optional – Username to use for authentication to the server.
- password: string &optional – Password to use for authentication to the server.
- MQTT::PublishMsg
- Type: record
- dup: bool – Indicates if this is the first attempt at publishing the message.
- qos: count – Indicates what level of QoS is enabled for this message.
- retain: bool – Indicates if the server should retain this message so that clients subscribing to the topic in the future will receive this message automatically.
- topic: string – Name of the topic the published message is directed into.
- payload: string – Payload of the published message.
- payload_len: count – The actual length of the payload in the case the payload field’s contents were truncated according to MQTT::max_payload_size.
Events
- mqtt_connect
- Type: event (c: connection, msg: MQTT::ConnectMsg)
Generated for MQTT “client requests a connection” messages.
- Parameters:
c – The connection.
msg – MQTT connect message fields.
- mqtt_connack
- Type: event (c: connection, msg: MQTT::ConnectAckMsg)
Generated for MQTT acknowledge connection messages.
- Parameters:
c – The connection.
msg – MQTT connect ack message fields.
- mqtt_publish
- Type: event (c: connection, is_orig: bool, msg_id: count, msg: MQTT::PublishMsg)
Generated for MQTT publish messages.
- Parameters:
c – The connection.
is_orig – Direction in which the message was sent.
msg – The MQTT publish message record.
- mqtt_puback
- Type: event (c: connection, is_orig: bool, msg_id: count)
Generated for MQTT publish acknowledgement messages.
- Parameters:
c – The connection.
is_orig – Direction in which the message was sent.
msg_id – The id value for the message.
- mqtt_pubrec
- Type: event (c: connection, is_orig: bool, msg_id: count)
Generated for MQTT publish received messages (QoS 2 publish received, part 1).
- Parameters:
c – The connection.
is_orig – Direction in which the message was sent.
msg_id – The id value for the message.
- mqtt_pubrel
- Type: event (c: connection, is_orig: bool, msg_id: count)
Generated for MQTT publish release messages (QoS 2 publish received, part 2).
- Parameters:
c – The connection.
is_orig – Direction in which the message was sent.
msg_id – The id value for the message.
- mqtt_pubcomp
- Type: event (c: connection, is_orig: bool, msg_id: count)
Generated for MQTT publish complete messages (QoS 2 publish received, part 3).
- Parameters:
c – The connection.
is_orig – Direction in which the message was sent.
msg_id – The id value for the message.
- mqtt_subscribe
- Type: event (c: connection, msg_id: count, topics: string_vec, requested_qos: index_vec)
Generated for MQTT subscribe messages.
- Parameters:
c – The connection.
is_orig – Direction in which the message was sent.
msg_id – The id value for the message.
topics – The topics being subscribed to.
requested_qos – The desired QoS option associated with each topic.
- mqtt_suback
- Type: event (c: connection, msg_id: count, granted_qos: count)
Generated for MQTT subscribe messages.
- Parameters:
c – The connection.
is_orig – Direction in which the message was sent.
msg_id – The id value for the message.
- mqtt_unsubscribe
- Type: event (c: connection, msg_id: count, topics: string_vec)
Generated for MQTT unsubscribe messages sent by the client.
- Parameters:
c – The connection.
msg_id – The id value for the message.
topics – The topics being unsubscribed from.
- mqtt_unsuback
- Type: event (c: connection, msg_id: count)
Generated for MQTT unsubscribe acknowledgements sent by the server.
- Parameters:
c – The connection.
msg_id – The id value for the message.
- mqtt_pingreq
- Type: event (c: connection)
Generated for MQTT ping requests sent by the client.
- Parameters:
c – The connection.
- mqtt_pingresp
- Type: event (c: connection)
Generated for MQTT ping responses sent by the server.
- Parameters:
c – The connection.
- mqtt_disconnect
- Type: event (c: connection)
Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.
- Parameters:
c – The connection.
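The MQTT::ConnectMsg optional credential fields, the subscribe topic vector and the PublishMsg payload/payload_len pair, exercised together as an added example that is not from the Zeek documentation or project: it flags CONNECTs without a username, subscriptions to the whole topic tree via the "#" multi-level wildcard, and publishes whose payload Zeek truncated at MQTT::max_payload_size. The notice names and the module name are assumptions; the script loads the MQTT policy script so the analyzer is attached to its ports.

```zeek
# Added example, not part of the Zeek documentation. MQTT hygiene checks on
# the connect, subscribe and publish events. Assumed values: the notice
# names MQTT_Anonymous_Connect and MQTT_Wildcard_Subscribe.
@load base/frameworks/notice
@load protocols/mqtt

module MqttMon;

export {
	redef enum Notice::Type += {
		## CONNECT carried no username, i.e. anonymous access to the broker.
		MQTT_Anonymous_Connect,
		## SUBSCRIBE used the multi-level wildcard over the whole topic tree.
		MQTT_Wildcard_Subscribe,
	};
}

## "#" is the MQTT multi-level wildcard; alone (or under the broker's $SYS
## tree) it subscribes the client to every topic the broker allows it to see.
function is_tree_wide(topic: string): bool
	{
	return topic == "#" || topic == "$SYS/#";
	}

event mqtt_connect(c: connection, msg: MQTT::ConnectMsg)
	{
	# username and password are &optional in ConnectMsg; absence of the
	# username means the client did not authenticate at all.
	if ( ! msg?$username )
		NOTICE([$note=MQTT_Anonymous_Connect,
		        $conn=c,
		        $msg=fmt("client_id '%s' (%s v%d, clean_session=%s, keep_alive=%s)",
		                 msg$client_id, msg$protocol_name, msg$protocol_version,
		                 msg$clean_session, msg$keep_alive),
		        $identifier=cat(c$id$orig_h, msg$client_id)]);
	}

event mqtt_subscribe(c: connection, msg_id: count, topics: string_vec,
                     requested_qos: index_vec)
	{
	# topics and requested_qos are parallel vectors: one QoS per topic filter.
	for ( i in topics )
		if ( is_tree_wide(topics[i]) )
			NOTICE([$note=MQTT_Wildcard_Subscribe,
			        $conn=c,
			        $msg=fmt("%s subscribed to '%s' (requested qos %d, msg_id %d)",
			                 c$id$orig_h, topics[i], requested_qos[i], msg_id),
			        $identifier=cat(c$id$orig_h, topics[i])]);
	}

event mqtt_publish(c: connection, is_orig: bool, msg_id: count, msg: MQTT::PublishMsg)
	{
	# payload_len is the on-the-wire size; payload itself may have been cut
	# at MQTT::max_payload_size, so compare the two before trusting payload.
	if ( msg$payload_len > |msg$payload| )
		Reporter::info(fmt("MQTT publish to '%s' from %s truncated: %d of %d bytes kept",
		                   msg$topic, is_orig ? "client" : "broker",
		                   |msg$payload|, msg$payload_len));
	}
```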
Zeek::MySQL
MySQL analyzer
Components
Events
- mysql_command_request
- Type:
event
(c:connection
, command:count
, arg:string
)
Generated for a command request from a MySQL client.
See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
command – The numerical code of the command issued.
arg – The argument for the command (empty string if not provided).
See also:
mysql_error
,mysql_ok
,mysql_server_version
,mysql_handshake
- mysql_change_user
- Type:
event
(c:connection
, username:string
)
Generated for a change user command from a MySQL client.
See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
username – The username supplied by the client
See also:
mysql_error
,mysql_ok
,mysql_server_version
,mysql_handshake
- mysql_error
- Type:
event
(c:connection
, code:count
, msg:string
)
Generated for an unsuccessful MySQL response.
See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
code – The error code.
msg – Any extra details about the error (empty string if not provided).
See also:
mysql_command_request
,mysql_ok
,mysql_server_version
,mysql_handshake
- mysql_ok
- Type: event (c: connection, affected_rows: count)
Generated for a successful MySQL response.
See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
affected_rows – The number of rows that were affected.
See also: mysql_command_request, mysql_error, mysql_server_version, mysql_handshake
- mysql_eof
- Type: event (c: connection, is_intermediate: bool)
Generated for a MySQL EOF packet.
See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
is_intermediate – True if this is an EOF packet between the column definition and the rows, false if a final EOF.
See also: mysql_command_request, mysql_error, mysql_server_version, mysql_handshake
- mysql_result_row
- Type: event (c: connection, row: string_vec)
Generated for each MySQL ResultsetRow response packet.
See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
row – The result row data.
See also: mysql_command_request, mysql_error, mysql_server_version, mysql_handshake, mysql_ok
- mysql_server_version
- Type: event (c: connection, ver: string)
Generated for the initial server handshake packet, which includes the MySQL server version.
See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
ver – The server version string.
See also: mysql_command_request, mysql_error, mysql_ok, mysql_handshake
- mysql_handshake
- Type: event (c: connection, username: string)
Generated for a client handshake response packet, which includes the username the client is attempting to connect as.
See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
username – The username supplied by the client.
See also: mysql_command_request, mysql_error, mysql_ok, mysql_server_version, mysql_ssl_request
- mysql_ssl_request
- Type: event (c: connection)
Generated for a short client handshake response packet with the CLIENT_SSL flag set. Usually the client will initiate a TLS handshake afterwards. See the MySQL documentation for more information about the MySQL protocol.
- Parameters:
c – The connection.
See also: mysql_handshake
- mysql_auth_plugin
- Type: event (c: connection, is_orig: bool, name: string, data: string)
Generated for information about plugin authentication within handshake packets.
- Parameters:
c – The connection.
is_orig – True if this is from the client, false if from the server.
name – Name of the authentication plugin.
data – The initial auth data. From the server, it is the concatenation of auth_plugin_data_part_1 and auth_plugin_data_part_2 in the handshake. For the client it is the auth_response in the handshake response.
See also: mysql_handshake, mysql_auth_switch_request, mysql_auth_more_data
- mysql_auth_switch_request
- Type: event (c: connection, name: string, data: string)
Generated for a server packet with an auth switch request.
- Parameters:
c – The connection.
name – The plugin name.
data – Initial authentication data for the plugin.
See also: mysql_handshake, mysql_auth_more_data
- mysql_auth_more_data
- Type: event (c: connection, is_orig: bool, data: string)
Generated for opaque authentication data exchanged between client and server after the client’s handshake packet, but before the server replied with an OK_Packet.
Data is specific to the plugin auth mechanism used by client and server.
- Parameters:
c – The connection.
is_orig – True if this is from the client, false if from the server.
data – More authentication data.
See also: mysql_handshake, mysql_auth_switch_request
Zeek::NCP
NCP analyzer
Components
Options/Constants
- NCP::max_frame_size
The maximum number of bytes to allocate when parsing NCP frames.
Events
- ncp_request
- Type: event (c: connection, frame_type: count, length: count, func: count)
Generated for NCP requests (Netware Core Protocol).
See Wikipedia for more information about the NCP protocol.
- Parameters:
c – The connection.
frame_type – The frame type, as specified by the protocol.
length – The length of the request body, excluding the frame header.
func – The requested function, as specified by the protocol.
See also: ncp_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- ncp_reply
- Type: event (c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
Generated for NCP replies (Netware Core Protocol).
See Wikipedia for more information about the NCP protocol.
- Parameters:
c – The connection.
frame_type – The frame type, as specified by the protocol.
length – The length of the request body, excluding the frame header.
req_frame – The frame type from the corresponding request.
req_func – The function code from the corresponding request.
completion_code – The reply’s completion code, as specified by the protocol.
See also: ncp_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Zeek::NetBIOS
NetBIOS analyzer support
Components
Events
- netbios_session_message
- Type: event (c: connection, is_orig: bool, msg_type: count, data_len: count)
Generated for all NetBIOS SSN and DGM messages. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters:
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
is_orig – True if the message was sent by the originator of the connection.
msg_type – The general type of message, as defined in Section 4.3.1 of RFC 1002.
data_len – The length of the message’s payload.
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_request
- Type: event (c: connection, msg: string)
Generated for NetBIOS messages of type session request. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters:
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_accepted
- Type: event (c: connection, msg: string)
Generated for NetBIOS messages of type positive session response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters:
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also: netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_rejected
- Type: event (c: connection, msg: string)
Generated for NetBIOS messages of type negative session response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters:
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_raw_message
- Type: event (c: connection, is_orig: bool, msg: string)
Generated for NetBIOS messages of type session message that are not carrying an SMB payload.
Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters:
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
is_orig – True if the message was sent by the originator of the connection.
msg – The raw payload of the message sent, excluding the common NetBIOS header (i.e., the user_data).
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
This is an oddly named event. In fact, it’s probably an odd event to have to begin with.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_ret_arg_resp
- Type: event (c: connection, msg: string)
Generated for NetBIOS messages of type retarget response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters:
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also: netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
This is an oddly named event.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- netbios_session_keepalive
- Type: event (c: connection, msg: string)
Generated for NetBIOS messages of type keep-alive. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.
- Parameters:
c – The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.
msg – The raw payload of the message sent, excluding the common NetBIOS header.
See also: netbios_session_accepted, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, decode_netbios_name, decode_netbios_name_type
Note
These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Functions
- decode_netbios_name
Decode a NetBIOS name. See https://jeffpar.github.io/kbarchive/kb/194/Q194203/.
- Parameters:
name – The encoded NetBIOS name, e.g., "FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF".
- Returns:
The decoded NetBIOS name, e.g., "THE NETBIOS NAM". An empty string is returned if the argument is not a valid NetBIOS encoding (though an encoding that would decode to something that includes only null-bytes or space-characters also yields an empty string).
See also: decode_netbios_name_type
- decode_netbios_name_type
Converts a NetBIOS name type to its corresponding numeric value. See https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_Suffixes.
- Parameters:
name – An encoded NetBIOS name.
- Returns:
The numeric value of name or 256 if it’s not a valid encoding.
See also: decode_netbios_name
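As an added example (not Zeek's own code), the Python below re-implements the first-level NetBIOS name encoding that the two functions above undo, including the split into a 15-byte name plus a 16th suffix byte that explains why the documented input decodes to "THE NETBIOS NAM" and not "THE NETBIOS NAME". The encode helper, the suffix table and the sample name "CORP" are constructed for this example, and the exact validity rules of Zeek's implementation are assumed rather than copied.

```python
# Added example, not Zeek's own code: a Python re-implementation of the
# first-level NetBIOS name encoding that decode_netbios_name and
# decode_netbios_name_type undo (RFC 1001 section 14.1). A raw NetBIOS name
# is 16 bytes; each byte is split into two nibbles and each nibble is sent
# as the ASCII letter 'A' + nibble, giving a 32-character string. The 16th
# byte is the name-type suffix, so 15 bytes of name remain, padded with
# spaces (or NULs) on the wire.
from typing import Optional, Tuple

NAME_LEN = 16                 # raw bytes per NetBIOS name, suffix included
ENCODED_LEN = 2 * NAME_LEN    # characters in the first-level encoding
INVALID_TYPE = 256            # decode_netbios_name_type's value for bad input

# Well-known suffixes (from the NetBIOS suffix list linked above).
NAME_TYPES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def _decode_raw(encoded: str) -> Optional[bytes]:
    """Return the 16 raw bytes behind a 32-char encoding, or None if invalid."""
    if len(encoded) != ENCODED_LEN:
        return None
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        # Only 'A'..'P' are legal: they encode the nibbles 0..15 (assumed rule).
        if not ("A" <= hi <= "P" and "A" <= lo <= "P"):
            return None
        out.append(((ord(hi) - ord("A")) << 4) | (ord(lo) - ord("A")))
    return bytes(out)


def decode_netbios_name(encoded: str) -> str:
    """Mirror of Zeek's decode_netbios_name: the 15-byte name with its padding
    removed, or '' for an invalid encoding or a name of only spaces and NULs."""
    raw = _decode_raw(encoded)
    if raw is None:
        return ""
    name = raw[: NAME_LEN - 1].rstrip(b" \x00")   # drop suffix, then padding
    return name.decode("latin-1")               # '' if nothing but padding


def decode_netbios_name_type(encoded: str) -> int:
    """Mirror of Zeek's decode_netbios_name_type: the suffix byte, or 256."""
    raw = _decode_raw(encoded)
    return INVALID_TYPE if raw is None else raw[NAME_LEN - 1]


def encode_netbios_name(name: str, name_type: int) -> str:
    """Inverse operation, used here to build test input: space-pad the name to
    15 bytes, append the suffix byte, and emit two letters per byte."""
    raw = name.encode("latin-1").ljust(NAME_LEN - 1, b" ")[: NAME_LEN - 1]
    raw += bytes([name_type & 0xFF])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def describe_netbios_name(encoded: str) -> Tuple[str, int, str]:
    """(name, suffix, meaning of the suffix) for a name seen in a session request."""
    name = decode_netbios_name(encoded)
    suffix = decode_netbios_name_type(encoded)
    if suffix == INVALID_TYPE:
        return name, suffix, "invalid encoding"
    return name, suffix, NAME_TYPES.get(suffix, f"unknown suffix 0x{suffix:02X}")


if __name__ == "__main__":
    # The example value from the decode_netbios_name documentation above.
    print(describe_netbios_name("FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"))
    # Constructed: a session request addressed to the domain controllers group.
    print(describe_netbios_name(encode_netbios_name("CORP", 0x1C)))
```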
Zeek::NTLM
NTLM analyzer
Components
Types
- NTLM::Negotiate
- Type: record
- flags: NTLM::NegotiateFlags
The negotiate flags.
- domain_name: string &optional
The domain name of the client, if known.
- workstation: string &optional
The machine name of the client, if known.
- version: NTLM::Version &optional
The Windows version information, if supplied.
- NTLM::Challenge
- Type: record
- flags: NTLM::NegotiateFlags
The negotiate flags.
- challenge: count
A 64-bit value that contains the NTLM challenge.
- target_name: string &optional
The server authentication realm. If the server is domain-joined, the name of the domain. Otherwise the server name. See flags.target_type_domain and flags.target_type_server.
- version: NTLM::Version &optional
The Windows version information, if supplied.
- target_info: NTLM::AVs &optional
Attribute-value pairs specified by the server.
- NTLM::Authenticate
- Type: record
- flags: NTLM::NegotiateFlags
The negotiate flags.
- domain_name: string &optional
The domain or computer name hosting the account.
- user_name: string &optional
The name of the user to be authenticated.
- workstation: string &optional
The name of the computer to which the user was logged on.
- session_key: string &optional
The session key.
- version: NTLM::Version &optional
The Windows version information, if supplied.
- response: string &optional
The client’s response for the challenge.
- NTLM::NegotiateFlags
- Type: record
- negotiate_56: bool
If set, requires 56-bit encryption.
- negotiate_key_exch: bool
If set, requests an explicit key exchange.
- negotiate_128: bool
If set, requests 128-bit session key negotiation.
- negotiate_version: bool
If set, requests the protocol version number.
- negotiate_target_info: bool
If set, indicates that the TargetInfo fields in the CHALLENGE_MESSAGE are populated.
- request_non_nt_session_key: bool
If set, requests the usage of the LMOWF function.
- negotiate_identify: bool
If set, requests an identify level token.
- negotiate_extended_sessionsecurity: bool
If set, requests usage of NTLM v2 session security. Note: NTLM v2 session security is actually NTLM v1.
- target_type_server: bool
If set, TargetName must be a server name.
- target_type_domain: bool
If set, TargetName must be a domain name.
- negotiate_always_sign: bool
If set, requests the presence of a signature block on all messages.
- negotiate_oem_workstation_supplied: bool
If set, the workstation name is provided.
- negotiate_oem_domain_supplied: bool
If set, the domain name is provided.
- negotiate_anonymous_connection: bool
If set, the connection should be anonymous.
- negotiate_ntlm: bool
If set, requests usage of NTLM v1.
- negotiate_lm_key: bool
If set, requests LAN Manager session key computation.
- negotiate_datagram: bool
If set, requests connectionless authentication.
- negotiate_seal: bool
If set, requests session key negotiation for message confidentiality.
- negotiate_sign: bool
If set, requests session key negotiation for message signatures.
- request_target: bool
If set, the TargetName field is present.
- negotiate_oem: bool
If set, requests OEM character set encoding.
- negotiate_unicode: bool
If set, requests Unicode character set encoding.
- NTLM::AVs
- Type: record
- nb_computer_name: string
The server’s NetBIOS computer name.
- nb_domain_name: string
The server’s NetBIOS domain name.
- dns_computer_name: string &optional
The FQDN of the computer.
- dns_domain_name: string &optional
The FQDN of the domain.
- dns_tree_name: string &optional
The FQDN of the forest.
- constrained_auth: bool &optional
Indicates to the client that the account authentication is constrained.
- timestamp: time &optional
The associated timestamp, if present.
- single_host_id: count &optional
Indicates that the client is providing a machine ID created at computer startup to identify the calling machine.
- target_name: string &optional
The SPN of the target server.
Events
- ntlm_negotiate
- Type: event (c: connection, negotiate: NTLM::Negotiate)
Generated for NTLM messages of type negotiate.
- Parameters:
c – The connection.
negotiate – The parsed data of the NTLM message. See init-bare for more details.
See also: ntlm_challenge, ntlm_authenticate
- ntlm_challenge
- Type: event (c: connection, challenge: NTLM::Challenge)
Generated for NTLM messages of type challenge.
- Parameters:
c – The connection.
challenge – The parsed data of the NTLM message. See init-bare for more details.
See also: ntlm_negotiate, ntlm_authenticate
- ntlm_authenticate
- Type:
event
(c:connection
, request:NTLM::Authenticate
)
Generated for NTLM messages of type authenticate.
- Parameters:
c – The connection.
request – The parsed data of the NTLM message. See init-bare for more details.
See also:
ntlm_negotiate
,ntlm_challenge
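As an added example, not Zeek's own code: the Python below decodes the raw 32-bit NegotiateFlags field of an NTLM message into the field names of the NTLM::NegotiateFlags record documented above, using the bit values from MS-NLMP section 2.2.2.5, and shows the kind of session-security check a handler for ntlm_negotiate or ntlm_challenge would apply to those flags. The two sample messages, the flag offsets per message type and the findings function are constructed for this example.

```python
# Added example, not Zeek's own code: decode the 32-bit NegotiateFlags field
# of an NTLM message into the field names of Zeek's NTLM::NegotiateFlags
# record (bit values from MS-NLMP section 2.2.2.5) and derive the
# session-security observations a defender would want from ntlm_negotiate.
import struct

# MS-NLMP bit values, keyed by the NTLM::NegotiateFlags field name.
NEGOTIATE_FLAG_BITS = {
    "negotiate_unicode": 0x00000001,
    "negotiate_oem": 0x00000002,
    "request_target": 0x00000004,
    "negotiate_sign": 0x00000010,
    "negotiate_seal": 0x00000020,
    "negotiate_datagram": 0x00000040,
    "negotiate_lm_key": 0x00000080,
    "negotiate_ntlm": 0x00000200,
    "negotiate_anonymous_connection": 0x00000800,
    "negotiate_oem_domain_supplied": 0x00001000,
    "negotiate_oem_workstation_supplied": 0x00002000,
    "negotiate_always_sign": 0x00008000,
    "target_type_domain": 0x00010000,
    "target_type_server": 0x00020000,
    "negotiate_extended_sessionsecurity": 0x00080000,
    "negotiate_identify": 0x00100000,
    "request_non_nt_session_key": 0x00400000,
    "negotiate_target_info": 0x00800000,
    "negotiate_version": 0x02000000,
    "negotiate_128": 0x20000000,
    "negotiate_key_exch": 0x40000000,
    "negotiate_56": 0x80000000,
}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Byte offset of NegotiateFlags in each message type (MS-NLMP 2.2.1.1-2.2.1.3):
# NEGOTIATE (1) right after MessageType, CHALLENGE (2) after TargetNameFields,
# AUTHENTICATE (3) after its six 8-byte field descriptors.
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}


def parse_negotiate_flags(raw: int) -> dict:
    """Map a raw 32-bit flags value to {record field name: bool}."""
    return {name: bool(raw & bit) for name, bit in NEGOTIATE_FLAG_BITS.items()}


def negotiate_flags_from_message(msg: bytes) -> dict:
    """Locate and decode NegotiateFlags in a raw NTLMSSP message (types 1-3)."""
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    offset = FLAGS_OFFSET.get(msg_type)
    if offset is None or len(msg) < offset + 4:
        raise ValueError(f"unsupported or truncated NTLM message type {msg_type}")
    (raw_flags,) = struct.unpack_from("<I", msg, offset)
    return parse_negotiate_flags(raw_flags)


def session_security_findings(flags: dict) -> list:
    """Observations worth logging from the flags a peer sends; constructed policy."""
    findings = []
    if flags["negotiate_anonymous_connection"]:
        findings.append("anonymous NTLM authentication requested")
    if flags["negotiate_lm_key"]:
        findings.append("LAN Manager session key requested")
    if not flags["negotiate_extended_sessionsecurity"]:
        findings.append("extended (NTLM v2) session security not requested")
    if not (flags["negotiate_sign"] or flags["negotiate_seal"]):
        findings.append("neither message signing nor sealing requested")
    if not flags["negotiate_128"]:
        findings.append("128-bit session key not requested")
    return findings


# Constructed NEGOTIATE_MESSAGE: signature, type 1, flags, then the 16 zero
# bytes of the (empty) DomainName and Workstation field descriptors.
MODERN_FLAGS = 0xA0088217  # unicode|oem|request_target|sign|ntlm|always_sign|ext_sess_sec|128|56
SAMPLE_NEGOTIATE = NTLMSSP_SIGNATURE + struct.pack("<II", 1, MODERN_FLAGS) + b"\x00" * 16

# Constructed CHALLENGE_MESSAGE (type 2) carrying a legacy-looking flag set.
LEGACY_FLAGS = 0x00000287  # unicode|oem|request_target|lm_key|ntlm
SAMPLE_CHALLENGE = (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
                    + b"\x00" * 8 + struct.pack("<I", LEGACY_FLAGS))

if __name__ == "__main__":
    for label, msg in (("negotiate", SAMPLE_NEGOTIATE), ("challenge", SAMPLE_CHALLENGE)):
        flags = negotiate_flags_from_message(msg)
        print(label, [n for n, v in flags.items() if v], session_security_findings(flags))
```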
Zeek::NTP
NTP analyzer
Components
Types
- NTP::StandardMessage
- Type: record
- stratum: count
This value mainly identifies the type of server (primary server, secondary server, etc.). Possible values, as in RFC 5905, are:
0 -> unspecified or invalid
1 -> primary server (e.g., equipped with a GPS receiver)
2-15 -> secondary server (via NTP)
16 -> unsynchronized
17-255 -> reserved
For stratum 0, a kiss_code can be given for debugging and monitoring.
- poll: interval
The maximum interval between successive messages.
- precision: interval
The precision of the system clock.
- root_delay: interval
Root delay. The total round-trip delay to the reference clock.
- root_disp: interval
Root Dispersion. The total dispersion to the reference clock.
- kiss_code: string &optional
For stratum 0, four-character ASCII string used for debugging and monitoring. Values are defined in RFC 1345.
- ref_id: string &optional
Reference ID. For stratum 1, this is the ID assigned to the reference clock by IANA. For example: GOES, GPS, GAL, etc. (see RFC 5905)
- ref_addr: addr &optional
Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
- ref_time: time
Reference timestamp. Time when the system clock was last set or correct.
- org_time: time
Origin timestamp. Time at the client when the request departed for the NTP server.
- rec_time: time
Receive timestamp. Time at the server when the request arrived from the NTP client.
- xmt_time: time
Transmit timestamp. Time at the server when the response departed.
- key_id: count &optional
Key used to designate a secret MD5 key.
- digest: string &optional
MD5 hash computed over the key followed by the NTP packet header and extension fields.
- num_exts: count &default = 0 &optional
Number of extension fields (which are not currently parsed).
NTP standard message as defined in RFC 5905 for modes 1-5. This record contains the standard fields used by the NTP protocol for standard synchronization operations.
- NTP::ControlMessage
- Type: record
- op_code: count
An integer specifying the command function. Values currently defined:
1 read status command/response
2 read variables command/response
3 write variables command/response
4 read clock variables command/response
5 write clock variables command/response
6 set trap address/port command/response
7 trap response
Other values are reserved.
- resp_bit: bool
The response bit. Set to zero for commands, one for responses.
- err_bit: bool
The error bit. Set to zero for normal response, one for error response.
- more_bit: bool
The more bit. Set to zero for last fragment, one for all others.
- sequence: count
The sequence number of the command or response.
- status: count
The current status of the system, peer or clock.
- association_id: count
A 16-bit integer identifying a valid association.
- data: string &optional
Message data for the command or response + Authenticator (optional).
- key_id: count &optional
This is an integer identifying the cryptographic key used to generate the message-authentication code.
- crypto_checksum: string &optional
This is a crypto-checksum computed by the encryption procedure.
NTP control message as defined in RFC 1119 for mode 6. This record contains the fields used by the NTP protocol for control operations.
- NTP::Mode7Message
- Type: record
- req_code: count
An implementation-specific code which specifies the operation to be (which has been) performed and/or the format and semantics of the data included in the packet.
- auth_bit: bool
The authenticated bit. If set, this packet is authenticated.
- sequence: count
For a multipacket response, contains the sequence number of this packet. 0 is the first in the sequence, 127 (or less) is the last. The More Bit must be set in all packets but the last.
- implementation: count
The number of the implementation this request code is defined by. An implementation number of zero is used for request codes/data formats which all implementations agree on. Implementation number 255 is reserved (for extensions, in case we run out).
- err: count
Must be 0 for a request. For a response, holds an error code relating to the request. If nonzero, the operation requested wasn’t performed.
0 - no error
1 - incompatible implementation number
2 - unimplemented request code
3 - format error (wrong data items, data size, packet size etc.)
4 - no data available (e.g. request for details on unknown peer)
5 - unknown
6 - unknown
7 - authentication failure (i.e. permission denied)
- data: string &optional
Rest of data.
NTP mode 7 message. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP official project. A mode 7 packet is used for exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration. For details see the documentation from the NTP official project, code v. ntp-4.2.8p13, in include/ntp_request.h.
- NTP::Message
- Type: record
- version: count
The NTP version number (1, 2, 3, 4).
- mode: count
The NTP mode being used. Possible values are:
1 - symmetric active
2 - symmetric passive
3 - client
4 - server
5 - broadcast
6 - NTP control message
7 - reserved for private use
- std_msg: NTP::StandardMessage &optional
If mode 1-5, the standard fields for synchronization operations are here. See RFC 5905.
- control_msg: NTP::ControlMessage &optional
If mode 6, the fields for control operations are here. See RFC 1119.
- mode7_msg: NTP::Mode7Message &optional
If mode 7, the fields for extra operations are here. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP official project. A mode 7 packet is used for exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration.
NTP message as defined in RFC 5905. Does include fields for mode 7, reserved for private use in RFC 5905, but used in some implementations for commands such as “monlist”.
Events
- ntp_message
- Type: event (c: connection, is_orig: bool, msg: NTP::Message)
Generated for all NTP messages. Unlike many of Zeek’s other events, this one is generated for both client-side and server-side messages.
See Wikipedia for more information about the NTP protocol.
- Parameters:
c – The connection record describing the corresponding UDP flow.
is_orig – True if the message was sent by the originator.
msg – The parsed NTP message.
Zeek::PIA
Analyzers implementing Dynamic Protocol
Components
Zeek::POP3
POP3 analyzer
Components
Options/Constants
- POP3::max_pending_commands
How many commands a POP3 client may have pending before Zeek forcefully removes the oldest.
Setting this value to 0 removes the limit.
- POP3::max_unknown_client_commands
How many invalid commands a POP3 client may use before Zeek starts raising analyzer violations.
Setting this value to 0 removes the limit.
Events
- pop3_request
- Type: event (c: connection, is_orig: bool, command: string, arg: string)
Generated for client-side commands on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
command – The command sent.
arg – The argument to the command.
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_reply
- Type: event (c: connection, is_orig: bool, cmd: string, msg: string)
Generated for server-side replies to commands on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
- Parameters:
c – The connection.
is_orig – True if the command was sent by the originator of the TCP connection.
cmd – The success indicator sent by the server. This corresponds to the first token on the line sent, and should be either OK or ERR.
msg – The textual description the server sent along with cmd.
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_request, pop3_unexpected
Todo
This event is receiving odd parameters, should unify.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_data
- Type: event (c: connection, is_orig: bool, data: string)
Generated for server-side multi-line responses on POP3 connections. POP3 connections use multi-line responses to send bulk data, such as the actual mails. This event is generated once for each line that’s part of such a response.
See Wikipedia for more information about the POP3 protocol.
- Parameters:
c – The connection.
is_orig – True if the data was sent by the originator of the TCP connection.
data – The data sent.
See also: pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_unexpected
- Type: event (c: connection, is_orig: bool, msg: string, detail: string)
Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds state transitions that do not conform to the protocol specification, or other situations it can’t handle, it raises this event.
See Wikipedia for more information about the POP3 protocol.
- Parameters:
c – The connection.
is_orig – True if the data was sent by the originator of the TCP connection.
msg – A textual description of the situation.
detail – The input that triggered the event.
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_starttls
- Type: event (c: connection)
Generated when a POP3 connection goes encrypted. While POP3 is by default a clear-text protocol, extensions exist to switch to encryption. This event is generated if that happens and the analyzer then stops processing the connection.
See Wikipedia for more information about the POP3 protocol.
- Parameters:
c – The connection.
See also: pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_login_success
- Type: event (c: connection, is_orig: bool, user: string, password: string)
Generated for successful authentications on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
- Parameters:
c – The connection.
is_orig – Always false.
user – The user name used for authentication. The event is only generated if a non-empty user name was used.
password – The password used for authentication.
See also: pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pop3_login_failure
- Type:
event
(c:connection
, is_orig:bool
, user:string
, password:string
)
Generated for unsuccessful authentications on POP3 connections.
See Wikipedia for more information about the POP3 protocol.
- Parameters:
c – The connection.
is_orig – Always false.
user – The user name attempted for authentication. The event is only generated if a non-empty user name was used.
password – The password attempted for authentication.
See also:
pop3_data
,pop3_login_success
,pop3_reply
,pop3_request
,pop3_unexpected
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
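Because the POP3 analyzer is not activated by default (see the Todo notes above), a script that wants these events must first attach the analyzer to a port. The script below is an added example, not part of Zeek's distribution: it registers POP3 on 110/tcp, raises a notice for every cleartext login and counts failed logins per client address. The module name, notice names, threshold and window are assumptions for this example. Once pop3_starttls fires for a connection, the analyzer stops and no login event can follow, so credentials exchanged after STLS are never reported.

```zeek
##! Added example (not part of Zeek): enable the POP3 analyzer and watch
##! cleartext logins. Notice names, threshold and window are assumptions.

@load base/frameworks/notice

module POP3Watch;

export {
	redef enum Notice::Type += {
		## A user name and password were sent over unencrypted POP3.
		Cleartext_Login,
		## Repeated failed POP3 logins from one client address.
		Bruteforce,
	};

	## Failed logins from one address before Bruteforce is raised.
	const failure_threshold = 5 &redef;

	## How long a client's failed-login count is remembered.
	const failure_window = 10min &redef;
}

# Failed logins per originator address; entries expire after failure_window.
global failures: table[addr] of count &default=0 &create_expire=failure_window;

event zeek_init()
	{
	# Zeek's default configuration does not activate the POP3 analyzer, so
	# attach it to the standard POP3 port; without this none of the
	# pop3_* events fire.
	Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, set(110/tcp));
	}

event pop3_login_success(c: connection, is_orig: bool, user: string, password: string)
	{
	# A successful login ends any failure run from this client.
	delete failures[c$id$orig_h];

	# The password is available here; deliberately keep it out of the notice.
	NOTICE([$note=Cleartext_Login, $conn=c,
	        $msg=fmt("cleartext POP3 login as %s to %s", user, c$id$resp_h),
	        $identifier=cat(c$id$orig_h, user),
	        $suppress_for=1day]);
	}

event pop3_login_failure(c: connection, is_orig: bool, user: string, password: string)
	{
	local src = c$id$orig_h;
	failures[src] += 1;

	# Raise once when the threshold is crossed; the table entry keeps
	# counting until it expires, so this does not fire on every attempt.
	if ( failures[src] == failure_threshold )
		NOTICE([$note=Bruteforce, $conn=c,
		        $msg=fmt("%d failed POP3 logins from %s within %s",
		                 failures[src], src, failure_window),
		        $sub=user,
		        $identifier=cat(src)]);
	}
```

Both login events expose the password as an argument; the example keeps it out of notice.log on purpose, since the log is usually shared more widely than the packet capture.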
Zeek::QUIC
QUIC analyzer
Components
Events
- QUIC::initial_packet
- Type:
event
(c:connection
, is_orig:bool
, version:count
, dcid:string
, scid:string
)
Generated for a QUIC Initial packet.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
- QUIC::retry_packet
- Type:
event
(c:connection
, is_orig:bool
, version:count
, dcid:string
, scid:string
, retry_token:string
, retry_integrity_tag:string
)
Generated for a QUIC Retry packet.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
retry_token – The Retry Token field.
retry_integrity_tag – The Retry Integrity Tag field.
- QUIC::handshake_packet
- Type:
event
(c:connection
, is_orig:bool
, version:count
, dcid:string
, scid:string
)
Generated for a QUIC Handshake packet.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
- QUIC::zero_rtt_packet
- Type:
event
(c:connection
, is_orig:bool
, version:count
, dcid:string
, scid:string
)
Generated for a QUIC 0-RTT packet.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
- QUIC::connection_close_frame
- Type:
event
(c:connection
, is_orig:bool
, version:count
, dcid:string
, scid:string
, error_code:count
, reason_phrase:string
)
Generated for a QUIC CONNECTION_CLOSE frame.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
error_code – Count indicating the reason for closing this connection.
reason_phrase – Additional diagnostic information for the closure.
Note
Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
- QUIC::unhandled_version
- Type:
event
(c:connection
, is_orig:bool
, version:count
, dcid:string
, scid:string
)
Generated for an unrecognized QUIC version.
- Parameters:
c – The connection.
is_orig – True if the packet is from the connection’s originator.
version – The Version field.
dcid – The Destination Connection ID field.
scid – The Source Connection ID field.
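The QUIC events above expose only the long-header fields that are visible before the handshake completes. The following script is an added example, not part of Zeek, showing how to build a small per-flow record from them: the version and DCID of the client's first Initial, the number of Retry packets the server answered with, and a notice for versions the analyzer cannot parse. The module name, log stream, record fields and the version-name table are assumptions; Zeek ships its own quic.log, which this does not replace.

```zeek
##! Added example (not part of Zeek): a small log built from the raw QUIC
##! events. Log name, record fields and version table are assumptions.

@load base/frameworks/notice

module QUICWatch;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## An Initial packet carried a version the analyzer does not parse.
		Unhandled_Version,
	};

	## Version numbers with a name: 0x00000001 is QUIC v1 (RFC 9000),
	## 0x6b3343cf is QUIC v2 (RFC 9369).
	const version_names: table[count] of string = {
		[0x00000001] = "v1",
		[0x6b3343cf] = "v2"
	} &redef;

	type Info: record {
		ts: time &log;
		uid: string &log;
		id: conn_id &log;
		## Version from the client's first Initial, as a name or hex.
		version: string &log;
		## Destination Connection ID the client chose for its first Initial.
		client_dcid: string &log;
		## Number of Retry packets the server answered with.
		retries: count &log &default=0;
	};
}

global flows: table[string] of Info;

function version_name(v: count): string
	{
	return v in version_names ? version_names[v] : fmt("0x%x", v);
	}

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="quic_watch"]);
	}

event QUIC::initial_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
	{
	# Only the client's first Initial matters: it carries the DCID the
	# Initial keys are derived from and the version being attempted.
	if ( ! is_orig || c$uid in flows )
		return;

	flows[c$uid] = Info($ts=network_time(), $uid=c$uid, $id=c$id,
	                    $version=version_name(version),
	                    $client_dcid=bytestring_to_hexstr(dcid));
	}

event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string, retry_token: string, retry_integrity_tag: string)
	{
	# A Retry is the server refusing to commit state until the client proves
	# it owns its source address; many of them suggest the server is under
	# load or validating addresses against spoofed Initials.
	if ( is_orig || c$uid !in flows )
		return;

	flows[c$uid]$retries += 1;
	}

event QUIC::unhandled_version(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
	{
	NOTICE([$note=Unhandled_Version, $conn=c,
	        $msg=fmt("QUIC version %s not parsed by Zeek", version_name(version)),
	        $identifier=cat(c$id$resp_h, version),
	        $suppress_for=1hr]);
	}

event connection_state_remove(c: connection)
	{
	if ( c$uid !in flows )
		return;

	Log::write(LOG, flows[c$uid]);
	delete flows[c$uid];
	}
```

The record is written when Zeek removes the connection, so a flow that never completes the handshake still produces a line; that is usually the interesting case, since a working QUIC session quickly becomes opaque to the analyzer.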
Zeek::RADIUS
RADIUS analyzer
Components
Types
- RADIUS::Attributes
- Type:
Events
- radius_message
- Type:
event
(c:connection
, result:RADIUS::Message
)
Generated for RADIUS messages.
See Wikipedia for more information about RADIUS.
- Parameters:
c – The connection.
result – A record containing fields parsed from a RADIUS packet.
- radius_attribute
- Type:
event
(c:connection
, attr_type:count
, value:string
)
Generated for each RADIUS attribute.
See Wikipedia for more information about RADIUS.
- Parameters:
c – The connection.
attr_type – The value of the code field (1 == User-Name, 2 == User-Password, etc.).
value – The data/value bound to the attribute.
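A practical use of the two RADIUS events is to pair each Access-Reject with the User-Name from its Access-Request and count rejects per NAS and user. The script below is an added example, not part of Zeek. It assumes the fields of RADIUS::Message used here (code, trans_id and the optional attributes table of vectors), which this reference page does not list; check your Zeek version's init-bare.zeek. The RADIUS codes and attribute numbers are those of RFC 2865; the module name, notice name and threshold are assumptions.

```zeek
##! Added example (not part of Zeek): count RADIUS Access-Rejects per NAS
##! and user. RADIUS::Message field names are assumed from Zeek's
##! init-bare.zeek; notice name and threshold are assumptions.

@load base/frameworks/notice

module RADIUSWatch;

export {
	redef enum Notice::Type += {
		## Many Access-Rejects for one user name from one NAS.
		Repeated_Reject,
	};

	## Rejects for one (NAS, user) pair before Repeated_Reject is raised.
	const reject_threshold = 10 &redef;
}

# Packet codes from RFC 2865 section 3 (not listed on this page).
const ACCESS_REQUEST = 1;
const ACCESS_ACCEPT = 2;
const ACCESS_REJECT = 3;

# Attribute types from RFC 2865 section 5.
const ATTR_USER_NAME = 1;
const ATTR_USER_PASSWORD = 2;

# User-Name of outstanding requests, keyed by flow uid and transaction id.
# A RADIUS "connection" in Zeek is the UDP 5-tuple between NAS and server,
# which carries many independent transactions.
global pending: table[string, count] of string &create_expire=30sec;

# Rejects per (NAS address, user name).
global rejects: table[addr, string] of count &default=0 &create_expire=10min;

event radius_message(c: connection, result: RADIUS::Message)
	{
	# Assumed RADIUS::Message fields: code, trans_id, attributes
	# (RADIUS::Attributes is table[count] of vector of string).
	if ( result$code == ACCESS_REQUEST )
		{
		if ( result?$attributes && ATTR_USER_NAME in result$attributes )
			pending[c$uid, result$trans_id] = result$attributes[ATTR_USER_NAME][0];
		return;
		}

	# Access-Reject carries no User-Name; recover it from the request with
	# the same identifier on the same flow.
	if ( result$code != ACCESS_REJECT || [c$uid, result$trans_id] !in pending )
		return;

	local user = pending[c$uid, result$trans_id];
	delete pending[c$uid, result$trans_id];

	local nas = c$id$orig_h;
	rejects[nas, user] += 1;

	if ( rejects[nas, user] == reject_threshold )
		NOTICE([$note=Repeated_Reject, $conn=c,
		        $msg=fmt("%d RADIUS rejects for %s via NAS %s", rejects[nas, user], user, nas),
		        $sub=user,
		        $identifier=cat(nas, user)]);
	}

event radius_attribute(c: connection, attr_type: count, value: string)
	{
	# User-Password (type 2) is not the cleartext password on the wire:
	# RFC 2865 hides it with MD5(shared secret || Request Authenticator),
	# padded to a multiple of 16 octets. Never log `value` as a credential;
	# a length that is not a multiple of 16 is a malformed attribute.
	if ( attr_type == ATTR_USER_PASSWORD && |value| % 16 != 0 )
		Reporter::warning(fmt("RADIUS User-Password of length %d in %s", |value|, c$uid));
	}
```

Access-Accept is left unhandled on purpose; the failure path is what matters for spotting password spraying through a NAS, and the pending table expiring after 30 seconds bounds memory if replies never arrive.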
Zeek::RDP
RDP analyzer
Components
Types
- RDP::ClientCoreData
- Type:
- version_major: count
- version_minor: count
- desktop_width: count
- desktop_height: count
- color_depth: count
- sas_sequence: count
- keyboard_layout: count
- client_build: count
- client_name: string
- keyboard_type: count
- keyboard_sub: count
- keyboard_function_key: count
- ime_file_name: string
- post_beta2_color_depth: count &optional
- client_product_id: count &optional
- serial_number: count &optional
- high_color_depth: count &optional
- supported_color_depths: count &optional
- ec_flags: RDP::EarlyCapabilityFlags &optional
- RDP::ClientSecurityData
- Type:
The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.
- encryption_methods: count
Cryptographic encryption methods supported by the client and used in conjunction with Standard RDP Security. Known flags:
0x00000001: support for 40-bit session encryption keys
0x00000002: support for 128-bit session encryption keys
0x00000008: support for 56-bit session encryption keys
0x00000010: support for FIPS compliant encryption and MAC methods
- ext_encryption_methods: count
Only used in the French locale and designates the encryption method. If non-zero, encryption_methods should be set to 0.
- RDP::ClientClusterData
- Type:
The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.
- flags: count
Cluster information flags.
- redir_session_id: count
If the redir_sessionid_field_valid flag is set, this field contains a valid session identifier to which the client requests to connect.
- redir_supported: bool
The client can receive server session redirection packets. If this flag is set, the svr_session_redir_version_mask field MUST contain the server session redirection version that the client supports.
- svr_session_redir_version_mask: count
The server session redirection version that the client supports.
- redir_sessionid_field_valid: bool
Whether the redir_session_id field identifies a session on the server to associate with the connection.
- redir_smartcard: bool
The client logged on with a smart card.
- RDP::ClientChannelList
- Type:
vector of RDP::ClientChannelDef
The list of channels requested by the client.
- RDP::ClientChannelDef
- Type:
Name and flags for a single channel requested by the client.
- name: string
A unique name for the channel.
- options: count
The raw channel definition options, as a count.
- initialized: bool
Absence of this flag indicates that this channel is a placeholder and that the server MUST NOT set it up.
- encrypt_rdp: bool
Unused, must be ignored by the server.
- encrypt_sc: bool
Unused, must be ignored by the server.
- encrypt_cs: bool
Unused, must be ignored by the server.
- pri_high: bool
Channel data must be sent with high MCS priority.
- pri_med: bool
Channel data must be sent with medium MCS priority.
- pri_low: bool
Channel data must be sent with low MCS priority.
- compress_rdp: bool
Virtual channel data must be compressed if RDP data is being compressed.
- compress: bool
Virtual channel data must be compressed.
- show_protocol: bool
Ignored by the server.
- persistent: bool
Channel must be persistent across remote control transactions.
Events
- rdpeudp_syn
- Type:
event
(c:connection
)
Generated for an RDPEUDP SYN UDP datagram.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
- rdpeudp_synack
- Type:
event
(c:connection
)
Generated for an RDPEUDP SYNACK UDP datagram.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
- rdpeudp_established
- Type:
event
(c:connection
, version:count
)
Generated when an RDPEUDP connection is established (both sides have sent a SYN).
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
version – The RDPEUDP protocol version negotiated (RDPEUDP1 or RDPEUDP2).
- rdpeudp_data
- Type:
event
(c:connection
, is_orig:bool
, version:count
, data:string
)
Generated for data messages exchanged after an RDPEUDP connection has been established.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
is_orig – True if the data was sent by the originator of the connection, false if by the responder.
version – The RDPEUDP protocol version negotiated (RDPEUDP1 or RDPEUDP2).
data – The payload of the packet. Handing every payload to script-land is expensive, so only handle this event if you actually need the data.
- rdp_native_encrypted_data
- Type:
event
(c:connection
, orig:bool
, len:count
)
Generated for each packet after RDP native encryption begins
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
orig – True if the packet was sent by the originator of the connection.
len – The length of the encrypted data.
- rdp_connect_request
- Type:
event
(c:connection
, cookie:string
, flags:count
)
- Type:
event
(c:connection
, cookie:string
)
Generated for X.224 Connection Request PDUs sent by the client. Two prototypes are available; a handler may use either, the second simply omits the flags.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
cookie – The cookie included in the request; empty if no cookie was provided.
flags – The flags set by the client.
- rdp_negotiation_response
- Type:
event
(c:connection
, security_protocol:count
, flags:count
)
- Type:
event
(c:connection
, security_protocol:count
)
Generated for RDP Negotiation Response messages. Two prototypes are available; a handler may use either, the second simply omits the flags.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
security_protocol – The security protocol selected by the server.
flags – The flags set by the server.
- rdp_negotiation_failure
- Type:
event
(c:connection
, failure_code:count
, flags:count
)
- Type:
event
(c:connection
, failure_code:count
)
Generated for RDP Negotiation Failure messages. Two prototypes are available; a handler may use either, the second simply omits the flags.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
failure_code – The failure code sent by the server.
flags – The flags set by the server.
- rdp_client_core_data
- Type:
event
(c:connection
, data:RDP::ClientCoreData
)
Generated for MCS client requests.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
data – The data contained in the client core data structure.
- rdp_client_security_data
- Type:
event
(c:connection
, data:RDP::ClientSecurityData
)
Generated for client security data packets.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
data – The data contained in the client security data structure.
- rdp_client_network_data
- Type:
event
(c:connection
, channels:RDP::ClientChannelList
)
Generated for Client Network Data (TS_UD_CS_NET) packets
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
channels – The channels that were requested
- rdp_client_cluster_data
- Type:
event
(c:connection
, data:RDP::ClientClusterData
)
Generated for client cluster data packets.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
data – The data contained in the client cluster data structure.
- rdp_gcc_server_create_response
- Type:
event
(c:connection
, result:count
)
Generated for MCS server responses.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
result – The 8-bit integer representing the GCC Conference Create Response result.
- rdp_server_security
- Type:
event
(c:connection
, encryption_method:count
, encryption_level:count
)
Generated for the server security data carried in MCS server responses (the GCC Conference Create Response).
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
encryption_method – The 32-bit integer representing the encryption method used in the connection.
encryption_level – The 32-bit integer representing the encryption level used in the connection.
- rdp_server_certificate
- Type:
event
(c:connection
, cert_type:count
, permanently_issued:bool
)
Generated for a server certificate section. If multiple X.509 certificates are included in the chain, this event is still generated only once.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
cert_type – Indicates the type of certificate.
permanently_issued – True if the certificate(s) are permanently issued (stored on the server) rather than temporary.
- rdp_begin_encryption
- Type:
event
(c:connection
, security_protocol:count
)
Generated when an RDP session becomes encrypted.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
security_protocol – The security protocol being used for the session.
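The RDP events above let a script judge how a session was protected before the analyzer loses visibility. The script below is an added example, not part of Zeek: it decodes the encryption_methods bitmask documented under RDP::ClientSecurityData, flags clients that offer only 40- or 56-bit keys, flags servers that select Standard RDP Security instead of TLS or CredSSP, and flags low encryption levels. The encryption_methods flag values are the ones listed on this page; the security_protocol and encryption_level values are taken from MS-RDPBCGR (sections 2.2.1.2.1 and 2.2.1.4.3) and are not listed here. The module name and notice names are assumptions.

```zeek
##! Added example (not part of Zeek): flag RDP sessions negotiated without
##! TLS/NLA or with weak session keys. Module and notice names are assumptions.

@load base/frameworks/notice

module RDPSecurity;

export {
	redef enum Notice::Type += {
		## The server selected Standard RDP Security (no TLS, no CredSSP).
		Standard_RDP_Security,
		## The client offered only 40- or 56-bit session keys.
		Weak_Client_Keys,
		## Standard RDP Security with encryption level none or low.
		Low_Encryption_Level,
	};
}

# ClientSecurityData encryption_methods bits, as listed in this reference.
const ENC_40BIT  = 0x00000001;
const ENC_128BIT = 0x00000002;
const ENC_56BIT  = 0x00000008;
const ENC_FIPS   = 0x00000010;

# security_protocol values from MS-RDPBCGR 2.2.1.2.1 (not on this page).
const PROTOCOL_RDP       = 0;  # Standard RDP Security
const PROTOCOL_SSL       = 1;  # TLS
const PROTOCOL_HYBRID    = 2;  # CredSSP (NLA) over TLS
const PROTOCOL_RDSTLS    = 4;
const PROTOCOL_HYBRID_EX = 8;

# encryption_level values from MS-RDPBCGR 2.2.1.4.3 (not on this page).
const LEVEL_NONE = 0;  # nothing encrypted
const LEVEL_LOW  = 1;  # only client-to-server data encrypted

function describe_methods(m: count): string
	{
	local names: vector of string = vector();
	if ( (m & ENC_40BIT) != 0 )  names[|names|] = "40-bit";
	if ( (m & ENC_56BIT) != 0 )  names[|names|] = "56-bit";
	if ( (m & ENC_128BIT) != 0 ) names[|names|] = "128-bit";
	if ( (m & ENC_FIPS) != 0 )   names[|names|] = "FIPS";
	return |names| == 0 ? "none" : join_string_vec(names, ",");
	}

event rdp_client_security_data(c: connection, data: RDP::ClientSecurityData)
	{
	local m = data$encryption_methods;

	# French-locale clients set encryption_methods to 0 and advertise
	# their methods in ext_encryption_methods instead.
	if ( m == 0 )
		m = data$ext_encryption_methods;

	if ( m != 0 && (m & (ENC_128BIT | ENC_FIPS)) == 0 )
		NOTICE([$note=Weak_Client_Keys, $conn=c,
		        $msg=fmt("RDP client %s offers only %s session keys",
		                 c$id$orig_h, describe_methods(m)),
		        $identifier=cat(c$id$orig_h)]);
	}

event rdp_negotiation_response(c: connection, security_protocol: count, flags: count)
	{
	if ( security_protocol == PROTOCOL_RDP )
		NOTICE([$note=Standard_RDP_Security, $conn=c,
		        $msg=fmt("RDP server %s selected Standard RDP Security (no TLS/NLA)",
		                 c$id$resp_h),
		        $identifier=cat(c$id$resp_h),
		        $suppress_for=1day]);
	}

event rdp_server_security(c: connection, encryption_method: count, encryption_level: count)
	{
	# Only seen when the session stayed on Standard RDP Security; with TLS
	# or CredSSP the MCS exchange is inside TLS and invisible to Zeek.
	if ( encryption_level == LEVEL_NONE || encryption_level == LEVEL_LOW )
		NOTICE([$note=Low_Encryption_Level, $conn=c,
		        $msg=fmt("RDP server %s uses encryption level %d with %s keys",
		                 c$id$resp_h, encryption_level,
		                 describe_methods(encryption_method)),
		        $identifier=cat(c$id$resp_h),
		        $suppress_for=1day]);
	}
```

A legacy client that sends no negotiation request gets no negotiation response, so the absence of Standard_RDP_Security does not prove TLS was used; rdp_server_security firing at all is the stronger signal that the session never upgraded.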
Zeek::RFB
RFB (VNC) analyzer
Components
Events
- rfb_authentication_type
- Type:
event
(c:connection
, authtype:count
)
Generated when the RFB authentication (security) type for the session has been selected.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
authtype – The value of the chosen authentication mechanism (the RFB security type).
- rfb_auth_result
- Type:
event
(c:connection
, result:bool
)
Generated for the RFB authentication result (SecurityResult) message.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
result – True if authentication succeeded, false otherwise.
- rfb_share_flag
- Type:
event
(c:connection
, flag:bool
)
Generated for the RFB ClientInit message, which carries the shared-flag.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
flag – True if the client set the shared-flag (asking the server to keep other clients connected), false if it asked for exclusive access.
- rfb_client_version
- Type:
event
(c:connection
, major_version:string
, minor_version:string
)
Generated for the RFB client banner (ProtocolVersion) message.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
major_version – The major part of the RFB protocol version announced by the client.
minor_version – The minor part of the RFB protocol version announced by the client.
- rfb_server_version
- Type:
event
(c:connection
, major_version:string
, minor_version:string
)
Generated for the RFB server banner (ProtocolVersion) message.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
major_version – The major part of the RFB protocol version announced by the server.
minor_version – The minor part of the RFB protocol version announced by the server.
- rfb_server_parameters
- Type:
event
(c:connection
, name:string
, width:count
, height:count
)
Generated for the RFB server parameter (ServerInit) message.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
name – The name of the shared screen.
width – The width of the shared screen, in pixels.
height – The height of the shared screen, in pixels.
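The RFB events are enough to spot the two things a defender usually cares about with VNC: servers that accept clients without any authentication, and clients hammering a server with failed passwords. The script below is an added example, not part of Zeek. The security type numbers come from RFC 6143 section 7.1.2 and are not listed on this page; the module name, notice names and threshold are assumptions. Note that with security type None an RFB 3.8 server still sends a SecurityResult, while 3.3 and 3.7 servers do not, so rfb_auth_result is not a reliable signal that a password was checked.

```zeek
##! Added example (not part of Zeek): notice on VNC servers that need no
##! authentication and on repeated authentication failures. Module name,
##! notice names and threshold are assumptions.

@load base/frameworks/notice

module RFBWatch;

export {
	redef enum Notice::Type += {
		## Client and server agreed on the "None" security type.
		No_Authentication,
		## Repeated VNC authentication failures from one client address.
		Auth_Failures,
	};

	## Failures from one address before Auth_Failures is raised.
	const failure_threshold = 5 &redef;
}

# RFB security types from RFC 6143 section 7.1.2 (not listed on this page).
const SECTYPE_INVALID  = 0;
const SECTYPE_NONE     = 1;
const SECTYPE_VNC_AUTH = 2;

# Protocol version announced by the server, e.g. "003.008", per connection.
global server_versions: table[string] of string &create_expire=5min;

# Failed authentications per originator address.
global failures: table[addr] of count &default=0 &create_expire=10min;

event rfb_server_version(c: connection, major_version: string, minor_version: string)
	{
	server_versions[c$uid] = fmt("%s.%s", major_version, minor_version);
	}

event rfb_authentication_type(c: connection, authtype: count)
	{
	if ( authtype != SECTYPE_NONE )
		return;

	local ver = c$uid in server_versions ? server_versions[c$uid] : "unknown";
	NOTICE([$note=No_Authentication, $conn=c,
	        $msg=fmt("VNC server %s (RFB %s) accepted %s without authentication",
	                 c$id$resp_h, ver, c$id$orig_h),
	        $identifier=cat(c$id$resp_h),
	        $suppress_for=1day]);
	}

event rfb_auth_result(c: connection, result: bool)
	{
	local src = c$id$orig_h;

	if ( result )
		{
		# A success ends the failure run from this client.
		delete failures[src];
		return;
		}

	failures[src] += 1;

	if ( failures[src] == failure_threshold )
		NOTICE([$note=Auth_Failures, $conn=c,
		        $msg=fmt("%d failed VNC authentications from %s to %s",
		                 failures[src], src, c$id$resp_h),
		        $identifier=cat(src)]);
	}
```

VNC Authentication (type 2) is a DES challenge-response with a password truncated to eight characters, so even a server that does require it deserves attention when it is reachable from untrusted networks; the No_Authentication notice only covers the worst case.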
Zeek::RPC
Analyzers for RPC-based protocols
Components
Analyzer::ANALYZER_CONTENTS_NFS
Events
- nfs_proc_null
- Type:
event
(c:connection
, info:NFS3::info_t
)
Generated for NFSv3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_getattr
- Type:
event
(c:connection
, info:NFS3::info_t
, fh:string
, attrs:NFS3::fattr_t
)
Generated for NFSv3 request/reply dialogues of type getattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
fh – The file handle of the object whose attributes are requested.
attrs – The attributes returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
,file_mode
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_sattr
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::sattrargs_t
, rep:NFS3::sattr_reply_t
)
Generated for NFSv3 request/reply dialogues of type sattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The attributes returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
,file_mode
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_lookup
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::diropargs_t
, rep:NFS3::lookup_reply_t
)
Generated for NFSv3 request/reply dialogues of type lookup. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_read
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::readargs_t
, rep:NFS3::read_reply_t
)
Generated for NFSv3 request/reply dialogues of type read. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
,NFS3::return_data
,NFS3::return_data_first_only
,NFS3::return_data_max
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_readlink
- Type:
event
(c:connection
, info:NFS3::info_t
, fh:string
, rep:NFS3::readlink_reply_t
)
Generated for NFSv3 request/reply dialogues of type readlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
fh – The file handle passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,nfs_proc_symlink
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_symlink
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::symlinkargs_t
, rep:NFS3::newobj_reply_t
)
Generated for NFSv3 request/reply dialogues of type symlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The attributes returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,nfs_proc_link
,rpc_call
,rpc_dialogue
,rpc_reply
,file_mode
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_link
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::linkargs_t
, rep:NFS3::link_reply_t
)
Generated for NFSv3 request/reply dialogues of type link. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,nfs_proc_symlink
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_write
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::writeargs_t
, rep:NFS3::write_reply_t
)
Generated for NFSv3 request/reply dialogues of type write. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
,NFS3::return_data
,NFS3::return_data_first_only
,NFS3::return_data_max
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_create
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::diropargs_t
, rep:NFS3::newobj_reply_t
)
Generated for NFSv3 request/reply dialogues of type create. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_mkdir
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::diropargs_t
, rep:NFS3::newobj_reply_t
)
Generated for NFSv3 request/reply dialogues of type mkdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_remove
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::diropargs_t
, rep:NFS3::delobj_reply_t
)
Generated for NFSv3 request/reply dialogues of type remove. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_rmdir
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::diropargs_t
, rep:NFS3::delobj_reply_t
)
Generated for NFSv3 request/reply dialogues of type rmdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_rename
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::renameopargs_t
, rep:NFS3::renameobj_reply_t
)
Generated for NFSv3 request/reply dialogues of type rename. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rename
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_readdir
- Type:
event
(c:connection
, info:NFS3::info_t
, req:NFS3::readdirargs_t
, rep:NFS3::readdir_reply_t
)
Generated for NFSv3 request/reply dialogues of type readdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
,rpc_call
,rpc_dialogue
,rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_proc_not_implemented
- Type:
event
(c:connection
, info:NFS3::info_t
, proc:NFS3::proc_t
)
Generated for NFSv3 request/reply dialogues of a type that Zeek’s NFSv3 analyzer does not implement.
NFS is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
proc – The procedure called that Zeek does not implement.
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- nfs_reply_status
- Type: event(n: connection, info: NFS3::info_t)
Generated for each NFSv3 reply message received, reporting just the status included.
- Parameters:
n – The connection.
info – Reports the status included in the reply.
See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_request_null
- Type: event(r: connection)
Generated for Portmapper requests of type null.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
See also: pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_request_set
- Type: event(r: connection, m: pm_mapping, success: bool)
Generated for Portmapper request/reply dialogues of type set.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
m – The argument to the request.
success – True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.
See also: pm_request_null, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_request_unset
- Type: event(r: connection, m: pm_mapping, success: bool)
Generated for Portmapper request/reply dialogues of type unset.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
m – The argument to the request.
success – True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.
See also: pm_request_null, pm_request_set, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_request_getport
- Type: event(r: connection, pr: pm_port_request, p: port)
Generated for Portmapper request/reply dialogues of type getport.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
pr – The argument to the request.
p – The port returned by the server.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_request_dump
- Type: event(r: connection, m: pm_mappings)
Generated for Portmapper request/reply dialogues of type dump.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
m – The mappings returned by the server.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_request_callit
- Type: event(r: connection, call: pm_callit_request, p: port)
Generated for Portmapper request/reply dialogues of type callit.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
call – The argument to the request.
p – The port value returned by the call.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_attempt_null
- Type: event(r: connection, status: rpc_status)
Generated for failed Portmapper requests of type null.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
status – The status of the reply, which should be one of the index values of RPC_status.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_attempt_set
- Type: event(r: connection, status: rpc_status, m: pm_mapping)
Generated for failed Portmapper requests of type set.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
status – The status of the reply, which should be one of the index values of RPC_status.
m – The argument to the original request.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_attempt_unset
- Type: event(r: connection, status: rpc_status, m: pm_mapping)
Generated for failed Portmapper requests of type unset.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
status – The status of the reply, which should be one of the index values of RPC_status.
m – The argument to the original request.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_attempt_getport
- Type: event(r: connection, status: rpc_status, pr: pm_port_request)
Generated for failed Portmapper requests of type getport.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
status – The status of the reply, which should be one of the index values of RPC_status.
pr – The argument to the original request.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_attempt_dump
- Type: event(r: connection, status: rpc_status)
Generated for failed Portmapper requests of type dump.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
status – The status of the reply, which should be one of the index values of RPC_status.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_attempt_callit
- Type:
event
(r:connection
, status:rpc_status
, call:pm_callit_request
)
Generated for failed Portmapper requests of type callit.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
status – The status of the reply, which should be one of the index values of RPC_status.
call – The argument to the original request.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- pm_bad_port
- Type: event(r: connection, bad_p: count)
Generated for Portmapper requests or replies that include an invalid port number. Because the protocol encodes ports as unsigned 4-byte integers, a message can carry a value >= 65536, outside the valid range of 0–65535. Whenever that happens, this event is generated.
Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.
- Parameters:
r – The RPC connection.
bad_p – The invalid port value.
See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, rpc_call, rpc_dialogue, rpc_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- rpc_dialogue
- Type: event(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count)
Generated for RPC request/reply pairs. The RPC analyzer associates a request with its reply by transaction identifier and raises this event once both have been seen. If no reply is seen, the event is still generated eventually when the request times out; in that case, status is set to RPC_TIMEOUT.
See Wikipedia for more information about the ONC RPC protocol.
- Parameters:
c – The connection.
prog – The remote program to call.
ver – The version of the remote program to call.
proc – The procedure of the remote program to call.
status – The status of the reply, which should be one of the index values of RPC_status.
start_time – The time when the call was seen.
call_len – The size of the call_body PDU.
reply_len – The size of the reply_body PDU.
See also: rpc_call, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
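The enabling mechanism the Todo notes describe, together with handlers for the RPC and Portmapper events above, as an added Zeek script that is not part of the Zeek documentation or code base. The module name, the port set and the decision to report via print are assumptions for the example; a production script would raise notices or write a log instead.

```zeek
# Added example, not Zeek project code. Activates the Portmapper analyzer,
# which the default configuration leaves off, and reports RPC dialogues that
# never got an answer plus Portmapper messages carrying out-of-range ports.

module RPCWatch;

export {
    ## Ports on which to expect Portmapper traffic (assumed for the example).
    const pm_ports: set[port] = { 111/tcp, 111/udp } &redef;
}

event zeek_init()
    {
    # Analyzer::register_for_ports is the documented way to turn on an
    # analyzer that is not active by default; DPD signatures are the other.
    Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, pm_ports);
    }

# rpc_dialogue fires once per matched request/reply pair, or on timeout
# with status == RPC_TIMEOUT. Unanswered calls deserve attention: they
# usually mean the request reached a filtered or non-existent service.
event rpc_dialogue(c: connection, prog: count, ver: count, proc: count,
                   status: rpc_status, start_time: time,
                   call_len: count, reply_len: count)
    {
    if ( status == RPC_TIMEOUT )
        print fmt("%s -> %s: RPC prog=%d ver=%d proc=%d unanswered (call_len=%d)",
                  c$id$orig_h, c$id$resp_h, prog, ver, proc, call_len);
    else if ( status != RPC_SUCCESS )
        # RPC_status maps the enum value to its textual description.
        print fmt("%s -> %s: RPC prog=%d ver=%d proc=%d failed: %s",
                  c$id$orig_h, c$id$resp_h, prog, ver, proc,
                  RPC_status[status]);
    }

# pm_bad_port fires when a 4-byte port field holds a value >= 65536, which
# a conforming implementation never sends; treat it as malformed input.
event pm_bad_port(r: connection, bad_p: count)
    {
    print fmt("%s -> %s: Portmapper message carried invalid port value %d",
              r$id$orig_h, r$id$resp_h, bad_p);
    }

# getport is the lookup a client performs before contacting an RPC service,
# so successful dialogues show which programs are being located and where.
event pm_request_getport(r: connection, pr: pm_port_request, p: port)
    {
    print fmt("%s asked %s for prog=%d ver=%d and was told %s",
              r$id$orig_h, r$id$resp_h, pr$program, pr$version, p);
    }
```

Run it as zeek -r capture.pcap RPCWatch.zeek (or load it from local.zeek on a live sensor); the handlers only fire once the analyzer is attached, which is what the zeek_init registration provides.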
- rpc_call
-
Generated for RPC call messages.
See Wikipedia for more information about the ONC RPC protocol.
- Parameters:
c – The connection.
xid – The transaction identifier that matches requests with replies.
prog – The remote program to call.
ver – The version of the remote program to call.
proc – The procedure of the remote program to call.
call_len – The size of the call_body PDU.
See also: rpc_dialogue, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- rpc_reply
- Type: event(c: connection, xid: count, status: rpc_status, reply_len: count)
Generated for RPC reply messages.
See Wikipedia for more information about the ONC RPC protocol.
- Parameters:
c – The connection.
xid – The transaction identifier that matches requests with replies.
status – The status of the reply, which should be one of the index values of RPC_status.
reply_len – The size of the reply_body PDU.
See also: rpc_call, rpc_dialogue, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- mount_proc_null
- Type: event(c: connection, info: MOUNT3::info_t)
Generated for MOUNT3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- mount_proc_mnt
- Type: event(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)
Generated for MOUNT3 request/reply dialogues of type mnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- mount_proc_umnt
- Type: event(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)
Generated for MOUNT3 request/reply dialogues of type umnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- mount_proc_umnt_all
- Type: event(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)
Generated for MOUNT3 request/reply dialogues of type umnt_all. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
req – The arguments passed in the request.
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- mount_proc_not_implemented
- Type: event(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t)
Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.
- Parameters:
c – The RPC connection.
info – Reports the status of the dialogue, along with some meta information.
proc – The procedure called that Zeek does not implement.
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- mount_reply_status
- Type: event(n: connection, info: MOUNT3::info_t)
Generated for each MOUNT3 reply message received, reporting just the status included.
- Parameters:
n – The connection.
info – Reports the status included in the reply.
See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Zeek::SIP
SIP analyzer UDP-only
Components
Events
- sip_request
- Type: event(c: connection, method: string, original_URI: string, version: string)
Generated for SIP requests, used in Voice over IP (VoIP).
This event is generated as soon as a request’s initial line has been parsed.
See Wikipedia for more information about the SIP protocol.
- Parameters:
c – The connection.
method – The SIP method extracted from the request (e.g., REGISTER, NOTIFY).
original_URI – The unprocessed URI as specified in the request.
version – The version number specified in the request (e.g., 2.0).
See also: sip_reply, sip_header, sip_all_headers, sip_begin_entity, sip_end_entity
- sip_reply
- Type: event(c: connection, version: string, code: count, reason: string)
Generated for SIP replies, used in Voice over IP (VoIP).
This event is generated as soon as a reply’s initial line has been parsed.
See Wikipedia for more information about the SIP protocol.
- Parameters:
c – The connection.
version – The SIP version in use.
code – The response code.
reason – Textual details for the response code.
See also: sip_request, sip_header, sip_all_headers, sip_begin_entity, sip_end_entity
- sip_header
- Type: event(c: connection, is_orig: bool, name: string, value: string)
Generated for each SIP header.
See Wikipedia for more information about the SIP protocol.
- Parameters:
c – The connection.
is_orig – Whether the header came from the originator.
name – Header name.
value – Header value.
See also: sip_request, sip_reply, sip_all_headers, sip_begin_entity, sip_end_entity
- sip_all_headers
- Type: event(c: connection, is_orig: bool, hlist: mime_header_list)
Generated once for all SIP headers from the originator or responder.
See Wikipedia for more information about the SIP protocol.
- Parameters:
c – The connection.
is_orig – Whether the headers came from the originator.
hlist – All the headers and their values.
See also: sip_request, sip_reply, sip_header, sip_begin_entity, sip_end_entity
- sip_begin_entity
- Type: event(c: connection, is_orig: bool)
Generated at the beginning of a SIP message.
This event is generated as soon as a message’s initial line has been parsed.
See Wikipedia for more information about the SIP protocol.
- Parameters:
c – The connection.
is_orig – Whether the message came from the originator.
See also: sip_request, sip_reply, sip_header, sip_all_headers, sip_end_entity
- sip_end_entity
- Type: event(c: connection, is_orig: bool)
Generated at the end of a SIP message.
See Wikipedia for more information about the SIP protocol.
- Parameters:
c – The connection.
is_orig – Whether the message came from the originator.
See also: sip_request, sip_reply, sip_header, sip_all_headers, sip_begin_entity
Zeek::SMB
SMB analyzer
Components
Options/Constants
- SMB::pipe_filenames
- Type:
- Attributes:
- Default: {}
- Redefinition: from base/protocols/smb/consts.zeek = { spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds }
A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Zeek.
See also:
smb_pipe_connect_heuristic
- SMB::max_pending_messages
-
The maximum number of messages for which to retain state about offsets, fids, or tree ids within the parser. When the limit is reached, internal parser state is discarded and smb2_discarded_messages_state is raised. Setting this to zero disables the functionality.
See also:
smb2_discarded_messages_state
- SMB::max_dce_rpc_analyzers
-
Maximum number of DCE-RPC analyzers per connection before discarding them to avoid unbounded state growth.
See also:
smb_discarded_dce_rpc_analyzers
Types
- SMB1::NegotiateResponse
- Type:
-
- core:
SMB1::NegotiateResponseCore
&optional
If the server does not understand any of the dialect strings, or if PC NETWORK PROGRAM 1.0 is the chosen dialect.
- lanman:
SMB1::NegotiateResponseLANMAN
&optional
If the chosen dialect is greater than core up to and including LANMAN 2.1.
- ntlm:
SMB1::NegotiateResponseNTLM
&optional
If the chosen dialect is NT LM 0.12.
- SMB1::NegotiateResponseLANMAN
- Type:
-
- word_count:
count
Count of parameter words (should be 13)
- dialect_index:
count
Index of selected dialect
- security_mode:
SMB1::NegotiateResponseSecurity
Security mode
- max_buffer_size:
count
Max transmit buffer size (>= 1024)
- max_mpx_count:
count
Max pending multiplexed requests
- max_number_vcs:
count
Max number of virtual circuits (VCs - transport-layer connections) between client and server
- raw_mode:
SMB1::NegotiateRawMode
Raw mode
- session_key:
count
Unique token identifying this session
- server_time:
time
Current date and time at server
- encryption_key:
string
The challenge encryption key
- primary_domain:
string
The server’s primary domain
- SMB1::NegotiateResponseNTLM
- Type:
-
- word_count:
count
Count of parameter words (should be 17)
- dialect_index:
count
Index of selected dialect
- security_mode:
SMB1::NegotiateResponseSecurity
Security mode
- max_buffer_size:
count
Max transmit buffer size
- max_mpx_count:
count
Max pending multiplexed requests
- max_number_vcs:
count
Max number of virtual circuits (VCs - transport-layer connections) between client and server
- max_raw_size:
count
Max raw buffer size
- session_key:
count
Unique token identifying this session
- capabilities:
SMB1::NegotiateCapabilities
Server capabilities
- server_time:
time
Current date and time at server
- encryption_key:
string
&optional
The challenge encryption key. Present only for non-extended security (i.e. capabilities$extended_security = F)
- domain_name:
string
&optional
The name of the domain. Present only for non-extended security (i.e. capabilities$extended_security = F)
- guid:
string
&optional
A globally unique identifier assigned to the server. Present only for extended security (i.e. capabilities$extended_security = T)
- security_blob:
string
Opaque security blob associated with the security package if capabilities$extended_security = T. Otherwise, the challenge for challenge/response authentication.
- SMB1::NegotiateResponseSecurity
- Type:
-
- user_level:
bool
This indicates whether the server, as a whole, is operating under Share Level or User Level security.
- challenge_response:
bool
This indicates whether or not the server supports Challenge/Response authentication. If the bit is false, then plaintext passwords must be used.
- signatures_enabled:
bool
&optional
This indicates if the server is capable of performing MAC message signing. Note: Requires NT LM 0.12 or later.
- signatures_required:
bool
&optional
This indicates if the server is requiring the use of a MAC in each packet. If false, message signing is optional. Note: Requires NT LM 0.12 or later.
- SMB1::NegotiateCapabilities
- Type:
-
- raw_mode:
bool
The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW
- mpx_mode:
bool
The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX
- unicode:
bool
The server supports unicode strings
- large_files:
bool
The server supports large files with 64 bit offsets
- nt_smbs:
bool
The server supports the SMBs particular to the NT LM 0.12 dialect. Implies nt_find.
- rpc_remote_apis:
bool
The server supports remote admin API requests via DCE-RPC
- status32:
bool
The server can respond with 32 bit status codes in Status.Status
- level_2_oplocks:
bool
The server supports level 2 oplocks
- lock_and_read:
bool
The server supports SMB_COM_LOCK_AND_READ
- nt_find:
bool
Reserved
- dfs:
bool
The server is DFS aware
- infolevel_passthru:
bool
The server supports NT information level requests passing through
- large_readx:
bool
The server supports large SMB_COM_READ_ANDX (up to 64k)
- large_writex:
bool
The server supports large SMB_COM_WRITE_ANDX (up to 64k)
- unix:
bool
The server supports CIFS Extensions for UNIX
- bulk_transfer:
bool
The server supports SMB_BULK_READ and SMB_BULK_WRITE. Note: No known implementations support this.
- compressed_data:
bool
The server supports compressed data transfer. Requires bulk_transfer. Note: No known implementations support this.
- extended_security:
bool
The server supports extended security exchanges
- SMB1::SessionSetupAndXRequest
- Type:
-
- word_count:
count
- Count of parameter words
10 for pre NT LM 0.12
12 for NT LM 0.12 with extended security
13 for NT LM 0.12 without extended security
- max_buffer_size:
count
Client maximum buffer size
- max_mpx_count:
count
Actual maximum multiplexed pending request
- vc_number:
count
Virtual circuit number. First VC == 0
- session_key:
count
Session key (valid iff vc_number > 0)
- native_os:
string
Client’s native operating system
- native_lanman:
string
Client’s native LAN Manager type
- account_name:
string
&optional
Account name. Note: not set for NT LM 0.12 with extended security.
- account_password:
string
&optional
If challenge/response auth is not being used, this is the password. Otherwise, it’s the response to the server’s challenge. Note: Only set for pre NT LM 0.12.
- primary_domain:
string
&optional
Client’s primary domain, if known. Note: not set for NT LM 0.12 with extended security.
- case_insensitive_password:
string
&optional
Case insensitive password. Note: only set for NT LM 0.12 without extended security.
- case_sensitive_password:
string
&optional
Case sensitive password. Note: only set for NT LM 0.12 without extended security.
- security_blob:
string
&optional
Security blob. Note: only set for NT LM 0.12 with extended security.
- capabilities:
SMB1::SessionSetupAndXCapabilities
&optional
Client capabilities. Note: only set for NT LM 0.12.
- SMB1::SessionSetupAndXResponse
- Type:
-
- word_count:
count
Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)
- is_guest:
bool
&optional
Were we logged in as a guest user?
- native_os:
string
&optional
Server’s native operating system
- native_lanman:
string
&optional
Server’s native LAN Manager type
- primary_domain:
string
&optional
Server’s primary domain
- security_blob:
string
&optional
Security blob if NTLM
- SMB1::SessionSetupAndXCapabilities
- Type:
-
- unicode:
bool
The client can use unicode strings
- large_files:
bool
The client can deal with files having 64 bit offsets
- nt_smbs:
bool
The client understands the SMBs introduced with NT LM 0.12. Implies nt_find.
- status32:
bool
The client can receive 32 bit errors encoded in Status.Status
- level_2_oplocks:
bool
The client understands Level II oplocks
- nt_find:
bool
Reserved. Implied by nt_smbs.
- SMB1::Trans_Sec_Args
- Type:
-
- total_param_count:
count
Total parameter count
- total_data_count:
count
Total data count
- param_count:
count
Parameter count
- param_offset:
count
Parameter offset
- param_displacement:
count
Parameter displacement
- data_count:
count
Data count
- data_offset:
count
Data offset
- data_displacement:
count
Data displacement
- SMB1::Find_First2_Request_Args
- Type:
-
- search_attrs:
count
File attributes to apply as a constraint to the search
- search_count:
count
Max search results
- flags:
count
Misc. flags for how the server should manage the transaction once results are returned
- info_level:
count
How detailed the information returned in the results should be
- search_storage_type:
count
Specify whether to search for directories or files
- file_name:
string
The string to search for (note: may contain wildcards)
- SMB1::Trans2_Args
- Type:
-
- total_param_count:
count
Total parameter count
- total_data_count:
count
Total data count
- max_param_count:
count
Max parameter count
- max_data_count:
count
Max data count
- max_setup_count:
count
Max setup count
- flags:
count
Flags
- trans_timeout:
count
Timeout
- param_count:
count
Parameter count
- param_offset:
count
Parameter offset
- data_count:
count
Data count
- data_offset:
count
Data offset
- setup_count:
count
Setup count
- SMB1::Trans2_Sec_Args
- Type:
-
- total_param_count:
count
Total parameter count
- total_data_count:
count
Total data count
- param_count:
count
Parameter count
- param_offset:
count
Parameter offset
- param_displacement:
count
Parameter displacement
- data_count:
count
Data count
- data_offset:
count
Data offset
- data_displacement:
count
Data displacement
- FID:
count
File ID
- SMB2::CloseResponse
- Type:
-
- alloc_size:
count
The size, in bytes, of the data that is allocated to the file.
- eof:
count
The size, in bytes, of the file.
- times:
SMB::MACTimes
The creation, last access, last write, and change times.
- attrs:
SMB2::FileAttrs
The attributes of the file.
The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.
For more information, see MS-SMB2:2.2.16
See also:
smb2_close_response
- SMB2::CreateRequest
- Type:
The request sent by the client to request either creation of or access to a file.
For more information, see MS-SMB2:2.2.13
See also:
smb2_create_request
- SMB2::CreateResponse
- Type:
-
- file_id:
SMB2::GUID
The SMB2 GUID for the file.
- size:
count
Size of the file.
- times:
SMB::MACTimes
Timestamps associated with the file in question.
- attrs:
SMB2::FileAttrs
File attributes.
- create_action:
count
The action taken in establishing the open.
The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.
For more information, see MS-SMB2:2.2.14
See also:
smb2_create_response
- SMB2::NegotiateResponse
- Type:
-
- dialect_revision:
count
The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 NEGOTIATE Request.
- security_mode:
count
The security mode field specifies whether SMB signing is enabled, required at the server, or both.
- server_guid:
SMB2::GUID
A globally unique identifier that is generated by the server to uniquely identify the server.
- system_time:
time
The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.
- server_start_time:
time
The SMB2 server start time.
- negotiate_context_count:
count
The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0.
- negotiate_context_values:
SMB2::NegotiateContextValues
An array of context values in SMB v. 3.1.1.
The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.
For more information, see MS-SMB2:2.2.4
See also:
smb2_negotiate_response
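As an added example (not part of the Zeek reference or of Zeek's own SMB scripts), the following script consumes the SMB2::NegotiateResponse record above through the smb2_negotiate_response event and raises a notice whenever a server completes an SMB2 negotiation without requiring signing, which leaves the session open to relay and tampering. The SecurityMode bit values follow MS-SMB2 2.2.4 and are declared here as assumed constants rather than Zeek-provided ones; the module and notice names are hypothetical.

```zeek
@load base/frameworks/notice
@load base/protocols/smb

# Hypothetical module name; not part of Zeek's SMB scripts.
module SMB_Signing_Audit;

export {
	redef enum Notice::Type += {
		## Raised when a server answers an SMB2 negotiate without requiring signing.
		SMB2_Signing_Not_Required,
	};
}

# Bit values of the SecurityMode field as defined in MS-SMB2 2.2.4.
# Assumed constants: Zeek does not export them under these names.
const SIGNING_ENABLED: count = 0x01;
const SIGNING_REQUIRED: count = 0x02;

# Render the negotiated security mode for the notice message.
function describe_security_mode(mode: count): string
	{
	if ( (mode & SIGNING_REQUIRED) != 0 )
		return "signing required";
	if ( (mode & SIGNING_ENABLED) != 0 )
		return "signing enabled but optional";
	return "signing disabled";
	}

event smb2_negotiate_response(c: connection, hdr: SMB2::Header,
                              response: SMB2::NegotiateResponse)
	{
	# A server that requires signing is the desired state; nothing to report.
	if ( (response$security_mode & SIGNING_REQUIRED) != 0 )
		return;

	NOTICE([$note=SMB2_Signing_Not_Required,
	        $msg=fmt("%s negotiated SMB2 dialect 0x%x with %s",
	                 c$id$resp_h, response$dialect_revision,
	                 describe_security_mode(response$security_mode)),
	        $conn=c,
	        # Suppress repeats per server rather than per connection.
	        $identifier=cat(c$id$resp_h)]);
	}
```

Because the notice carries the responder address as its identifier, one alert is produced per server within the notice suppression interval, which keeps a busy file server from flooding notice.log.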
- SMB2::SessionSetupRequest
- Type:
-
- security_mode:
count
The security mode field specifies whether SMB signing is enabled or required at the client.
The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.5
See also:
smb2_session_setup_request
- SMB2::SessionSetupResponse
- Type:
-
- flags:
SMB2::SessionSetupFlags
Additional information about the session
The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.6
See also:
smb2_session_setup_response
- SMB2::SessionSetupFlags
- Type:
A flags field that indicates additional information about the session that’s sent in the session_setup response.
For more information, see MS-SMB2:2.2.6
See also:
smb2_session_setup_response
- SMB2::TreeConnectResponse
- Type:
-
- share_type:
count
The type of share being accessed. Physical disk, named pipe, or printer.
The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.
For more information, see MS-SMB2:2.2.9
See also:
smb2_tree_connect_response
- SMB2::Transform_header
- Type:
-
- signature:
string
The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey.
- nonce:
string
An implementation specific value assigned for every encrypted message.
- orig_msg_size:
count
The size, in bytes, of the SMB2 message.
- flags:
count
A flags field, interpreted in different ways depending on the SMB2 dialect.
- session_id:
count
A value that uniquely identifies the established session for the command.
An SMB2 transform header (for SMB 3.x dialects with encryption enabled).
For more information, see MS-SMB2:2.2.41
See also:
smb2_transform_header
,smb2_message
,smb2_close_request
,smb2_close_response
,smb2_create_request
,smb2_create_response
,smb2_negotiate_request
,smb2_negotiate_response
,smb2_read_request
,smb2_session_setup_request
,smb2_session_setup_response
,smb2_file_rename
,smb2_file_delete
,smb2_tree_connect_request
,smb2_tree_connect_response
,smb2_write_request
- SMB::MACTimes
- Type:
-
- modified:
time
&log
The time when data was last written to the file.
- modified_raw:
count
Same as modified but in SMB’s original FILETIME integer format.
- accessed:
time
&log
The time when the file was last accessed.
- accessed_raw:
count
Same as accessed but in SMB’s original FILETIME integer format.
- created:
time
&log
The time the file was created.
- created_raw:
count
Same as created but in SMB’s original FILETIME integer format.
- changed:
time
&log
The time when the file was last modified.
- changed_raw:
count
Same as changed but in SMB’s original FILETIME integer format.
MAC times for a file.
For more information, see MS-SMB2:2.2.16
See also:
smb1_nt_create_andx_response
,smb2_create_response
- SMB1::Header
- Type:
An SMB1 header.
See also:
smb1_message
,smb1_empty_response
,smb1_error
,smb1_check_directory_request
,smb1_check_directory_response
,smb1_close_request
,smb1_create_directory_request
,smb1_create_directory_response
,smb1_echo_request
,smb1_echo_response
,smb1_negotiate_request
,smb1_negotiate_response
,smb1_nt_cancel_request
,smb1_nt_create_andx_request
,smb1_nt_create_andx_response
,smb1_query_information_request
,smb1_read_andx_request
,smb1_read_andx_response
,smb1_session_setup_andx_request
,smb1_session_setup_andx_response
,smb1_transaction_request
,smb1_transaction2_request
,smb1_trans2_find_first2_request
,smb1_trans2_query_path_info_request
,smb1_trans2_get_dfs_referral_request
,smb1_tree_connect_andx_request
,smb1_tree_connect_andx_response
,smb1_tree_disconnect
,smb1_write_andx_request
,smb1_write_andx_response
- SMB2::Header
- Type:
-
- credit_charge:
count
The number of credits that this request consumes
- status:
count
In a request, this is an indication to the server about the client’s channel change. In a response, this is the status field
- command:
count
The command code of the packet
- credits:
count
The number of credits the client is requesting, or the number of credits granted to the client in a response.
- flags:
count
A flags field, which indicates how to process the operation (e.g. asynchronously)
- message_id:
count
A value that uniquely identifies the message request/response pair across all messages that are sent on the same transport protocol connection
- process_id:
count
A value that uniquely identifies the process that generated the event.
- tree_id:
count
A value that uniquely identifies the tree connect for the command.
- session_id:
count
A value that uniquely identifies the established session for the command.
- signature:
string
The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the flags field.
An SMB2 header.
For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2
See also:
smb2_message
,smb2_close_request
,smb2_close_response
,smb2_create_request
,smb2_create_response
,smb2_negotiate_request
,smb2_negotiate_response
,smb2_read_request
,smb2_session_setup_request
,smb2_session_setup_response
,smb2_file_rename
,smb2_file_delete
,smb2_tree_connect_request
,smb2_tree_connect_response
,smb2_write_request
- SMB2::GUID
- Type:
An SMB2 globally unique identifier which identifies a file.
For more information, see MS-SMB2:2.2.14.1
See also:
smb2_close_request
,smb2_create_response
,smb2_read_request
,smb2_file_rename
,smb2_file_delete
,smb2_write_request
- SMB2::FileAttrs
- Type:
-
- read_only:
bool
The file is read only. Applications can read the file but cannot write to it or delete it.
- hidden:
bool
The file is hidden. It is not to be included in an ordinary directory listing.
- system:
bool
The file is part of or is used exclusively by the operating system.
- directory:
bool
The file is a directory.
- archive:
bool
The file has not been archived since it was last modified. Applications use this attribute to mark files for backup or removal.
- normal:
bool
The file has no other attributes set. This attribute is valid only if used alone.
- temporary:
bool
The file is temporary. This is a hint to the cache manager that it does not need to flush the file to backing storage.
- sparse_file:
bool
A file that is a sparse file.
- reparse_point:
bool
A file or directory that has an associated reparse point.
- compressed:
bool
The file or directory is compressed. For a file, this means that all of the data in the file is compressed. For a directory, this means that compression is the default for newly created files and subdirectories.
- offline:
bool
The data in this file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is hierarchical storage management software.
- not_content_indexed:
bool
A file or directory that is not indexed by the content indexing service.
- encrypted:
bool
A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
- integrity_stream:
bool
A file or directory that is configured with integrity support. For a file, all data streams in the file have integrity support. For a directory, integrity support is the default for newly created files and subdirectories, unless the caller specifies otherwise.
- no_scrub_data:
bool
A file or directory that is configured to be excluded from the data integrity scan.
A series of boolean flags describing basic and extended file attributes for SMB2.
For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6
See also:
smb2_create_response
- SMB2::Fscontrol
- Type:
-
- free_space_start_filtering:
int
Minimum amount of free disk space required to begin document filtering
- free_space_threshold:
int
Minimum amount of free disk space required to continue filtering documents and merging word lists
- free_space_stop_filtering:
int
Minimum amount of free disk space required to continue content filtering
- delete_quota_threshold:
count
Default per-user disk quota
- default_quota_limit:
count
Default per-user disk limit
- fs_control_flags:
count
File system control flags passed as an unsigned int
A series of integer flags used to set quota and content indexing control information for a file system volume in SMB2.
For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2
- SMB2::FileEA
- Type:
This information class is used to query or set extended attribute (EA) information for a file.
For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15
- SMB2::FileEAs
- Type:
A vector of extended attribute (EA) information for a file.
For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15
- SMB2::PreAuthIntegrityCapabilities
- Type:
Preauthentication information as defined in SMB v. 3.1.1
For more information, see MS-SMB2:2.3.1.1
- SMB2::EncryptionCapabilities
- Type:
Encryption information as defined in SMB v. 3.1.1
For more information, see MS-SMB2:2.3.1.2
- SMB2::CompressionCapabilities
- Type:
Compression information as defined in SMB v. 3.1.1
For more information, see MS-SMB2:2.3.1.3
- SMB2::NegotiateContextValue
- Type:
-
- context_type:
count
Specifies the type of context (preauth or encryption).
- data_length:
count
The length in bytes of the data field.
- preauth_info:
SMB2::PreAuthIntegrityCapabilities
&optional
The preauthentication information.
- encryption_info:
SMB2::EncryptionCapabilities
&optional
The encryption information.
- compression_info:
SMB2::CompressionCapabilities
&optional
The compression information.
- netname:
string
&optional
Indicates the server name the client must connect to.
The context type information as defined in SMB v. 3.1.1
For more information, see MS-SMB2:2.3.1
Events
- smb1_check_directory_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, directory_name:string
)
Generated for SMB/CIFS version 1 requests of type check directory. This is used by the client to verify that a specified path resolves to a valid directory on the server.
For more information, see MS-CIFS:2.2.4.17
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
directory_name – The directory name to check for existence.
See also:
smb1_message
,smb1_check_directory_response
- smb1_check_directory_response
- Type:
event
(c:connection
, hdr:SMB1::Header
)
Generated for SMB/CIFS version 1 responses of type check directory. This is the server response to the check directory request.
For more information, see MS-CIFS:2.2.4.17
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
See also:
smb1_message
,smb1_check_directory_request
- smb1_close_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, file_id:count
)
Generated for SMB/CIFS version 1 requests of type close. This is used by the client to close an instance of an object associated with a valid file ID.
For more information, see MS-CIFS:2.2.4.5
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
file_id – The file identifier being closed.
See also:
smb1_message
- smb1_create_directory_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, directory_name:string
)
Generated for SMB/CIFS version 1 requests of type create directory. This is a deprecated command which has been replaced by the trans2_create_directory subcommand. This is used by the client to create a new directory on the server, relative to a connected share.
For more information, see MS-CIFS:2.2.4.1
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
directory_name – The name of the directory to create.
See also:
smb1_message
,smb1_create_directory_response
,smb1_transaction2_request
- smb1_create_directory_response
- Type:
event
(c:connection
, hdr:SMB1::Header
)
Generated for SMB/CIFS version 1 responses of type create directory. This is a deprecated command which has been replaced by the trans2_create_directory subcommand. This is the server response to the create directory request.
For more information, see MS-CIFS:2.2.4.1
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
See also:
smb1_message
,smb1_create_directory_request
,smb1_transaction2_request
- smb1_echo_request
- Type:
event
(c:connection
, echo_count:count
, data:string
)
Generated for SMB/CIFS version 1 requests of type echo. This is sent by the client to test the transport layer connection with the server.
For more information, see MS-CIFS:2.2.4.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
echo_count – The number of times the server should echo the data back.
data – The data for the server to echo.
See also:
smb1_message
,smb1_echo_response
- smb1_echo_response
- Type:
event
(c:connection
, seq_num:count
, data:string
)
Generated for SMB/CIFS version 1 responses of type echo. This is the server response to the echo request.
For more information, see MS-CIFS:2.2.4.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
seq_num – The sequence number of this echo reply.
data – The data echoed back from the client.
See also:
smb1_message
,smb1_echo_request
- smb1_logoff_andx
- Type:
event
(c:connection
, is_orig:bool
)
Generated for SMB/CIFS version 1 requests of type logoff andx. This is used by the client to logoff the user connection represented by UID in the SMB Header. The server releases all locks and closes all files currently open by this user, disconnects all tree connects, cancels any outstanding requests for this UID, and invalidates the UID.
For more information, see MS-CIFS:2.2.4.54
- Parameters:
c – The connection.
is_orig – Indicates which host sent the logoff message.
See also:
smb1_message
- smb1_negotiate_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, dialects:string_vec
)
Generated for SMB/CIFS version 1 requests of type negotiate. This is sent by the client to initiate an SMB connection between the client and the server. A negotiate exchange MUST be completed before any other SMB messages are sent to the server.
For more information, see MS-CIFS:2.2.4.52
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
dialects – The SMB dialects supported by the client.
See also:
smb1_message
,smb1_negotiate_response
- smb1_negotiate_response
- Type:
event
(c:connection
, hdr:SMB1::Header
, response:SMB1::NegotiateResponse
)
Generated for SMB/CIFS version 1 responses of type negotiate. This is the server response to the negotiate request.
For more information, see MS-CIFS:2.2.4.52
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
response – A record structure containing more information from the response.
See also:
smb1_message
,smb1_negotiate_request
- smb1_nt_create_andx_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, file_name:string
)
Generated for SMB/CIFS version 1 requests of type nt create andx. This is sent by the client to create and open a new file, or to open an existing file, or to open and truncate an existing file to zero length, or to create a directory, or to create a connection to a named pipe.
For more information, see MS-CIFS:2.2.4.64
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
name – The name attribute specified in the message.
See also:
smb1_message
,smb1_nt_create_andx_response
- smb1_nt_create_andx_response
- Type:
event
(c:connection
, hdr:SMB1::Header
, file_id:count
, file_size:count
, times:SMB::MACTimes
)
Generated for SMB/CIFS version 1 responses of type nt create andx. This is the server response to the nt create andx request.
For more information, see MS-CIFS:2.2.4.64
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
file_id – The file identifier for the file.
file_size – Size of the file.
times – Timestamps associated with the file in question.
See also:
smb1_message
,smb1_nt_create_andx_request
- smb1_nt_cancel_request
- Type:
event
(c:connection
, hdr:SMB1::Header
)
Generated for SMB/CIFS version 1 requests of type nt cancel. This is sent by the client to request that a currently pending request be cancelled.
For more information, see MS-CIFS:2.2.4.65
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
See also:
smb1_message
- smb1_query_information_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, filename:string
)
Generated for SMB/CIFS version 1 requests of type query information. This is a deprecated command which has been replaced by the trans2_query_path_information subcommand. This is used by the client to obtain attribute information about a file.
For more information, see MS-CIFS:2.2.4.9
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
filename – The filename that the client is querying.
See also:
smb1_message
,smb1_transaction2_request
- smb1_read_andx_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, file_id:count
, offset:count
, length:count
)
Generated for SMB/CIFS version 1 requests of type read andx. This is sent by the client to read bytes from a regular file, a named pipe, or a directly accessible device such as a serial port (COM) or printer port (LPT).
For more information, see MS-CIFS:2.2.4.42
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
file_id – The file identifier being read from.
offset – The byte offset the requested read begins at.
length – The number of bytes being requested.
See also:
smb1_message
,smb1_read_andx_response
- smb1_read_andx_response
- Type:
event
(c:connection
, hdr:SMB1::Header
, data_len:count
)
Generated for SMB/CIFS version 1 responses of type read andx. This is the server response to the read andx request.
For more information, see MS-CIFS:2.2.4.42
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
data_len – The length of data from the requested file.
See also:
smb1_message
,smb1_read_andx_request
- smb1_session_setup_andx_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, request:SMB1::SessionSetupAndXRequest
)
Generated for SMB/CIFS version 1 requests of type setup andx. This is sent by the client to configure an SMB session.
For more information, see MS-CIFS:2.2.4.53
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
request – The parsed request data of the SMB message. See init-bare for more details.
See also:
smb1_message
,smb1_session_setup_andx_response
- smb1_session_setup_andx_response
- Type:
event
(c:connection
, hdr:SMB1::Header
, response:SMB1::SessionSetupAndXResponse
)
Generated for SMB/CIFS version 1 responses of type setup andx. This is the server response to the setup andx request.
For more information, see MS-CIFS:2.2.4.53
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
response – The parsed response data of the SMB message. See init-bare for more details.
See also:
smb1_message
,smb1_session_setup_andx_request
- smb1_transaction_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, name:string
, sub_cmd:count
, parameters:string
, data:string
)
Generated for SMB/CIFS version 1 requests of type transaction. This command serves as the transport for the Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system.
For more information, see MS-CIFS:2.2.4.33.1
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
name – A name string that MAY identify the resource (a specific Mailslot or Named Pipe) against which the operation is performed.
sub_cmd – The sub command, some may be parsed and have their own events.
parameters – Content of the SMB_Data.Trans_Parameters field
data – Content of the SMB_Data.Trans_Data field
See also:
smb1_message
,smb1_transaction2_request
- smb1_transaction_response
- Type:
event
(c:connection
, hdr:SMB1::Header
, parameters:string
, data:string
)
Generated for SMB/CIFS version 1 responses of type transaction. This command serves as the transport for the Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system.
For more information, see MS-CIFS:2.2.4.33.2
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
parameters – Content of the SMB_Data.Trans_Parameters field
data – Content of the SMB_Data.Trans_Data field
- smb1_transaction_secondary_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, args:SMB1::Trans_Sec_Args
, parameters:string
, data:string
)
Generated for SMB/CIFS version 1 requests of type transaction_secondary. This command serves as an additional request data container for the Transaction Subprotocol Commands (carried by transaction requests).
For more information, see MS-CIFS:2.2.4.34
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
parameters – The SMB_Data.Trans_Parameters field content
data – The SMB_Data.Trans_Data field content
- smb1_transaction2_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, args:SMB1::Trans2_Args
, sub_cmd:count
)
Generated for SMB/CIFS version 1 requests of type transaction2. This command serves as the transport for the Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system. Compared to the Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended Attribute key/value pairs, make use of long file names (longer than the original 8.3 format names), and perform directory searches, among other tasks.
For more information, see MS-CIFS:2.2.4.46
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
sub_cmd – The sub command, some are parsed and have their own events.
See also:
smb1_message
,smb1_trans2_find_first2_request
,smb1_trans2_query_path_info_request
,smb1_trans2_get_dfs_referral_request
,smb1_transaction_request
- smb1_trans2_find_first2_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, args:SMB1::Find_First2_Request_Args
)
Generated for SMB/CIFS version 1 transaction2 requests of subtype find first2. This transaction is used to begin a search for file(s) within a directory or for a directory.
For more information, see MS-CIFS:2.2.6.2
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
args – A record data structure with arguments given to the command.
See also:
smb1_message
,smb1_transaction2_request
,smb1_trans2_query_path_info_request
,smb1_trans2_get_dfs_referral_request
- smb1_trans2_query_path_info_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, file_name:string
)
Generated for SMB/CIFS version 1 transaction2 requests of subtype query path info. This transaction is used to get information about a specific file or directory.
For more information, see MS-CIFS:2.2.6.6
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
file_name – File name the request is in reference to.
See also:
smb1_message
,smb1_transaction2_request
,smb1_trans2_find_first2_request
,smb1_trans2_get_dfs_referral_request
- smb1_trans2_get_dfs_referral_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, file_name:string
)
Generated for SMB/CIFS version 1 transaction2 requests of subtype get DFS referral. This transaction is used to request a referral for a disk object in DFS.
For more information, see MS-CIFS:2.2.6.16
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
file_name – File name the request is in reference to.
See also:
smb1_message
,smb1_transaction2_request
,smb1_trans2_find_first2_request
,smb1_trans2_query_path_info_request
- smb1_transaction2_secondary_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, args:SMB1::Trans2_Sec_Args
, parameters:string
, data:string
)
Generated for SMB/CIFS version 1 requests of type transaction2 secondary.
For more information, see MS-CIFS:2.2.4.47.1
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
args – Arguments of the message (SMB_Parameters.Words)
parameters – Content of the SMB_Data.Trans_Parameters field
data – Content of the SMB_Data.Trans_Data field
- smb1_tree_connect_andx_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, path:string
, service:string
)
Generated for SMB/CIFS version 1 requests of type tree connect andx. This is sent by the client to establish a connection to a server share.
For more information, see MS-CIFS:2.2.4.55
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
path – The path attribute specified in the message.
service – The service attribute specified in the message.
See also:
smb1_message
,smb1_tree_connect_andx_response
- smb1_tree_connect_andx_response
- Type:
event
(c:connection
, hdr:SMB1::Header
, service:string
, native_file_system:string
)
Generated for SMB/CIFS version 1 responses of type tree connect andx. This is the server reply to the tree connect andx request.
For more information, see MS-CIFS:2.2.4.55
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
service – The service attribute specified in the message.
native_file_system – The file system of the remote server as indicated by the server.
See also:
smb1_message
,smb1_tree_connect_andx_request
- smb1_tree_disconnect
- Type:
event
(c:connection
, hdr:SMB1::Header
, is_orig:bool
)
Generated for SMB/CIFS version 1 requests of type tree disconnect. This is sent by the client to logically disconnect client access to a server resource.
For more information, see MS-CIFS:2.2.4.51
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
is_orig – True if the message was from the originator.
See also:
smb1_message
- smb1_write_andx_request
- Type:
event
(c:connection
, hdr:SMB1::Header
, file_id:count
, offset:count
, data_len:count
)
Generated for SMB/CIFS version 1 requests of type write andx. This is sent by the client to write bytes to a regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM) or printer port (LPT).
For more information, see MS-CIFS:2.2.4.43
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
offset – The byte offset into the referenced file data is being written.
data – The data being written.
See also:
smb1_message
,smb1_write_andx_response
- smb1_write_andx_response
- Type:
event
(c:connection
, hdr:SMB1::Header
, written_bytes:count
)
Generated for SMB/CIFS version 1 responses of type write andx. This is the server response to the write andx request.
For more information, see MS-CIFS:2.2.4.43
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
written_bytes – The number of bytes the server reported having actually written.
See also:
smb1_message
,smb1_write_andx_request
- smb1_message
- Type:
event
(c:connection
, hdr:SMB1::Header
, is_orig:bool
)
Generated for all SMB/CIFS version 1 messages.
See Wikipedia for more information about the SMB/CIFS protocol. Zeek’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 1 message.
is_orig – True if the message was sent by the originator of the underlying transport-level connection.
See also:
smb2_message
- smb1_empty_response
- Type:
event
(c:connection
, hdr:SMB1::Header
)
Generated when there is an SMB version 1 response with no message body.
- Parameters:
c – The connection.
hdr – The parsed header of the SMB message.
See also:
smb1_message
- smb1_error
- Type:
event
(c:connection
, hdr:SMB1::Header
, is_orig:bool
)
Generated for SMB version 1 messages that indicate an error. This event is triggered by an SMB header including a status that signals an error.
- Parameters:
c – The connection.
hdr – The parsed header of the SMB message.
is_orig – True if the message was sent by the originator of the underlying transport-level connection.
See also:
smb1_message
- smb2_close_request
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
Generated for SMB/CIFS version 2 requests of type close. This is used by the client to close an instance of a file that was opened previously with a successful SMB2 CREATE Request.
For more information, see MS-SMB2:2.2.15
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID of the file being closed.
See also: smb2_message, smb2_close_response
- smb2_close_response
- Type: event(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse)
Generated for SMB/CIFS version 2 responses of type close. This is sent by the server to indicate that an SMB2 CLOSE request was processed successfully.
For more information, see MS-SMB2:2.2.16
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
response – A record of attributes returned from the server from the close.
See also: smb2_message, smb2_close_request
- smb2_create_request
- Type: event(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)
Generated for SMB/CIFS version 2 requests of type create. This is sent by the client to request either creation of or access to a file.
For more information, see MS-SMB2:2.2.13
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
request – A record with more information related to the request.
See also: smb2_message, smb2_create_response
- smb2_create_response
- Type: event(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse)
Generated for SMB/CIFS version 2 responses of type create. This is sent by the server to notify the client of the status of its SMB2 CREATE request.
For more information, see MS-SMB2:2.2.14
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
response – A record with more information related to the response.
See also: smb2_message, smb2_create_request
- smb2_negotiate_request
- Type: event(c: connection, hdr: SMB2::Header, dialects: index_vec)
Generated for SMB/CIFS version 2 requests of type negotiate. This is used by the client to notify the server what dialects of the SMB2 Protocol the client understands.
For more information, see MS-SMB2:2.2.3
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
dialects – A vector of the client’s supported dialects.
See also: smb2_message, smb2_negotiate_response
- smb2_negotiate_response
- Type: event(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse)
Generated for SMB/CIFS version 2 responses of type negotiate. This is sent by the server to notify the client of the preferred common dialect.
For more information, see MS-SMB2:2.2.4
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
response – The negotiate response data structure.
See also: smb2_message, smb2_negotiate_request
- smb2_read_request
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)
Generated for SMB/CIFS version 2 requests of type read. This is sent by the client to request a read operation on the specified file.
For more information, see MS-SMB2:2.2.19
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The GUID being used for the file.
offset – How far into the file this read should be taking place.
length – The number of bytes of the file being read.
See also: smb2_message
- smb2_session_setup_request
- Type: event(c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest)
Generated for SMB/CIFS version 2 requests of type session_setup. This is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.5
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
request – A record containing more information related to the request.
See also: smb2_message, smb2_session_setup_response
- smb2_session_setup_response
- Type: event(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse)
Generated for SMB/CIFS version 2 responses of type session_setup. This is sent by the server in response to a session_setup request.
For more information, see MS-SMB2:2.2.6
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
response – A record containing more information related to the response.
See also: smb2_message, smb2_session_setup_request
- smb2_file_rename
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string)
Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – A GUID to identify the file.
dst_filename – The filename to rename the file into.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_delete
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool)
Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
delete_pending – If set to T, the file should be deleted when it is closed.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_sattr
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs)
Generated for SMB/CIFS version 2 requests of type set_info of the file subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
times – Timestamps associated with the file in question.
attrs – File attributes.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_allocation
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, alloc_size: int)
Generated for SMB/CIFS version 2 requests of type set_info of the allocation subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
alloc_size – The desired allocation size.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_endoffile
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, end_of_file: int)
Generated for SMB/CIFS version 2 requests of type set_info of the end_of_file subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
end_of_file – The absolute new end-of-file position as a byte offset from the start of the file.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_mode
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, mode: count)
Generated for SMB/CIFS version 2 requests of type set_info of the mode subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
mode – Specifies how the file will subsequently be accessed.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_pipe
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, read_mode: count, completion_mode: count)
Generated for SMB/CIFS version 2 requests of type set_info of the pipe subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
read_mode – Specifies whether data must be read as a stream of bytes or as messages.
completion_mode – Specifies whether blocking mode must be enabled or not.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_position
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, current_byte_offset: int)
Generated for SMB/CIFS version 2 requests of type set_info of the position subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
current_byte_offset – Specifies the offset, in bytes, of the file pointer from the beginning of the file.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_shortname
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_name: string)
Generated for SMB/CIFS version 2 requests of type set_info of the short_name subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
file_name – Specifies the name of the file to be changed.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_validdatalength
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, valid_data_length: int)
Generated for SMB/CIFS version 2 requests of type set_info of the valid_data_length subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
valid_data_length – Specifies the new valid data length for the file.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_fullea
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_eas: SMB2::FileEAs)
Generated for SMB/CIFS version 2 requests of type set_info of the full_EA subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
file_eas – A vector of extended file attributes as defined in MS-FSCC:2.4.15.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_link
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, root_directory: count, file_name: string)
Generated for SMB/CIFS version 2 requests of type set_info of the link subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
root_directory – Contains the file handle for the directory where the link is to be created.
file_name – Contains the name to be assigned to the newly created link.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_fscontrol
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol)
Generated for SMB/CIFS version 2 requests of type set_info of the fs_control subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
fs_control – Contains the fs_control information (see MS-FSCC 2.5.2).
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid
- smb2_file_fsobjectid
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, object_id: SMB2::GUID, extended_info: string)
Generated for SMB/CIFS version 2 requests of type set_info of the fs_object_id subtype.
For more information, see MS-SMB2:2.2.39
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The SMB2 GUID for the file.
object_id – Contains a 16-byte GUID that identifies the file system volume (see MS-FSCC 2.5.6).
extended_info – Contains extended information on the file system volume.
See also: smb2_message, smb2_file_delete, smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link
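A defensive use of the set_info events documented above, added here as an example rather than code from the Zeek documentation or distribution: the script counts rename and delete requests per originating host and raises a notice when a burst crosses a threshold, a pattern worth reviewing on file shares because bulk renames followed by deletes are typical of ransomware and of mass data destruction. The module name, notice type, threshold and window are assumptions chosen for illustration; the event signatures are exactly those listed above.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Counts SMB2 SET_INFO rename/delete requests per originator and raises a
# notice when a burst exceeds a threshold. Module name, notice type,
# threshold and window are assumptions chosen for illustration.
@load base/frameworks/notice

module SMBSetInfoWatch;

export {
	redef enum Notice::Type += {
		## Many SMB2 rename/delete requests from one originator in a short window.
		SetInfo_Burst,
	};

	## Rename+delete requests within `window` that trigger a notice (assumed value).
	const threshold = 200 &redef;
	## Observation window per originator (assumed value).
	const window = 60sec &redef;
}

type Counter: record {
	renames: count &default=0;
	deletes: count &default=0;
	notified: bool &default=F;
};

# Per-originator counters; an entry expires `window` after it was created,
# so each host is judged over a window that starts when it is first seen.
global counters: table[addr] of Counter &create_expire=window;

function bump(c: connection, is_rename: bool)
	{
	local o = c$id$orig_h;
	if ( o !in counters )
		counters[o] = Counter();

	# Records are reference values in Zeek, so updating ctr updates the table entry.
	local ctr = counters[o];
	if ( is_rename )
		++ctr$renames;
	else
		++ctr$deletes;

	if ( ! ctr$notified && ctr$renames + ctr$deletes >= threshold )
		{
		ctr$notified = T;
		NOTICE([$note=SetInfo_Burst,
		        $msg=fmt("%s issued %d renames and %d deletes over SMB2 within %s",
		                 o, ctr$renames, ctr$deletes, window),
		        $conn=c,
		        $identifier=cat(o)]);
		}
	}

event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string)
	{
	bump(c, T);
	}

event smb2_file_delete(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool)
	{
	# delete_pending=F cancels a pending delete-on-close; only count real deletion requests.
	if ( delete_pending )
		bump(c, F);
	}
```

Load it alongside the default SMB scripts (for example `zeek -r capture.pcap smb-setinfo-watch.zeek`, with the file name being an assumption); the notice's `$identifier` keys suppression on the originating address, so a noisy host produces one notice per Zeek's default suppression interval rather than one per request. A backup job or a legitimate bulk migration will also trip this, so the threshold is meant to be tuned against a baseline of normal share activity.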
- smb2_tree_connect_request
- Type: event(c: connection, hdr: SMB2::Header, path: string)
Generated for SMB/CIFS version 2 requests of type tree_connect. This is sent by a client to request access to a particular share on the server.
For more information, see MS-SMB2:2.2.9
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
path – Path of the requested tree.
See also: smb2_message, smb2_tree_connect_response
- smb2_tree_connect_response
- Type: event(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse)
Generated for SMB/CIFS version 2 responses of type tree_connect. This is sent by the server when a tree_connect request is successfully processed.
For more information, see MS-SMB2:2.2.10
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
response – A record with more information related to the response.
See also: smb2_message, smb2_tree_connect_request
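The request/response pair above can be correlated to confirm which share a client actually reached, as in this added example (not code from the Zeek documentation or distribution): the request handler remembers the requested path under the message id, and the response handler raises a notice when a connect to an administrative share succeeded. It relies on the `message_id` and `status` fields of `SMB2::Header`, which are not listed in this section; the share list, module name and notice type are assumptions to be tuned per environment.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Correlates SMB2 TREE_CONNECT requests with their responses and raises a
# notice when a client successfully connects to an administrative share.
# The share list, module name and notice type are assumptions.
@load base/frameworks/notice

module SMBAdminShare;

export {
	redef enum Notice::Type += {
		## A client successfully connected to an administrative share.
		Admin_Share_Connect,
	};

	## Share names treated as administrative (assumed list; tune per environment).
	const admin_shares: set[string] = { "ADMIN$", "C$", "D$", "IPC$" } &redef;
}

# Outstanding TREE_CONNECT requests keyed by connection uid and SMB2 message id,
# holding the requested path until the matching response is seen.
global pending: table[string, count] of string &write_expire=30sec;

# Return the share component of a UNC path such as \\server\ADMIN$, i.e. the
# last non-empty backslash-separated component (assumed path form).
function share_name(path: string): string
	{
	local parts = split_string(path, /\\/);
	local i = |parts|;
	while ( i > 0 )
		{
		--i;
		if ( parts[i] != "" )
			return parts[i];
		}
	return "";
	}

event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
	{
	# hdr$message_id is a field of SMB2::Header not listed in this section.
	pending[c$uid, hdr$message_id] = path;
	}

event smb2_tree_connect_response(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse)
	{
	if ( [c$uid, hdr$message_id] !in pending )
		return;

	local path = pending[c$uid, hdr$message_id];
	delete pending[c$uid, hdr$message_id];

	# hdr$status is the NTSTATUS of the response; 0 is STATUS_SUCCESS.
	if ( hdr$status != 0 )
		return;

	if ( to_upper(share_name(path)) in admin_shares )
		NOTICE([$note=Admin_Share_Connect,
		        $msg=fmt("%s connected to administrative share %s", c$id$orig_h, path),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, path)]);
	}
```

Keying the table on both the connection uid and the message id matters because SMB2 clients pipeline requests, so several tree connects can be outstanding on one connection at once. `IPC$` is included in the assumed list because it is the share named-pipe traffic (DCE-RPC) runs over; on many networks it is far too common to alert on, in which case drop it from `admin_shares` and rely on the DCE-RPC analyzer instead.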
- smb2_tree_disconnect_request
- Type: event(c: connection, hdr: SMB2::Header)
Generated for SMB/CIFS version 2 requests of type tree disconnect. This is sent by the client to logically disconnect client access to a server resource.
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
See also: smb2_message
- smb2_tree_disconnect_response
- Type: event(c: connection, hdr: SMB2::Header)
Generated for SMB/CIFS version 2 responses of type tree disconnect. This is sent by the server to confirm that client access to a server resource has been logically disconnected.
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
See also: smb2_message
- smb2_write_request
- Type: event(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)
Generated for SMB/CIFS version 2 requests of type write. This is sent by the client to write data to the file or named pipe on the server.
For more information, see MS-SMB2:2.2.21
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
file_id – The GUID being used for the file.
offset – How far into the file this write should be taking place.
length – The number of bytes of the file being written.
See also: smb2_message
- smb2_write_response
- Type: event(c: connection, hdr: SMB2::Header, length: count)
Generated for SMB/CIFS version 2 responses of type write. This is sent by the server in response to a write request to a file or named pipe on the server.
For more information, see MS-SMB2:2.2.22
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
length – The number of bytes the server reports having written.
See also: smb2_message
- smb2_transform_header
- Type: event(c: connection, hdr: SMB2::Transform_header)
Generated for SMB/CIFS version 3.x transform_header. This is used by the client or server when sending encrypted messages.
For more information, see MS-SMB2:2.2.41
- Parameters:
c – The connection.
hdr – The parsed transform header, which starts with the magic \xFDSMB and differs from the SMB1 and SMB2 headers.
See also: smb2_message
- smb2_message
- Type: event(c: connection, hdr: SMB2::Header, is_orig: bool)
Generated for SMB/CIFS version 2 messages.
See Wikipedia for more information about the SMB/CIFS protocol. Zeek’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
- Parameters:
c – The connection.
hdr – The parsed header of the SMB version 2 message.
is_orig – True if the message came from the originator side.
See also: smb1_message
- smb2_discarded_messages_state
- Type: event(c: connection, state: string)
Generated for SMB/CIFS version 2 connections for which pending read, ioctl or tree requests exceed the SMB::max_pending_messages setting. This event indicates either traffic loss, traffic load-balancing issues, or failures to parse or match SMB responses with SMB requests. When this event is raised, internal per-connection parser state has been reset.
- Parameters:
c – The affected connection.
state – String describing what kind of state was affected. One of read, ioctl or tree.
- smb_pipe_connect_heuristic
- Type: event(c: connection)
Generated for SMB connections when a named pipe has been detected heuristically. This comes up when the drive mapping isn’t seen, so the analyzer is not able to determine whether to send the data to the files framework or to the DCE_RPC analyzer. This heuristic can be tuned by adding or removing “named pipe” names from the SMB::pipe_filenames const.
- Parameters:
c – The connection.
- smb_discarded_dce_rpc_analyzers
- Type: event(c: connection)
Generated for SMB when the number of DCE-RPC analyzers exceeds SMB::max_dce_rpc_analyzers. Occurrence of this event may indicate traffic loss, traffic load-balancing issues or abnormal SMB protocol usage.
- Parameters:
c – The connection.
Zeek::SMTP
SMTP analyzer
Components
Options/Constants
- SMTP::bdat_max_line_length
-
The maximum line length within a BDAT chunk before a forceful linebreak is introduced and a weird is raised. Conventionally, MIME messages have a maximum line length of 1000 octets when properly encoded.
Events
- smtp_request
- Type: event(c: connection, is_orig: bool, command: string, arg: string)
Generated for client-side SMTP commands.
See Wikipedia for more information about the SMTP protocol.
- Parameters:
c – The connection.
is_orig – True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “request” might still come from the TCP-level responder. In practice, however, that will rarely happen as TURN is considered insecure and rarely used.
command – The request’s command, without any arguments.
arg – The request command’s arguments.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, smtp_reply
Note
Zeek does not support the newer ETRN extension yet.
- smtp_reply
-
Generated for server-side SMTP commands.
See Wikipedia for more information about the SMTP protocol.
- Parameters:
c – The connection.
is_orig – True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “reply” might still come from the TCP-level originator. In practice, however, that will rarely happen as TURN is considered insecure and rarely used.
code – The reply’s numerical code.
cmd – TODO.
msg – The reply’s textual description.
cont_resp – True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, smtp_request
Note
Zeek doesn’t support the newer ETRN extension yet.
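The smtp_request and smtp_reply events above, together with the fact that no SMTP events are raised once smtp_starttls has fired, give enough to watch authentication from a defender's side. The following is an added example, not code from the Zeek documentation or distribution: any AUTH command Zeek can parse was necessarily sent before STARTTLS, so it is reported as cleartext authentication (the credential material in `arg` is never logged, only the mechanism name), and 535 replies are counted per client to surface password guessing. The module name, notice types, threshold and window are assumptions; the event signatures are those documented above.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Watches SMTP AUTH exchanges: any AUTH command Zeek sees was sent in
# cleartext (no SMTP events follow STARTTLS), and 535 "authentication
# failed" replies are counted per client.
# Module name, notice types, threshold and window are assumptions.
@load base/frameworks/notice

module SMTPAuthWatch;

export {
	redef enum Notice::Type += {
		## Repeated SMTP 535 (authentication failed) replies to one client.
		Auth_Failure_Burst,
		## An AUTH command observed in cleartext, i.e. before any STARTTLS.
		Cleartext_Auth,
	};

	## 535 replies within `failure_window` that trigger a notice (assumed value).
	const failure_threshold = 10 &redef;
	## Window over which failures are counted (assumed value).
	const failure_window = 5min &redef;
}

# Failed-auth counters per client address, expiring after the window.
global failures: table[addr] of count &create_expire=failure_window;

# Connections with an AUTH exchange in progress.
global pending_auth: set[string];

event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
	{
	if ( to_upper(command) != "AUTH" )
		return;

	add pending_auth[c$uid];

	# Report only the SASL mechanism; arg may also carry base64 credentials.
	local mech = split_string1(arg, / /)[0];
	NOTICE([$note=Cleartext_Auth,
	        $msg=fmt("cleartext SMTP AUTH %s from %s", mech, c$id$orig_h),
	        $conn=c,
	        $identifier=cat(c$id$orig_h),
	        $suppress_for=1hr]);
	}

event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool)
	{
	if ( c$uid !in pending_auth )
		return;

	# Multi-line reply: wait for the final line before judging the outcome.
	if ( cont_resp )
		return;

	# 334 is a SASL challenge; the AUTH exchange is still in progress.
	if ( code == 334 )
		return;

	delete pending_auth[c$uid];

	if ( code != 535 )
		return;

	local o = c$id$orig_h;
	if ( o !in failures )
		failures[o] = 0;
	++failures[o];

	if ( failures[o] == failure_threshold )
		NOTICE([$note=Auth_Failure_Burst,
		        $msg=fmt("%d SMTP authentication failures from %s within %s",
		                 failures[o], o, failure_window),
		        $conn=c,
		        $identifier=cat(o)]);
	}

event connection_state_remove(c: connection)
	{
	delete pending_auth[c$uid];
	}
```

The `cont_resp` check is the part most often forgotten: servers frequently answer AUTH failures with a multi-line 535 reply, and acting on the first line would count one failure per line. The TURN role flip mentioned in the parameter descriptions is ignored here, as the documentation notes it is rarely used in practice.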
- smtp_data
- Type: event(c: connection, is_orig: bool, data: string)
Generated for DATA transmitted on SMTP sessions. This event is raised for subsequent chunks of raw data following the DATA SMTP command until the corresponding end marker “.” is seen. A handler may want to reassemble the pieces as they come in if stream-analysis is required.
See Wikipedia for more information about the SMTP protocol.
- Parameters:
c – The connection.
is_orig – True if the sender of the data is the originator of the TCP connection.
data – The raw data. Note that the size of each chunk is undefined and depends on specifics of the underlying TCP connection.
See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_reply, smtp_request, skip_smtp_data
Note
This event receives the unprocessed raw data. There is a separate set of mime_* events that strip out the outer MIME layer of emails and provide structured access to their content.
- smtp_unexpected
- Type: event(c: connection, is_orig: bool, msg: string, detail: string)
Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the state of SMTP sessions and reports with this event commands and other activity that it sees even though it would not expect them at the current point of the communication.
See Wikipedia for more information about the SMTP protocol.
- Parameters:
c – The connection.
is_orig – True if the sender of the unexpected activity is the originator of the TCP connection.
msg – A descriptive message of what was unexpected.
detail – The actual SMTP line triggering the event.
See also: smtp_data, smtp_request, smtp_reply
- smtp_starttls
- Type: event(c: connection)
Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS. After this event no more SMTP events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.
- Parameters:
c – The connection.
Functions
- skip_smtp_data
- Type: function(c: connection): any
Skips SMTP data until the next email in a connection.
- Parameters:
c – The SMTP connection.
See also: skip_http_entity_data
Zeek::SNMP
SNMP analyzer
Components
Types
- SNMP::Header
- Type:
- version: count
- v1: SNMP::HeaderV1 &optional – Set when version is 0.
- v2: SNMP::HeaderV2 &optional – Set when version is 1.
- v3: SNMP::HeaderV3 &optional – Set when version is 3.
A generic SNMP header data structure that may include data from any version of SNMP. The value of the version field determines which header field is initialized.
- SNMP::HeaderV1
-
The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.
- SNMP::HeaderV2
-
The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.
- SNMP::HeaderV3
- Type:
- id: count
- max_size: count
- flags: count
- auth_flag: bool
- priv_flag: bool
- reportable_flag: bool
- security_model: count
- security_params: string
- pdu_context: SNMP::ScopedPDU_Context &optional
The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.
- SNMP::TrapPDU
- Type:
- enterprise: string
- agent: addr
- generic_trap: int
- specific_trap: int
- time_stamp: count
- bindings: SNMP::Bindings
A Trap-PDU data structure from RFC 1157.
- SNMP::BulkPDU
- Type:
- request_id: int
- non_repeaters: count
- max_repetitions: count
- bindings: SNMP::Bindings
A BulkPDU data structure from RFC 3416.
- SNMP::ScopedPDU_Context
-
The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e. just the “context” fields). See RFC 3412.
- SNMP::ObjectValue
- Type:
- tag: count
A generic SNMP object value that may include any of the valid ObjectSyntax values from RFC 1155 or RFC 3416. The value is decoded whenever possible and assigned to the appropriate field, which can be determined from the value of the tag field. For tags that can’t be mapped to an appropriate type, the octets field holds the BER-encoded ASN.1 content if there is any (though octets may also be used for other tags such as OCTET STRING or Opaque). Null values will only have their corresponding tag value set.
- SNMP::Binding
- Type:
- oid: string
- value: SNMP::ObjectValue
The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.
- SNMP::Bindings
- Type:
A VarBindList data structure from either RFC 1157 or RFC 3416. A sequence of SNMP::Binding, which maps OIDs to values.
Events
- snmp_get_request
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_get_next_request
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_response
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_set_request
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_trap
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::TrapPDU)
An SNMP Trap-PDU message from RFC 1157.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_get_bulk_request
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU)
An SNMP GetBulkRequest-PDU message from RFC 3416.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_inform_request
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
An SNMP InformRequest-PDU message from RFC 3416.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_trapV2
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
An SNMP SNMPv2-Trap-PDU message from RFC 1157.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_report
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
An SNMP Report-PDU message from RFC 3416.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
pdu – An SNMP PDU data structure.
- snmp_unknown_pdu
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, tag: count)
An SNMP PDU message of unknown type.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
tag – The tag of the unknown SNMP PDU.
- snmp_unknown_scoped_pdu
- Type: event(c: connection, is_orig: bool, header: SNMP::Header, tag: count)
An SNMPv3 ScopedPDUData of unknown type (neither a plaintext nor an encrypted PDU was in the datagram).
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
tag – The tag of the unknown SNMP PDU scope.
- snmp_encrypted_pdu
- Type: event(c: connection, is_orig: bool, header: SNMP::Header)
An SNMPv3 encrypted PDU message.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
header – SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.
- snmp_unknown_header_version
- Type: event(c: connection, is_orig: bool, version: count)
A datagram with an unknown SNMP version.
- Parameters:
c – The connection over which the SNMP datagram is sent.
is_orig – The endpoint which sent the SNMP datagram.
version – The value of the unknown SNMP version.
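The SNMP::Header record and the request events above are enough to audit what security level SNMP is actually running at on a network: versions 0 and 1 (SNMPv1 and SNMPv2c) are authenticated only by a community string, and an SNMPv3 header's auth_flag and priv_flag say whether the message is integrity-protected and encrypted. The following is an added example, not code from the Zeek documentation or distribution; the module name and notice types are assumptions, and the event signatures and record fields are those documented above.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Audits the security level of SNMP requests from the SNMP::Header record:
# SNMPv1/v2c requests are community-string based, and an SNMPv3 header
# carries auth_flag/priv_flag. Module name and notice types are assumptions.
@load base/frameworks/notice

module SNMPSecAudit;

export {
	redef enum Notice::Type += {
		## An SNMPv1/v2c SET request, authenticated only by a community string.
		Community_Set_Request,
		## An SNMPv3 request sent with neither authentication nor privacy.
		V3_NoAuthNoPriv,
	};
}

# Derive a security-level label from the header. version 0 is SNMPv1,
# version 1 is SNMPv2c and version 3 is SNMPv3 (see SNMP::Header above).
function security_level(h: SNMP::Header): string
	{
	if ( h?$v3 )
		{
		if ( h$v3$priv_flag )
			return "authPriv";
		if ( h$v3$auth_flag )
			return "authNoPriv";
		return "noAuthNoPriv";
		}
	return h$version == 0 ? "v1-community" : "v2c-community";
	}

function audit(c: connection, h: SNMP::Header, op: string)
	{
	local lvl = security_level(h);

	if ( lvl == "noAuthNoPriv" )
		NOTICE([$note=V3_NoAuthNoPriv,
		        $msg=fmt("SNMPv3 %s request without auth/priv from %s to %s",
		                 op, c$id$orig_h, c$id$resp_h),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, c$id$resp_h),
		        $suppress_for=1hr]);
	else if ( ! h?$v3 && op == "set" )
		NOTICE([$note=Community_Set_Request,
		        $msg=fmt("SNMP %s SET request from %s to %s", lvl, c$id$orig_h, c$id$resp_h),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, c$id$resp_h),
		        $suppress_for=1hr]);
	}

event snmp_get_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
	{
	audit(c, header, "get");
	}

event snmp_get_next_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
	{
	audit(c, header, "get-next");
	}

event snmp_get_bulk_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU)
	{
	audit(c, header, "get-bulk");
	}

event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
	{
	audit(c, header, "set");
	}
```

One caveat a practitioner should expect: SNMPv3 engine discovery legitimately starts with a noAuthNoPriv request, so every manager/agent pair produces at least one V3_NoAuthNoPriv notice when it first talks; the `$suppress_for` keeps that to one per hour per pair, and a stricter deployment would restrict the v3 check to SET requests only. Reads over v1/v2c are deliberately left alone here since they are still common on management networks, but the same `audit` function makes it a one-line change to notice on them as well.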
Zeek::SOCKS
SOCKS analyzer
Components
Events
- socks_request
- Type: event(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string)
Generated when a SOCKS request is analyzed.
- Parameters:
c – The parent connection of the proxy.
version – The version of SOCKS this message used.
request_type – The type of the request.
sa – Address that the tunneled traffic should be sent to.
p – The destination port for the proxied traffic.
user – Username given for the SOCKS connection. This is not yet implemented for SOCKSv5.
- socks_reply
- Type: event(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port)
Generated when a SOCKS reply is analyzed.
- Parameters:
c – The parent connection of the proxy.
version – The version of SOCKS this message used.
reply – The status reply from the server.
sa – The address that the server sent the traffic to.
p – The destination port for the proxied traffic.
- socks_login_userpass_request
- Type:
event
(c:connection
, user:string
, password:string
)
Generated when a SOCKS client performs username and password based login.
- Parameters:
c – The parent connection of the proxy.
user – The given username.
password – The given password.
- socks_login_userpass_reply
- Type:
event
(c:connection
, code:count
)
Generated when a SOCKS server replies to a username/password login attempt.
- Parameters:
c – The parent connection of the proxy.
code – The response code for the attempted login.
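The four SOCKS events above are enough for a small policy script: report proxy requests that do not go through a proxy the organisation operates, and report username/password logins, whose credentials cross the wire in cleartext (RFC 1929). The script below is an added example, not one of Zeek's shipped scripts. It assumes SOCKS::Address is a record with optional fields host (addr) and name (string), which the page does not list; the sanctioned_proxies set and the notice names are this example's own.

```zeek
@load base/frameworks/notice
@load base/protocols/socks

module SOCKSWatch;

export {
    redef enum Notice::Type += {
        Unsanctioned_Proxy_Request,   # SOCKS request through a proxy we do not operate
        Cleartext_Login,              # RFC 1929 username/password sent in the clear
    };

    # Proxies allowed on this network; this example's policy, empty by default.
    const sanctioned_proxies: set[addr] = {} &redef;
}

# Render the requested destination. SOCKS::Address carries either a literal
# address ($host) or a host name ($name); both field names are assumed here.
function destination(sa: SOCKS::Address): string
    {
    if ( sa?$host )
        return cat(sa$host);
    if ( sa?$name )
        return sa$name;
    return "<unknown>";
    }

event socks_request(c: connection, version: count, request_type: count,
                    sa: SOCKS::Address, p: port, user: string)
    {
    if ( c$id$resp_h in sanctioned_proxies )
        return;

    local dst = destination(sa);
    # user is only filled in for SOCKSv4 (see the event description above).
    local who = user == "" ? "" : fmt(" user=%s", user);
    NOTICE([$note=Unsanctioned_Proxy_Request, $conn=c,
            $msg=fmt("SOCKS%d request type %d via %s to %s:%s%s",
                     version, request_type, c$id$resp_h, dst, p, who),
            $identifier=cat(c$id$resp_h, dst, p)]);
    }

event socks_login_userpass_request(c: connection, user: string, password: string)
    {
    # Record the user and the password length only; the password itself
    # must not end up in notice.log.
    NOTICE([$note=Cleartext_Login, $conn=c,
            $msg=fmt("SOCKS5 cleartext login to %s as %s (%d-byte password)",
                     c$id$resp_h, user, |password|),
            $identifier=cat(c$id$resp_h, user)]);
    }
```

A request is not a tunnel: the server may refuse it. To report only tunnels that were actually granted, keep the request on the connection record and raise the notice from socks_reply instead, where reply code 90 (SOCKSv4) or 0 (SOCKSv5) indicates success.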
Zeek::Spicy
Support for Spicy parsers (.hlto)
Zeek::SSH
Secure Shell analyzer
Components
Types
- SSH::Algorithm_Prefs
- Type:
The client and server each have some preferences for the algorithms used in each direction.
- SSH::Capabilities
- Type:
-
- kex_algorithms:
string_vec
Key exchange algorithms
- server_host_key_algorithms:
string_vec
The algorithms supported for the server host key
- encryption_algorithms:
SSH::Algorithm_Prefs
Symmetric encryption algorithm preferences
- mac_algorithms:
SSH::Algorithm_Prefs
Symmetric MAC algorithm preferences
- compression_algorithms:
SSH::Algorithm_Prefs
Compression algorithm preferences
- languages:
SSH::Algorithm_Prefs
&optional
Language preferences
- is_server:
bool
Are these the capabilities of the server?
This record lists the preferences of an SSH endpoint for algorithm selection. During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. See RFC 4253#section-7.1 for details.
Events
- ssh_server_version
- Type:
event
(c:connection
, version:string
)
An SSH Protocol Version Exchange message from the server. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.
- Parameters:
c – The connection over which the message was sent.
version – The identification string
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret, ssh_server_pre_banner_data
- ssh_client_version
- Type:
event
(c:connection
, version:string
)
An SSH Protocol Version Exchange message from the client. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.
- Parameters:
c – The connection over which the message was sent.
version – The identification string
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh_auth_successful
- Type:
event
(c:connection
, auth_method_none:bool
)
This event is generated when an SSH connection was determined to have had a successful authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication success, this event is not raised.
- Parameters:
c – The connection over which the SSH connection took place.
auth_method_none – This is true if the analyzer detected a successful connection before any authentication challenge. The SSH protocol provides a mechanism for unauthenticated access, which some servers support.
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh_auth_attempted
- Type:
event
(c:connection
, authenticated:bool
)
This event is generated when an SSH connection was determined to have had an authentication attempt. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about whether or not an authentication attempt occurred, this event is not raised.
At this point in the protocol, all we can determine is whether or not the user is authenticated. We don’t know if the particular attempt succeeded or failed, since some servers require multiple authentications (e.g. require both a password AND a pubkey), and could return an authentication failed message which is marked as a partial success.
This event will often be raised multiple times per connection. In almost all connections, it will be raised once unless
- Parameters:
c – The connection over which the SSH connection took place.
authenticated – This is true if the analyzer detected a successful connection from the authentication attempt.
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh_capabilities
- Type:
event
(c:connection
, cookie:string
, capabilities:SSH::Capabilities
)
During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. This event is generated for each endpoint, when the SSH_MSG_KEXINIT message is seen. See RFC 4253#section-7.1 for details.
- Parameters:
c – The connection over which the SSH connection took place.
cookie – The SSH_MSG_KEXINIT cookie - a random value generated by the sender.
capabilities – The list of algorithms and languages that the sender advertises support for, in order of preference.
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh2_server_host_key
- Type:
event
(c:connection
, key:string
)
During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH2.
- Parameters:
c – The connection over which the SSH connection took place.
key – The server’s public host key. Note that this is the public key itself, and not just the fingerprint or hash.
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh1_server_host_key
- Type:
event
(c:connection
, modulus:string
, exponent:string
)
During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1.
- Parameters:
c – The connection over which the SSH connection took place.
modulus – The prime modulus of the server’s public host key.
exponent – The exponent of the server’s public host key.
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh_server_host_key
- Type:
event
(c:connection
, hash:string
)
During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1 or SSH2 and provides a fingerprint of the server’s host key.
- Parameters:
c – The connection over which the SSH connection took place.
hash – An MD5 fingerprint of the server’s host key. For SSH2, this is the hash of the “server public host key” string as seen on the wire in the Diffie-Hellman key exchange reply message (the string itself, excluding the 4-byte length associated with it), which is also the key parameter of ssh2_server_host_key. For SSH1, this is the hash of the combined multiprecision integer strings representing the RSA1 key’s prime modulus and public exponent (concatenated in that order) as seen on the wire, which are also the parameters of ssh1_server_host_key. In either case, the hash is the same “fingerprint” string as presented by traditional tools (ssh, ssh-keygen, etc.) and is the hexadecimal representation of all 16 MD5 hash bytes delimited by colons. Note that current OpenSSH prints SHA256 fingerprints by default; use ssh-keygen -l -E md5 to obtain the matching MD5 form when comparing against this value.
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh_encrypted_packet
- Type:
event
(c:connection
, orig:bool
, len:count
)
This event is generated when an SSH encrypted packet is seen. This event is not handled by default, but is provided for heuristic analysis scripts. Note that you have to set SSH::disable_analyzer_after_detection to false to use this event. This carries a performance penalty.
- Parameters:
c – The connection over which the SSH connection took place.
orig – Whether the packet was sent by the originator of the TCP connection.
len – The length of the SSH payload, in bytes. Note that this ignores reassembly, as this is unknown.
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh2_dh_server_params
- Type:
event
(c:connection
, p:string
, q:string
)
Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the server DH parameters, which are sent in the SSH_MSG_KEX_DH_GEX_GROUP message as defined in RFC 4419#section-3.
- Parameters:
c – The connection.
p – The DH prime modulus.
q – The DH generator (RFC 4419 calls this value g; the parameter keeps the name q here).
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh2_gss_error
- Type:
event
(c:connection
, major_status:count
, minor_status:count
, err_msg:string
)
In the event of a GSS-API error on the server, the server MAY send an error message with some additional details. This event is generated when such an error message is seen. For more information, see RFC 4462#section-2.1.
- Parameters:
c – The connection.
major_status – GSS-API major status code.
minor_status – GSS-API minor status code.
err_msg – Detailed human-readable error message
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh2_ecc_key
- Type:
event
(c:connection
, is_orig:bool
, q:string
)
The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the client’s or server’s ephemeral public key is seen. For more information, see: RFC 5656#section-4.
- Parameters:
c – The connection.
is_orig – Did this message come from the originator?
q – The ephemeral public key
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh2_ecc_init
- Type:
event
(c:connection
, is_orig:bool
)
The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the SSH_MSG_KEX_ECDH_INIT or SSH_MSG_ECMQV_INIT message is observed. By definition, these need to originate from the client and not from the server. For more information, see: RFC 5656#section-4.
- Parameters:
c – The connection.
is_orig – Did this message come from the originator?
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh2_dh_gex_init
- Type:
event
(c:connection
, is_orig:bool
)
Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the direction of the key exchange setup, which is indicated by the SSH_MSG_KEX_DH_GEX_INIT message as defined in RFC 4419#section-3.
- Parameters:
c – The connection.
is_orig – Did this message come from the originator?
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh2_gss_init
- Type:
event
(c:connection
, is_orig:bool
)
In the event of a GSS-API key exchange, this event is raised on SSH_MSG_KEXGSS_INIT message. For more information see RFC 4462#section-2.1.
- Parameters:
c – The connection.
is_orig – Did this message come from the originator?
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh2_rsa_secret
- Type:
event
(c:connection
, is_orig:bool
)
In the event of an RSA key exchange (RFC 4432), this event is raised on the SSH_MSG_KEXRSA_PUBKEY message. This message is sent first by the server, after which the client responds with a SSH_MSG_KEXRSA_SECRET message. For more information see RFC 4432#section-4.
- Parameters:
c – The connection.
is_orig – Did this message come from the originator?
See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_successful, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key, ssh2_ecc_init, ssh2_dh_gex_init, ssh2_gss_init, ssh2_rsa_secret
- ssh_server_pre_banner_data
- Type:
event
(c:connection
, data:string
)
SSH servers can send textual data to the client before sending a banner. The primary use case of this is error messages from TCP wrappers.
As this event happens before the SSH banner is exchanged, it is possible that it contains data from different protocols; e.g. if an SSH client connects to a non-SSH-server.
- Parameters:
c – The connection.
data – The pre-banner data.
See also:
ssh_server_version
Zeek::SSL
SSL/TLS and DTLS analyzers
Components
Options/Constants
- SSL::dtls_max_version_errors
-
Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. DTLS does not immediately stop parsing a connection because other protocols might be interleaved in the same UDP “connection”.
- SSL::dtls_max_reported_version_errors
-
Maximum number of invalid version errors to report in one DTLS connection.
- SSL::max_alerts_per_record
-
Maximum number of Alert messages parsed from an SSL record with content_type alert (21). The remaining alerts are discarded. For TLS 1.3 connections, this is implicitly 1 as defined by RFC 8446.
Types
Events
- ssl_client_hello
- Type:
event
(c:connection
, version:count
, record_version:count
, possible_ts:time
, client_random:string
, session_id:string
, ciphers:index_vec
, comp_methods:index_vec
)
Generated for an SSL/TLS client’s initial hello message. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to the initial information sent by the client.
See Wikipedia for more information about the SSL/TLS protocol.
- Parameters:
c – The connection.
version – The protocol version as extracted from the client’s message. The values are standardized as part of the SSL/TLS protocol. The SSL::version_strings table maps them to descriptive names.
record_version – TLS version given in the record layer of the message. Set to 0 for SSLv2.
possible_ts – The current time as sent by the client. Note that SSL/TLS does not require clocks to be set correctly, so treat with care.
session_id – The session ID sent by the client (if any).
client_random – The random value sent by the client. For version 2 connections, the client challenge is returned.
ciphers – The list of ciphers the client offered to use. The values are standardized as part of the SSL/TLS protocol. The SSL::cipher_desc table maps them to descriptive names.
comp_methods – The list of compression methods that the client offered to use. This value is not sent in TLSv1.3 or SSLv2.
See also: ssl_alert, ssl_established, ssl_extension, ssl_server_hello, ssl_session_ticket_handshake, x509_certificate, ssl_handshake_message, ssl_change_cipher_spec, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms, ssl_connection_flipped
- ssl_server_hello
- Type:
event
(c:connection
, version:count
, record_version:count
, possible_ts:time
, server_random:string
, session_id:string
, cipher:count
, comp_method:count
)
Generated for an SSL/TLS server’s initial hello message. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to the initial information sent by the server.
See Wikipedia for more information about the SSL/TLS protocol.
- Parameters:
c – The connection.
version – The protocol version as extracted from the server’s message. The values are standardized as part of the SSL/TLS protocol. The SSL::version_strings table maps them to descriptive names.
record_version – TLS version given in the record layer of the message. Set to 0 for SSLv2.
possible_ts – The current time as sent by the server. Note that SSL/TLS does not require clocks to be set correctly, so treat with care. This value is meaningless in SSLv2 and TLSv1.3.
session_id – The session ID as sent back by the server (if any). This value is not sent in TLSv1.3.
server_random – The random value sent by the server. For version 2 connections, the connection-id is returned. Note - the full 32 bytes are included in server_random. This means that the 4 bytes present in possible_ts are repeated; if you do not want this behavior ignore the first 4 bytes.
cipher – The cipher chosen by the server. The values are standardized as part of the SSL/TLS protocol. The SSL::cipher_desc table maps them to descriptive names.
comp_method – The compression method chosen by the server. The values are standardized as part of the SSL/TLS protocol. This value is not sent in TLSv1.3 or SSLv2.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_extension, ssl_session_ticket_handshake, x509_certificate, ssl_dh_server_params, ssl_handshake_message, ssl_change_cipher_spec, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms, ssl_connection_flipped
- ssl_extension
- Type:
event
(c:connection
, is_client:bool
, code:count
, val:string
)
Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to any extensions either side sends as part of an extended hello message.
Note that Zeek offers more specialized events for a few extensions.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
code – The numerical code of the extension. The values are standardized as part of the SSL/TLS protocol. The SSL::extensions table maps them to descriptive names.
val – The raw extension value that was sent in the message.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension_ec_point_formats, ssl_extension_elliptic_curves, ssl_extension_application_layer_protocol_negotiation, ssl_extension_server_name, ssl_extension_signature_algorithm, ssl_extension_key_share, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_connection_flipped, ssl_extension_connection_id
- ssl_extension_elliptic_curves
- Type:
event
(c:connection
, is_client:bool
, curves:index_vec
)
Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is defined in RFC 4492 and sent by the client in the initial handshake. It gives the list of elliptic curves supported by the client.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
curves – List of supported elliptic curves.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_ec_point_formats, ssl_extension_application_layer_protocol_negotiation, ssl_extension_server_name, ssl_extension_signature_algorithm, ssl_extension_key_share, ssl_rsa_client_pms, ssl_server_signature, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_ec_point_formats
- Type:
event
(c:connection
, is_client:bool
, point_formats:index_vec
)
Generated for an SSL/TLS Supported Point Formats extension. This TLS extension is defined in RFC 4492 and sent by the client and/or server in the initial handshake. It gives the list of elliptic curve point formats supported by the sender.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
point_formats – List of supported point formats.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_application_layer_protocol_negotiation, ssl_extension_server_name, ssl_extension_signature_algorithm, ssl_extension_key_share, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms, ssl_server_signature, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_signature_algorithm
- Type:
event
(c:connection
, is_client:bool
, signature_algorithms:signature_and_hashalgorithm_vec
)
Generated for a Signature Algorithms extension. This TLS extension is defined in RFC 5246 and sent by the client in the initial handshake. It gives the list of signature and hash algorithms supported by the client.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
signature_algorithms – List of supported signature and hash algorithm pairs.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_application_layer_protocol_negotiation, ssl_extension_server_name, ssl_extension_key_share, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms, ssl_server_signature, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_key_share
- Type:
event
(c:connection
, is_client:bool
, curves:index_vec
)
Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 (now RFC 8446) and sent by the client and the server in the initial handshake. It gives the list of named groups supported by the client and chosen by the server.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
curves – List of supported/chosen named groups.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_application_layer_protocol_negotiation, ssl_extension_server_name, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms, ssl_server_signature, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_pre_shared_key_client_hello
- Type:
event
(c:connection
, is_client:bool
, identities:psk_identity_vec
, binders:string_vec
)
Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
The extension lists the identities the client is willing to negotiate with the server; they can either be pre-shared or be based on previous handshakes.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
identities – A list of the identities the client is willing to negotiate with the server.
binders – A series of HMAC values; for computation, see the TLS 1.3 RFC.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_application_layer_protocol_negotiation, ssl_extension_server_name, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms, ssl_server_signature, ssl_extension_pre_shared_key_server_hello, ssl_extension_connection_id
- ssl_extension_pre_shared_key_server_hello
- Type:
event
(c:connection
, is_client:bool
, selected_identity:count
)
Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
selected_identity – The identity the server chose as a 0-based index into the identities the client sent.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_application_layer_protocol_negotiation, ssl_extension_server_name, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms, ssl_server_signature, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_ecdh_server_params
- Type:
event
(c:connection
, curve:count
, point:string
)
Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve. This event contains the named curve and the server ECDH parameters contained in the ServerKeyExchange message as defined in RFC 4492.
- Parameters:
c – The connection.
curve – The curve parameters.
point – The server’s ECDH public key.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_server_signature, ssl_dh_client_params, ssl_ecdh_client_params, ssl_rsa_client_pms
- ssl_dh_server_params
- Type:
event
(c:connection
, p:string
, q:string
, Ys:string
)
Generated if a server uses a DH-anon or DHE cipher suite. This event contains the server DH parameters, contained in the ServerKeyExchange message as defined in RFC 5246.
- Parameters:
c – The connection.
p – The DH prime modulus.
q – The DH generator.
Ys – The server’s DH public key.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_server_signature, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms
- ssl_server_signature
- Type:
event
(c:connection
, signature_and_hashalgorithm:SSL::SignatureAndHashAlgorithm
, signature:string
)
Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event contains the server signature over the key exchange parameters contained in the ServerKeyExchange message as defined in RFC 4492 and RFC 5246.
- Parameters:
c – The connection.
signature_and_hashalgorithm – Signature and hash algorithm used for the digitally_signed struct. This field is only present starting with TLSv1.2 and DTLSv1.2. Earlier versions used a hardcoded hash algorithm. For protocol versions below (D)TLSv1.2 this field is filled with a dummy value of 256.
signature – Signature part of the digitally_signed struct. The private key corresponding to the certified public key in the server’s certificate message is used for signing.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_rsa_client_pms, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params
- ssl_ecdh_client_params
- Type:
event
(c:connection
, point:string
)
Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event contains the client ECDH public value contained in the ClientKeyExchange message as defined in RFC 4492.
- Parameters:
c – The connection.
point – The client’s ECDH public key.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_server_signature, ssl_dh_client_params, ssl_ecdh_server_params, ssl_rsa_client_pms
- ssl_dh_client_params
- Type: event (c: connection, Yc: string)
Generated if a client uses a DH-anon or DHE cipher suite. This event contains the client DH parameters contained in the ClientKeyExchange message as defined in RFC 5246.
- Parameters:
c – The connection.
Yc – The client’s DH public key.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_server_signature, ssl_ecdh_server_params, ssl_ecdh_client_params, ssl_rsa_client_pms
- ssl_rsa_client_pms
- Type: event (c: connection, pms: string)
Generated if a client uses RSA key exchange. This event contains the client's encrypted pre-master secret, which is encrypted using the public key of the server's certificate as defined in RFC 5246.
- Parameters:
c – The connection.
pms – The encrypted pre-master secret.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_server_signature, ssl_dh_client_params, ssl_ecdh_server_params, ssl_ecdh_client_params
- ssl_extension_application_layer_protocol_negotiation
- Type: event (c: connection, is_client: bool, protocols: string_vec)
Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in the initial handshake. It contains the list of supported application protocols as sent by the client or the server, respectively.
At the moment it is mostly used to negotiate the use of SPDY / HTTP2.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
protocols – List of supported application layer protocols.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_ec_point_formats, ssl_extension_server_name, ssl_extension_key_share, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_extension_signed_certificate_timestamp, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_server_name
- Type: event (c: connection, is_client: bool, names: string_vec)
Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is defined in RFC 3546 and sent by the client in the initial handshake. It contains the name of the server it is contacting. This information can be used by the server to choose the correct certificate for the host the client wants to contact.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
names – A list of server names (DNS hostnames).
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_ec_point_formats, ssl_extension_application_layer_protocol_negotiation, ssl_extension_key_share, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_extension_signed_certificate_timestamp, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_signed_certificate_timestamp
- Type: event (c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
Generated for the signed_certificate_timestamp TLS extension as defined in RFC 6962. The extension is used to transmit signed proofs that are used for Certificate Transparency.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
version – The version of the protocol to which the SCT conforms. Should always be 0 (representing version 1).
logid – 32 bit key id.
timestamp – The NTP time at which the entry was logged, measured in milliseconds since the epoch, ignoring leap seconds.
signature_and_hashalgorithm – Signature and hash algorithm used for the digitally_signed struct.
signature – Signature part of the digitally_signed struct.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_ec_point_formats, ssl_extension_server_name, ssl_extension_key_share, ssl_extension_psk_key_exchange_modes, ssl_extension_supported_versions, ssl_extension_application_layer_protocol_negotiation, x509_ocsp_ext_signed_certificate_timestamp, sct_verify, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_supported_versions
- Type: event (c: connection, is_client: bool, versions: index_vec)
Generated for a TLS Supported Versions extension. This TLS extension is defined in the TLS 1.3 RFC and sent by the client in the initial handshake. It contains the TLS versions that the client supports. This information can be used by the server to choose the best TLS version to use.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
versions – List of supported TLS versions.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_ec_point_formats, ssl_extension_application_layer_protocol_negotiation, ssl_extension_key_share, ssl_extension_server_name, ssl_extension_psk_key_exchange_modes, ssl_extension_signed_certificate_timestamp, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_psk_key_exchange_modes
- Type: event (c: connection, is_client: bool, modes: index_vec)
Generated for a TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined in the TLS 1.3 RFC and sent by the client in the initial handshake. It contains the list of Pre-Shared Key Exchange Modes that the client supports.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
modes – List of supported Pre-Shared Key Exchange Modes.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_ec_point_formats, ssl_extension_application_layer_protocol_negotiation, ssl_extension_key_share, ssl_extension_server_name, ssl_extension_supported_versions, ssl_extension_signed_certificate_timestamp, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello, ssl_extension_connection_id
- ssl_extension_connection_id
- Type: event (c: connection, is_client: bool, cid: string)
Generated for a DTLS Connection ID extension. This extension is defined in RFC 9146 and sent by the client or the server to signify that Connection IDs should be used for the connection.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
cid – The connection ID given by the client or the server.
See also: ssl_alert, ssl_client_hello, ssl_established, ssl_server_hello, ssl_session_ticket_handshake, ssl_extension, ssl_extension_elliptic_curves, ssl_extension_ec_point_formats, ssl_extension_application_layer_protocol_negotiation, ssl_extension_key_share, ssl_extension_server_name, ssl_extension_supported_versions, ssl_extension_signed_certificate_timestamp, ssl_extension_pre_shared_key_server_hello, ssl_extension_pre_shared_key_client_hello
- ssl_established
- Type: event (c: connection)
Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event signals the point at which an SSL/TLS session has finished the handshake and its endpoints consider it fully established. Typically, everything from now on will be encrypted.
See Wikipedia for more information about the SSL/TLS protocol.
- Parameters:
c – The connection.
See also: ssl_alert, ssl_client_hello, ssl_extension, ssl_server_hello, ssl_session_ticket_handshake, x509_certificate
- ssl_alert
- Type: event (c: connection, is_client: bool, level: count, desc: count)
Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. If, during that handshake, an endpoint encounters a fatal error, it sends an alert record, which in turn triggers this event. After an alert, any endpoint may close the connection immediately.
See Wikipedia for more information about the SSL/TLS protocol.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
level – The severity level, as sent in the alert. The values are defined as part of the SSL/TLS protocol.
desc – A numerical value identifying the cause of the alert. The values are defined as part of the SSL/TLS protocol.
See also: ssl_client_hello, ssl_established, ssl_extension, ssl_server_hello, ssl_session_ticket_handshake
- ssl_session_ticket_handshake
- Type: event (c: connection, ticket_lifetime_hint: count, ticket: string)
Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event is raised when an SSL/TLS server passes a session ticket to the client that can later be used for resuming the session. The mechanism is described in RFC 4507.
See Wikipedia for more information about the SSL/TLS protocol.
- Parameters:
c – The connection.
ticket_lifetime_hint – A hint from the server about how long the ticket should be stored by the client.
ticket – The raw ticket data.
See also: ssl_client_hello, ssl_established, ssl_extension, ssl_server_hello, ssl_alert
- ssl_heartbeat
- Type: event (c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
Generated for SSL/TLS heartbeat messages that are sent before session encryption starts. Generally heartbeat messages should rarely be seen in normal TLS traffic. Heartbeats are described in RFC 6520.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
length – length of the entire heartbeat message.
heartbeat_type – type of the heartbeat message. Per RFC, 1 = request, 2 = response.
payload_length – length of the payload of the heartbeat message, according to packet field.
payload – payload contained in the heartbeat message. Size can differ from payload_length, if payload_length and actual packet length disagree.
See also: ssl_client_hello, ssl_established, ssl_extension, ssl_server_hello, ssl_alert, ssl_encrypted_data
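The remark that payload size and payload_length can disagree is the whole point of this event for a defender: RFC 6520 requires a receiver to discard a request whose declared length exceeds the bytes present, and a peer that answers such a request anyway is the condition worth recording. Zeek ships its own heartbleed policy script; the handler below is a stand-alone added example (not from the Zeek documentation or distribution) that shows the comparison and additionally reports any cleartext heartbeat at all, since the description says these are rare. Module and notice names are assumptions.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Compares the declared payload_length of a cleartext heartbeat request
# with the bytes actually carried. Module and notice names are assumptions.
@load base/frameworks/notice
@load base/protocols/ssl

module HeartbeatCheck;

export {
	redef enum Notice::Type += {
		## A cleartext heartbeat request claimed more payload than it carried.
		Oversized_Request,
		## A cleartext heartbeat was seen at all; rare in normal traffic.
		Cleartext_Heartbeat
	};
}

# HeartbeatMessageType values from RFC 6520.
const HEARTBEAT_REQUEST = 1;
const HEARTBEAT_RESPONSE = 2;

event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
	{
	local who = is_client ? "client" : "server";

	# This event only fires before encryption starts, so any hit is already
	# unusual and gets a low-priority notice of its own.
	NOTICE([$note=Cleartext_Heartbeat,
	        $msg=fmt("%s sent a cleartext heartbeat (type %d, %d bytes)", who, heartbeat_type, length),
	        $conn=c, $identifier=c$uid]);

	if ( heartbeat_type != HEARTBEAT_REQUEST )
		return;

	# |payload| is what Zeek actually saw; payload_length is what the sender
	# claimed. A claim larger than the data present must be discarded by a
	# compliant peer, so the mismatch itself is the finding.
	if ( payload_length > |payload| )
		NOTICE([$note=Oversized_Request,
		        $msg=fmt("%s heartbeat request declares %d payload bytes but carries %d",
		                 who, payload_length, |payload|),
		        $conn=c, $identifier=c$uid]);
	}
```

Responses are not checked here: whether a response is larger than the request it answers requires pairing the two messages, which the single-event form above does not attempt.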
- ssl_plaintext_data
- Type: event (c: connection, is_client: bool, record_version: count, content_type: count, length: count)
Generated for SSL/TLS messages that are sent before full session encryption starts. Note that “full encryption” is a bit fuzzy, especially for TLSv1.3; this event will be raised for early packets that are already using pre-encryption. This event is also used by Zeek internally to determine whether the connection has been completely set up, which is necessary because TLS 1.3 no longer has a CCS message.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
record_version – TLS version given in the record layer of the message. Set to 0 for SSLv2.
content_type – message type as reported by TLS session layer. Not populated for SSLv2.
length – length of the entire message.
See also: ssl_client_hello, ssl_established, ssl_extension, ssl_server_hello, ssl_alert, ssl_heartbeat
- ssl_encrypted_data
- Type: event (c: connection, is_client: bool, record_version: count, content_type: count, length: count)
Generated for SSL/TLS messages that are sent after session encryption started.
Note that SSL::disable_analyzer_after_detection has to be changed from its default to false for this event to be generated.
Also note that, for DTLS 1.3, it is not always possible to give an exact length for the payload transported in the packet. If connection IDs are used, the length provided is the length of the entire packet without the first byte (the unified header). If no connection IDs are used, the length given is the actual payload length. Connection IDs are negotiated with the connection ID extension in the client or server hello.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
record_version – TLS version given in the record layer of the message. Set to 0 for SSLv2.
content_type – message type as reported by TLS session layer. Not populated for SSLv2.
length – length of the encrypted payload in the record.
See also: ssl_client_hello, ssl_established, ssl_extension, ssl_server_hello, ssl_alert, ssl_heartbeat, ssl_probable_encrypted_handshake_message, ssl_extension_connection_id
- ssl_probable_encrypted_handshake_message
- Type: event (c: connection, is_client: bool, length: count)
This event is generated for application data records of TLS 1.3 connections that are suspected to contain handshake messages.
In TLS 1.3, large parts of the handshake are encrypted; the only cleartext packets typically exchanged are the client hello and the server hello. The first few packets after the client and server hello, however, are a continuation of the handshake and still include handshake data.
This event is raised for those packets that are suspected to be handshake records, including the finished record.
The heuristic is: all application data records after the server hello are handshake records until at least one application data record has been received from both the server and the client. Typically, the server will send more records before the client sends its first application data record, and the first application data record of the client will typically include the finished message.
Given the encrypted nature of the protocol, in some cases this determination is not correct; the client can send more handshake packets before the finished message, e.g., when client certificates are used.
Note that ssl_encrypted_data is also raised for these messages.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
length – length of the entire message.
See also: ssl_client_hello, ssl_established, ssl_server_hello, ssl_encrypted_data
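Since ssl_encrypted_data fires for every encrypted record and ssl_probable_encrypted_handshake_message only for the ones the heuristic attributes to the handshake, the two together let a script split a TLS 1.3 connection's encrypted bytes into handshake and application shares per side, which makes unusually large handshakes (long certificate chains, client certificates) visible without decryption. The script below is an added example, not part of the Zeek documentation or distribution; the module, log name and record layout are assumptions, and it depends on the disable_analyzer_after_detection setting the ssl_encrypted_data description requires.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Accounts encrypted TLS bytes per side as "probable handshake" versus
# "application data" and writes one line per connection to a new log.
# Module, log path and record layout are assumptions of the example.
@load base/protocols/ssl

# Without this the SSL analyzer detaches once the protocol is detected and
# ssl_encrypted_data is never raised (see the event description).
redef SSL::disable_analyzer_after_detection = F;

module TLSAccounting;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts: time &log;
		uid: string &log;
		id: conn_id &log;
		## Bytes in records the heuristic attributes to the handshake, per side.
		hs_client: count &log &default=0;
		hs_server: count &log &default=0;
		## Remaining encrypted application_data bytes, per side.
		app_client: count &log &default=0;
		app_server: count &log &default=0;
	};
}

redef record connection += {
	tls_acct: Info &optional;
	# All encrypted application_data bytes seen, before splitting.
	tls_enc_client: count &default=0;
	tls_enc_server: count &default=0;
};

# application_data content type (RFC 8446). TLS 1.3 wraps the encrypted part
# of the handshake in records of this type too, which is why the heuristic exists.
const APPLICATION_DATA = 23;

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="tls_acct"]);
	}

function acct(c: connection): Info
	{
	if ( ! c?$tls_acct )
		c$tls_acct = [$ts=network_time(), $uid=c$uid, $id=c$id];
	return c$tls_acct;
	}

event ssl_probable_encrypted_handshake_message(c: connection, is_client: bool, length: count)
	{
	local a = acct(c);
	if ( is_client )
		a$hs_client += length;
	else
		a$hs_server += length;
	}

event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
	{
	if ( content_type != APPLICATION_DATA )
		return;
	acct(c);
	if ( is_client )
		c$tls_enc_client += length;
	else
		c$tls_enc_server += length;
	}

event connection_state_remove(c: connection)
	{
	if ( ! c?$tls_acct )
		return;
	local a = c$tls_acct;
	# ssl_encrypted_data is raised for the handshake records as well, so the
	# application share is the remainder. The guard covers the case where the
	# heuristic misattributed records (e.g. client certificates) and the
	# handshake count exceeds the total.
	a$app_client = c$tls_enc_client > a$hs_client ? c$tls_enc_client - a$hs_client : 0;
	a$app_server = c$tls_enc_server > a$hs_server ? c$tls_enc_server - a$hs_server : 0;
	Log::write(LOG, a);
	}
```

Fields are named by client and server rather than originator and responder because is_client, as the parameter description notes, does not always coincide with the originator.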
- ssl_stapled_ocsp
- Type: event (c: connection, is_client: bool, response: string)
This event contains the OCSP response contained in a Certificate Status Request message, when the client requested OCSP stapling and the server supports it. See description in RFC 6066.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
response – OCSP data.
- ssl_handshake_message
- Type: event (c: connection, is_client: bool, msg_type: count, length: count)
This event is raised for each unencrypted SSL/TLS handshake message.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
msg_type – Type of the handshake message that was seen.
length – Length of the handshake message that was seen.
See also: ssl_alert, ssl_established, ssl_extension, ssl_server_hello, ssl_session_ticket_handshake, x509_certificate, ssl_client_hello, ssl_change_cipher_spec, ssl_connection_flipped, ssl_certificate_request
- ssl_change_cipher_spec
- Type: event (c: connection, is_client: bool)
This event is raised when an SSL/TLS ChangeCipherSpec message is encountered before encryption begins. Traffic will be encrypted following this message.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
See also: ssl_alert, ssl_established, ssl_extension, ssl_server_hello, ssl_session_ticket_handshake, x509_certificate, ssl_client_hello, ssl_handshake_message
- ssl_connection_flipped
- Type: event (c: connection)
Zeek typically assumes that the originator of a connection is the client of the SSL/TLS session. In some scenarios this does not hold, and the responder of a connection is the client, and the initiator is the server.
In these cases, Zeek raises this event. Connection direction is detected by looking at the server hello, client hello, and hello request handshake messages.
- Parameters:
c – The connection.
See also: ssl_alert, ssl_established, ssl_extension, ssl_server_hello, ssl_session_ticket_handshake, x509_certificate, ssl_client_hello, ssl_handshake_message
- ssl_certificate_request
- Type: event (c: connection, is_client: bool, certificate_types: index_vec, supported_signature_algorithms: signature_and_hashalgorithm_vec, certificate_authorities: string_vec)
This event is raised when a Certificate Request handshake message is encountered. This message can be used by a TLS server to request a client certificate.
- Parameters:
c – The connection.
is_client – True if event is raised for the client side of the connection (the side that sends the client hello). This is typically equivalent with the originator, but does not have to be in all circumstances.
certificate_types – List of the types of certificates that the client may offer.
supported_signature_algorithms – List of hash/signature algorithm pairs that the server supports, listed in descending order of preference.
certificate_authorities – List of distinguished names of certificate authorities that are acceptable to the server. The individual entries are DER encoded; parse_distinguished_name can be used to decode the strings.
See also: ssl_handshake_message, x509_certificate, ssl_server_hello, ssl_client_hello, parse_distinguished_name
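Which issuers a server will accept client certificates from is useful inventory information (it shows, for instance, an internal PKI being trusted on an external-facing service), and the DER-encoded names in certificate_authorities can be made readable with parse_distinguished_name. The handler below is an added example, not from the Zeek documentation or distribution; it decodes the names and attaches them to ssl.log through a new SSL::Info field whose name is an assumption. Because the event is only raised for handshake messages Zeek can parse in cleartext, this covers TLS 1.2 and earlier, where the CertificateRequest is unencrypted.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Decodes the CA names from a CertificateRequest and records them in
# ssl.log. The field name client_cert_cas is an assumption.
@load base/protocols/ssl

redef record SSL::Info += {
	## Distinguished names of CAs acceptable to the server (RFC 2253 form).
	client_cert_cas: vector of string &log &optional;
};

event ssl_certificate_request(c: connection, is_client: bool, certificate_types: index_vec, supported_signature_algorithms: signature_and_hashalgorithm_vec, certificate_authorities: string_vec)
	{
	# Only a server sends a CertificateRequest; c$ssl is set once the
	# handshake has been seen, but guard against it anyway.
	if ( is_client || ! c?$ssl )
		return;

	local names: vector of string = vector();

	for ( i in certificate_authorities )
		{
		local dn = parse_distinguished_name(certificate_authorities[i]);

		# An empty string means the DER could not be decoded. Keep a marker
		# with the raw length so a malformed entry is visible rather than
		# silently dropped.
		if ( dn == "" )
			dn = fmt("<undecodable %d bytes>", |certificate_authorities[i]|);

		names += dn;
		}

	c$ssl$client_cert_cas = names;
	}
```

An empty certificate_authorities vector is legitimate: the server then accepts any issuer, and the logged field simply stays empty.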
Functions
- set_ssl_established
- Type: function (c: connection) : bool
Sets whether the SSL analyzer should consider the connection established (handshake finished successfully).
- Parameters:
c – The SSL connection.
- Returns:
T on success, F on failure.
- set_secret
- Type: function (c: connection, secret: string) : bool
Set the secret that should be used to derive keys for the connection. (For TLS 1.2 this is the pre-master secret).
- Parameters:
c – The affected connection
secret – secret to set
- Returns:
T on success, F on failure.
- set_keys
- Type: function (c: connection, keys: string) : bool
Set the decryption keys that should be used to decrypt TLS application data in the connection.
- Parameters:
c – The affected connection
keys – The key buffer as derived via TLS PRF.
- Returns:
T on success, F on failure.
- parse_distinguished_name
- Type: function
Decodes a DER-encoded distinguished name into an ASCII string, using the RFC 2253 representation.
- Parameters:
dn – DER encoded distinguished name
- Returns:
ASCII representation on success, empty string on failure.
See also: ssl_certificate_request
Zeek::StreamEvent
Delivers stream data as events
Components
Events
- stream_deliver
- Type: event (c: connection, is_orig: bool, data: string)
Generated for each chunk of reassembled TCP payload.
This is a low-level event to inspect stream data from the originator and responder endpoints. This can be useful for debugging purposes, or for logging of plain-text interactive sessions when no more appropriate analyzer is available.
Note that this event is potentially expensive if connections that have the stream event analyzer attached carry significant amounts of data. Generally, a native protocol parser will have much less overhead than passing the complete stream data to the scripting layer.
- Parameters:
c – The connection.
is_orig – T if stream data is from the originator-side, else F.
data – The raw payload.
See also: stream_undelivered, tcp_contents
- stream_undelivered
- Type: event (c: connection, is_orig: bool, seq: count, len: count)
Generated when Zeek detects a gap in a reassembled TCP payload stream.
- Parameters:
c – The connection.
is_orig – T if the gap is in the originator-side input, else F.
seq – The sequence number of the first byte of the gap.
len – The length of the gap.
See also: stream_deliver, content_gap
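The use case the description names, logging a plain-text interactive session where no protocol analyzer exists, needs two things the events above provide together: chunks arrive at arbitrary boundaries, so lines have to be reassembled per direction, and a gap reported by stream_undelivered means the bytes on either side of it must not be joined into one line. The script below is an added example, not part of the Zeek documentation or distribution. It assumes that Analyzer::register_for_ports can activate the stream event analyzer (Analyzer::ANALYZER_STREAM_EVENT) for a port, uses 2323/tcp as an assumed port, and writes to a log whose name and layout are likewise assumptions.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Reassembles line-oriented cleartext from stream_deliver per direction and
# logs one record per complete line. Assumptions: the analyzer can be
# registered per port as shown, 2323/tcp as the port, and the log layout.
module LineLog;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts: time &log;
		uid: string &log;
		is_orig: bool &log;
		line: string &log;
	};

	## Ports on which the stream event analyzer is attached (assumed value).
	const ports: set[port] = { 2323/tcp } &redef;

	## Longest partial line kept while waiting for a newline (assumed limit).
	const max_partial = 4096 &redef;
}

# Per-direction buffer holding the bytes after the last newline.
redef record connection += {
	ll_buf_orig: string &default="";
	ll_buf_resp: string &default="";
};

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="lines"]);
	Analyzer::register_for_ports(Analyzer::ANALYZER_STREAM_EVENT, ports);
	}

event stream_deliver(c: connection, is_orig: bool, data: string)
	{
	local buf = (is_orig ? c$ll_buf_orig : c$ll_buf_resp) + data;
	local parts = split_string(buf, /\r?\n/);

	# split_string always returns at least one element; the last one is the
	# text after the final newline, i.e. a not yet complete line.
	for ( i in parts )
		{
		if ( i == |parts| - 1 )
			break;
		Log::write(LOG, [$ts=network_time(), $uid=c$uid, $is_orig=is_orig, $line=parts[i]]);
		}

	local rest = parts[|parts| - 1];
	# A stream that never sends a newline must not grow the buffer forever.
	if ( |rest| > max_partial )
		rest = "";

	if ( is_orig )
		c$ll_buf_orig = rest;
	else
		c$ll_buf_resp = rest;
	}

event stream_undelivered(c: connection, is_orig: bool, seq: count, len: count)
	{
	# Bytes are missing from the stream; discard the partial line rather than
	# gluing text from before and after the hole together.
	if ( is_orig )
		c$ll_buf_orig = "";
	else
		c$ll_buf_resp = "";
	}
```

The performance warning in the description applies in full: every byte on the registered ports crosses into the scripting layer, so this is for a handful of low-volume ports, not a general capture.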
Zeek::Syslog
Syslog analyzer UDP-only
Components
Events
- syslog_message
- Type: event (c: connection, facility: count, severity: count, msg: string)
Generated for monitored Syslog messages.
See Wikipedia for more information about the Syslog protocol.
- Parameters:
c – The connection record for the underlying transport-layer session/flow.
facility – The “facility” included in the message.
severity – The “severity” included in the message.
msg – The message logged.
Note
Zeek currently parses only UDP syslog traffic.
Zeek::TCP
TCP analyzer
Components
Types
- TCP::Option
- Type: record
A TCP Option field parsed from a TCP header.
- kind: count
The kind number associated with the option. Other optional fields of this record may be set depending on this value.
- length: count
The total length of the option in bytes, including the kind byte and length byte (if present).
- data: string &optional
This field is set to the raw option bytes if the kind is not otherwise known/parsed. It’s also set for known kinds whose length was invalid.
- mss: count &optional
Kind 2: Maximum Segment Size.
- window_scale: count &optional
Kind 3: Window scale.
- sack: index_vec &optional
Kind 5: Selective ACKnowledgement (SACK). This is a list of 2, 4, 6, or 8 numbers, each consecutive pair being a 32-bit begin pointer and a 32-bit end pointer.
- send_timestamp: count &optional
Kind 8: 4-byte sender timestamp value.
- echo_timestamp: count &optional
Kind 8: 4-byte echo reply timestamp value.
- rate: count &optional
Kind 27: TCP Quick Start Response value.
- TCP::OptionList
- Type: vector of TCP::Option
The full list of TCP Option fields parsed from a TCP header.
Events
- new_connection_contents
- Type: event (c: connection)
Generated when reassembly starts for a TCP connection. This event is raised at the moment when Zeek’s TCP analyzer enables stream reassembly for a connection.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_established, connection_finished, connection_first_ACK, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, partial_connection
- connection_attempt
- Type: event (c: connection)
Generated for an unsuccessful connection attempt. This event is raised when an originator unsuccessfully attempted to establish a connection. “Unsuccessful” is defined as at least tcp_attempt_delay seconds having elapsed since the originator first sent a connection establishment packet to the destination without seeing a reply.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_established, connection_finished, connection_first_ACK, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection
- connection_established
- Type: event (c: connection)
Generated when seeing a SYN-ACK packet from the responder in a TCP handshake. An associated SYN packet was not seen from the originator side if its state is not set to TCP_ESTABLISHED. The final ACK of the handshake in response to the SYN-ACK may or may not occur later; one way to tell is to check the history field of connection to see whether the originator sent an ACK, indicated by ‘A’ in the history string.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_finished, connection_first_ACK, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection
- partial_connection
- Type: event (c: connection)
Generated for a new active TCP connection if Zeek did not see the initial handshake. This event is raised when Zeek has observed traffic from each endpoint, but the activity did not begin with the usual connection establishment.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_established, connection_finished, connection_first_ACK, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents
- connection_partial_close
- Type: event (c: connection)
Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence. When the endpoint has sent one of these packets, Zeek waits tcp_partial_close_delay before generating the event, to give the other endpoint a chance to close the connection normally.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_established, connection_finished, connection_first_ACK, connection_half_finished, connection_pending, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection
- connection_finished
- Type: event (c: connection)
Generated for a TCP connection that finished normally. The event is raised when a regular FIN handshake from both endpoints was observed.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_established, connection_first_ACK, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection
- connection_half_finished
- Type: event (c: connection)
Generated when one endpoint of a TCP connection attempted to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state. This can happen due to split routing, in which Zeek only sees one side of a connection.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_established, connection_finished, connection_first_ACK, connection_partial_close, connection_pending, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection
- connection_rejected
- Type: event (c: connection)
Generated for a rejected TCP connection. This event is raised when an originator attempted to set up a TCP connection but the responder replied with an RST packet denying it.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_established, connection_finished, connection_first_ACK, connection_half_finished, connection_partial_close, connection_pending, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection
Note
If the responder does not respond at all, connection_attempt is raised instead. If the responder initially accepts the connection but aborts it later, Zeek first generates connection_established and then connection_reset.
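The note above separates the three outcomes cleanly: no reply at all (connection_attempt), a RST in answer to the SYN (connection_rejected), and a RST after establishment (connection_reset). The first two are what a defender counts to spot a host sweeping ports or addresses. The script below is an added example, not part of the Zeek documentation or distribution; Zeek's own scan detection lives in separate policy scripts. It counts failures per originator in an expiring table and raises one notice per host and window. Module, notice name, threshold and window are assumptions.

```zeek
# Added example, not part of the Zeek documentation or distribution.
# Counts unanswered and rejected TCP connection attempts per originator.
# Module, notice name, threshold and window are assumed values.
@load base/frameworks/notice

module FailedConns;

export {
	redef enum Notice::Type += {
		## A host accumulated many failed TCP connection attempts.
		Many_Failures
	};

	## Failures within one window that trigger the notice (assumed value).
	const threshold = 25 &redef;

	## Entries expire this long after creation, which resets the count.
	const window = 5min &redef;
}

# Failures per originating host. &create_expire bounds memory and makes the
# count window-based without any explicit timer handling.
global failures: table[addr] of count &create_expire=window &default=0;

# Hosts already reported in the current window, so one sweep gives one
# notice instead of one per further attempt.
global reported: set[addr] &create_expire=window;

function record_failure(c: connection, why: string)
	{
	local h = c$id$orig_h;
	failures[h] += 1;

	if ( failures[h] < threshold || h in reported )
		return;

	add reported[h];
	NOTICE([$note=Many_Failures,
	        $src=h,
	        $msg=fmt("%s had %d failed TCP connections within %s (latest: %s to %s:%s)",
	                 h, failures[h], window, why, c$id$resp_h, c$id$resp_p),
	        $identifier=cat(h)]);
	}

# connection_attempt is only raised after tcp_attempt_delay seconds without
# a reply (see its description), so unanswered SYNs count with that lag.
event connection_attempt(c: connection)
	{
	record_failure(c, "no reply");
	}

event connection_rejected(c: connection)
	{
	record_failure(c, "RST");
	}
```

connection_reset is deliberately left out: per the note it follows an established connection, so it indicates an abort rather than a failed attempt.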
- connection_reset
- Type: event (c: connection)
Generated when an endpoint aborted a TCP connection. The event is raised when one endpoint of an established TCP connection aborted it by sending an RST packet.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_established, connection_finished, connection_first_ACK, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection
- connection_pending
- Type: event (c: connection)
Generated for each still-open TCP connection when Zeek terminates.
- Parameters:
c – The connection.
See also: connection_EOF, connection_SYN_packet, connection_attempt, connection_established, connection_finished, connection_first_ACK, connection_half_finished, connection_partial_close, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection, zeek_done
- connection_SYN_packet
- Type: event (c: connection, pkt: SYN_packet)
Generated for a SYN packet. Zeek raises this event for every SYN packet seen by its TCP analyzer.
- Parameters:
c – The connection.
pkt – Information extracted from the SYN packet.
See also: connection_EOF, connection_attempt, connection_established, connection_finished, connection_first_ACK, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, connection_reused, connection_state_remove, connection_status_update, connection_timeout, scheduled_analyzer_applied, new_connection, new_connection_contents, partial_connection
Note
This event has quite low-level semantics and can potentially be expensive to generate. It should only be used if one really needs the specific information passed into the handler via the pkt argument. If not, handling one of the other connection_* events is typically the better approach.
- connection_first_ACK
- Type:
event
(c:connection
)
Generated for the first ACK packet seen for a TCP connection from its originator.
- Parameters:
c – The connection.
See also:
connection_EOF
,connection_SYN_packet
,connection_attempt
,connection_established
,connection_finished
,connection_half_finished
,connection_partial_close
,connection_pending
,connection_rejected
,connection_reset
,connection_reused
,connection_state_remove
,connection_status_update
,connection_timeout
,scheduled_analyzer_applied
,new_connection
,new_connection_contents
,partial_connection
Note
This event has quite low-level semantics and should be used only rarely.
- connection_EOF
- Type:
event
(c:connection
, is_orig:bool
)
Generated at the end of reassembled TCP connections. The TCP reassembler raises the event once for each endpoint of a connection when it has finished reassembling the corresponding side of the communication.
- Parameters:
c – The connection.
is_orig – True if the event is raised for the originator side.
See also:
connection_SYN_packet
,connection_attempt
,connection_established
,connection_finished
,connection_first_ACK
,connection_half_finished
,connection_partial_close
,connection_pending
,connection_rejected
,connection_reset
,connection_reused
,connection_state_remove
,connection_status_update
,connection_timeout
,scheduled_analyzer_applied
,new_connection
,new_connection_contents
,partial_connection
- tcp_packet
- Type:
event
(c:connection
, is_orig:bool
, flags:string
, seq:count
, ack:count
, len:count
, payload:string
)
Generated for every TCP packet. This is a very low-level and expensive event that should be avoided when at all possible. It’s usually infeasible to handle when processing even medium volumes of traffic in real-time. It’s slightly better than
new_packet
because it affects only TCP, but not much. That said, if you work from a trace and want to do some packet-level analysis, it may come in handy.
- Parameters:
c – The connection the packet is part of.
is_orig – True if the packet was sent by the connection’s originator.
flags – A string with the packet’s TCP flags. In the string, each character corresponds to one set flag, as follows: S -> SYN; F -> FIN; R -> RST; A -> ACK; P -> PUSH; U -> URGENT.
seq – The packet’s relative TCP sequence number.
ack – If the ACK flag is set for the packet, the packet’s relative ACK number, else zero.
len – The length of the TCP payload, as specified in the packet header.
payload – The raw TCP payload. Note that this may be shorter than len if the packet was not fully captured.
See also:
new_packet
,packet_contents
,tcp_option
,tcp_contents
,tcp_rexmit
- tcp_option
- Type:
event
(c:connection
, is_orig:bool
, opt:count
, optlen:count
)
Generated for each option found in a TCP header. Like many of the
tcp_*
events, this is a very low-level event and potentially expensive as it may be raised very often.
- Parameters:
c – The connection the packet is part of.
is_orig – True if the packet was sent by the connection’s originator.
opt – The numerical option number, as found in the TCP header.
optlen – The length of the options value.
See also:
tcp_packet
,tcp_contents
,tcp_rexmit
,tcp_options
Note
To inspect the actual option values, if any, use
tcp_options
.
- tcp_options
- Type:
event
(c:connection
, is_orig:bool
, options:TCP::OptionList
)
Generated for each TCP header that contains TCP options. This is a very low-level event and potentially expensive as it may be raised very often.
- Parameters:
c – The connection the packet is part of.
is_orig – True if the packet was sent by the connection’s originator.
options – The list of options parsed out of the TCP header.
See also:
tcp_packet
,tcp_contents
,tcp_rexmit
,tcp_option
- tcp_contents
- Type:
event
(c:connection
, is_orig:bool
, seq:count
, contents:string
)
Generated for each chunk of reassembled TCP payload. When content delivery is enabled for a TCP connection (via
tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_orig
,tcp_content_deliver_all_resp
), this event is raised for each chunk of in-order payload reconstructed from the packet stream. Note that this event is potentially expensive if many connections carry significant amounts of data as then all that data needs to be passed on to the scripting layer.
- Parameters:
c – The connection the payload is part of.
is_orig – True if the packet was sent by the connection’s originator.
seq – The sequence number corresponding to the first byte of the payload chunk.
contents – The raw payload, which will be non-empty.
See also:
tcp_packet
,tcp_option
,tcp_rexmit
,tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_resp
,tcp_content_deliver_all_orig
Note
The payload received by this event is the same that is also passed into application-layer protocol analyzers internally. Subsequent invocations of this event for the same connection receive non-overlapping in-order chunks of its TCP payload stream. It is however undefined what size each chunk has; while Zeek passes the data on as soon as possible, specifics depend on network-level effects such as latency, acknowledgements, reordering, etc.
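The following is an added example, not part of the Zeek documentation, showing how to enable content delivery for one responder port and handle the chunks this event produces. The port (4444/tcp) is a placeholder for an in-house service without its own analyzer, and the script accumulates the first bytes of each direction because chunk boundaries are undefined.

```zeek
# Added example (not from the Zeek documentation).
# Enable delivery of the in-order payload for a placeholder service port,
# in both directions. 4444/tcp is an assumption, not a documented value.
redef tcp_content_delivery_ports_orig += { [4444/tcp] = T };
redef tcp_content_delivery_ports_resp += { [4444/tcp] = T };

# Keep at most this many bytes per direction so memory stays bounded.
const max_keep = 512;

# Per-direction buffers keyed by connection UID; &default avoids explicit
# initialization on first access.
global orig_buf: table[string] of string &default="";
global resp_buf: table[string] of string &default="";

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	# Chunks arrive in order and non-overlapping, but their size depends on
	# network effects, so never treat one chunk as one application message:
	# accumulate until enough of the stream is available.
	if ( is_orig )
		{
		if ( |orig_buf[c$uid]| < max_keep )
			orig_buf[c$uid] = orig_buf[c$uid] + contents;
		}
	else
		{
		if ( |resp_buf[c$uid]| < max_keep )
			resp_buf[c$uid] = resp_buf[c$uid] + contents;
		}
	}

event connection_state_remove(c: connection)
	{
	# Only connections on the delivery port ever populate the buffers.
	if ( c$uid !in orig_buf && c$uid !in resp_buf )
		return;

	print fmt("%s %s -> %s: kept %d orig bytes, %d resp bytes",
	          c$uid, c$id$orig_h, c$id$resp_h,
	          |orig_buf[c$uid]|, |resp_buf[c$uid]|);

	delete orig_buf[c$uid];
	delete resp_buf[c$uid];
	}
```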
- tcp_rexmit
- Type:
event
(c:connection
, is_orig:bool
, seq:count
, len:count
, data_in_flight:count
, window:count
)
Generated for each detected TCP segment retransmission.
- Parameters:
c – The connection the packet is part of.
is_orig – True if the packet was sent by the connection’s originator.
seq – The segment’s relative TCP sequence number.
len – The length of the TCP segment, as specified in the packet header.
data_in_flight – The number of bytes corresponding to the difference between the last sequence number and last acknowledgement number we’ve seen for a given endpoint.
window – the TCP window size.
- tcp_multiple_checksum_errors
- Type:
event
(c:connection
, is_orig:bool
, threshold:count
)
Generated if a TCP flow crosses a checksum-error threshold, per ‘C’/‘c’ history reporting.
- Parameters:
c – The connection record for the TCP connection.
is_orig – True if the event is raised for the originator side.
threshold – The threshold that was crossed.
See also:
udp_multiple_checksum_errors
,tcp_multiple_zero_windows
,tcp_multiple_retransmissions
,tcp_multiple_gap
- tcp_multiple_zero_windows
- Type:
event
(c:connection
, is_orig:bool
, threshold:count
)
Generated if a TCP flow crosses a zero-window threshold, per ‘W’/‘w’ history reporting.
- Parameters:
c – The connection record for the TCP connection.
is_orig – True if the event is raised for the originator side.
threshold – The threshold that was crossed.
See also:
tcp_multiple_checksum_errors
,tcp_multiple_retransmissions
,tcp_multiple_gap
- tcp_multiple_retransmissions
- Type:
event
(c:connection
, is_orig:bool
, threshold:count
)
Generated if a TCP flow crosses a retransmission threshold, per ‘T’/‘t’ history reporting.
- Parameters:
c – The connection record for the TCP connection.
is_orig – True if the event is raised for the originator side.
threshold – The threshold that was crossed.
See also:
tcp_multiple_checksum_errors
,tcp_multiple_zero_windows
,tcp_multiple_gap
- tcp_multiple_gap
- Type:
event
(c:connection
, is_orig:bool
, threshold:count
)
Generated if a TCP flow crosses a gap threshold, per ‘G’/‘g’ history reporting.
- Parameters:
c – The connection record for the TCP connection.
is_orig – True if the event is raised for the originator side.
threshold – The threshold that was crossed.
See also:
tcp_multiple_checksum_errors
,tcp_multiple_zero_windows
,tcp_multiple_retransmissions
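As an added example (not from the Zeek documentation), the four threshold events above can feed the Notice framework so that flows with repeated checksum errors, zero windows, retransmissions or gaps are surfaced alongside the ‘C’/‘W’/‘T’/‘G’ history letters in conn.log. The module name and the notice type are assumptions.

```zeek
# Added example (not from the Zeek documentation).
@load base/frameworks/notice

module TCPHealth;  # assumed module name

export {
	redef enum Notice::Type += {
		## A TCP endpoint crossed one of the per-flow anomaly thresholds.
		TCP_Anomaly_Threshold,
	};
}

function side(is_orig: bool): string
	{
	return is_orig ? "originator" : "responder";
	}

# One notice per (connection, kind, side); the identifier lets the Notice
# framework suppress duplicates when further thresholds are crossed.
function report(c: connection, kind: string, is_orig: bool, threshold: count)
	{
	NOTICE([$note=TCP_Anomaly_Threshold,
	        $conn=c,
	        $msg=fmt("%s crossed %s threshold %d", side(is_orig), kind, threshold),
	        $sub=kind,
	        $identifier=cat(c$uid, kind, is_orig)]);
	}

event tcp_multiple_checksum_errors(c: connection, is_orig: bool, threshold: count)
	{
	# Repeated bad checksums from one side may be capture-side offload
	# artifacts or segments the peer will discard; either way the flow's
	# reassembled view deserves a second look before trusting it.
	report(c, "checksum_errors", is_orig, threshold);
	}

event tcp_multiple_zero_windows(c: connection, is_orig: bool, threshold: count)
	{
	report(c, "zero_windows", is_orig, threshold);
	}

event tcp_multiple_retransmissions(c: connection, is_orig: bool, threshold: count)
	{
	report(c, "retransmissions", is_orig, threshold);
	}

event tcp_multiple_gap(c: connection, is_orig: bool, threshold: count)
	{
	# Gaps usually mean the monitor, not the endpoint, missed data.
	report(c, "gaps", is_orig, threshold);
	}
```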
- contents_file_write_failure
- Type:
event
(c:connection
, is_orig:bool
, msg:string
)
Generated when failing to write contents of a TCP stream to a file.
- Parameters:
c – The connection whose contents are being recorded.
is_orig – Which side of the connection encountered a failure to write.
msg – A reason or description for the failure.
See also:
set_contents_file
,get_contents_file
Functions
- get_orig_seq
-
Get the originator sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).
- Parameters:
cid – The connection ID.
- Returns:
The highest sequence number sent by a connection’s originator, or 0 if cid does not point to an active TCP connection.
See also:
get_resp_seq
- get_resp_seq
-
Get the responder sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).
- Parameters:
cid – The connection ID.
- Returns:
The highest sequence number sent by a connection’s responder, or 0 if cid does not point to an active TCP connection.
See also:
get_orig_seq
- set_contents_file
-
Associates a file handle with a connection for writing TCP byte stream contents.
- Parameters:
cid – The connection ID.
direction –
Controls what sides of the connection to record. The argument can take one of the four values:
CONTENTS_NONE: Stop recording the connection’s content.
CONTENTS_ORIG: Record the data sent by the connection originator (often the client).
CONTENTS_RESP: Record the data sent by the connection responder (often the server).
CONTENTS_BOTH: Record the data sent in both directions. Results in the two directions being intermixed in the file, in the order the data was seen by Zeek.
f – The file handle of the file to write the contents to.
- Returns:
Returns false if cid does not point to an active connection, and true otherwise.
Note
The data recorded to the file reflects the byte stream, not the contents of individual packets. Reordering and duplicates are removed. If any data is missing, the recording stops at the missing data; this can happen, e.g., due to a
content_gap
event.
See also:
get_contents_file
,set_record_packets
,contents_file_write_failure
- get_contents_file
-
Returns the file handle of the contents file of a connection.
- Parameters:
cid – The connection ID.
direction – Controls what sides of the connection to record. See
set_contents_file
for possible values.
- Returns:
The
file
handle for the contents file of the connection identified by cid. If the connection exists but there is no contents file for direction, then the function generates an error and returns a file handle to stderr
.
See also:
set_contents_file
,set_record_packets
,contents_file_write_failure
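The following added example (not from the Zeek documentation) records the reassembled byte stream of connections to one responder port into a per-connection file, and reports the two ways a recording can end up incomplete: a content gap, after which recording stops, and a write failure. The port 2323/tcp and the file-name pattern are assumptions.

```zeek
# Added example (not from the Zeek documentation).
# Placeholder responder port whose streams should be recorded.
const record_port = 2323/tcp &redef;

event connection_established(c: connection)
	{
	if ( c$id$resp_p != record_port )
		return;

	# One file per connection, named after Zeek's connection UID.
	local f = open(fmt("contents_%s.dat", c$uid));

	# CONTENTS_BOTH interleaves both directions in the order Zeek saw them;
	# to keep them apart, open two files and call this twice with
	# CONTENTS_ORIG and CONTENTS_RESP instead.
	if ( ! set_contents_file(c$id, CONTENTS_BOTH, f) )
		print fmt("%s: not an active connection, nothing recorded", c$uid);
	}

event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	# Recording stops at the first missing byte, so note the gap to avoid
	# mistaking the partial file for the complete stream.
	if ( c$id$resp_p == record_port )
		print fmt("%s: %d-byte gap at seq %d on %s side; contents file ends here",
		          c$uid, length, seq, is_orig ? "orig" : "resp");
	}

event contents_file_write_failure(c: connection, is_orig: bool, msg: string)
	{
	print fmt("%s: failed to write %s-side contents: %s",
	          c$uid, is_orig ? "orig" : "resp", msg);
	}
```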
Zeek::WebSocket
WebSocket analyzer
Components
Options/Constants
- WebSocket::payload_chunk_size
-
The WebSocket analyzer consumes and forwards frame payload in chunks to keep memory usage bounded. There should not be a reason to change this value except for debugging and testing reasons.
Types
- WebSocket::AnalyzerConfig
- Type:
-
- analyzer:
Analyzer::Tag
&optional
The analyzer to attach for analysis of the WebSocket frame payload. See use_dpd below for the behavior when unset.
- use_dpd:
bool
&default
=WebSocket::use_dpd_default
&optional
If analyzer is unset, determines whether to attach a PIA_TCP analyzer for dynamic protocol detection with WebSocket payload.
- subprotocol:
string
&optional
The subprotocol as selected by the server, if any.
- server_extensions:
vector
ofstring
&optional
The WebSocket extensions as selected by the server, if any.
Record type that is passed to
WebSocket::configure_analyzer
. This record allows configuring the WebSocket analyzer given parameters collected from HTTP headers.
Events
- websocket_established
- Type:
event
(c:connection
, aid:count
)
Generated when a WebSocket handshake completed.
- Parameters:
c – The WebSocket connection.
aid – The analyzer identifier of the WebSocket analyzer.
See also:
WebSocket::__configure_analyzer
,WebSocket::configure_analyzer
- websocket_frame
- Type:
event
(c:connection
, is_orig:bool
, fin:bool
, rsv:count
, opcode:count
, payload_len:count
)
Generated for every WebSocket frame.
- Parameters:
c – The WebSocket connection.
is_orig – True if the frame is from the originator, else false.
fin – True if the fin bit is set, else false.
rsv – The value of the RSV1, RSV2 and RSV3 bits.
opcode – The frame’s opcode.
payload_len – The frame’s payload length.
- websocket_frame_data
- Type:
event
(c:connection
, is_orig:bool
, data:string
)
Generated for every chunk of WebSocket frame payload data.
Do not use it to extract data from a WebSocket connection except for testing or experimentation. Consider implementing a proper analyzer instead.
- Parameters:
c – The WebSocket connection.
is_orig – True if the frame is from the originator, else false.
data – One data chunk of frame payload. Its length is at most
WebSocket::payload_chunk_size
bytes. A frame with a longer payload will result in multiple events.
See also:
WebSocket::payload_chunk_size
- websocket_message
- Type:
event
(c:connection
, is_orig:bool
, opcode:count
)
Generated for every completed WebSocket message.
- Parameters:
c – The WebSocket connection.
is_orig – True if the frame is from the originator, else false.
opcode – The first frame’s opcode.
- websocket_close
- Type:
event
(c:connection
, is_orig:bool
, status:count
, reason:string
)
Generated for WebSocket Close frames.
- Parameters:
c – The WebSocket connection.
is_orig – True if the frame is from the originator, else false.
status – If the CloseFrame had no payload, this is 0, otherwise the value of the first two bytes in the frame’s payload.
reason – Remaining payload after status. This is capped at 2 bytes less than
WebSocket::payload_chunk_size
.
See also:
WebSocket::payload_chunk_size
Functions
- WebSocket::__configure_analyzer
- Type:
function
(c:connection
, aid:count
, config:WebSocket::AnalyzerConfig
) :bool
Configure the WebSocket analyzer.
Called during
websocket_established
to configure the WebSocket analyzer given the selected protocol and extension as chosen by the server.
- Parameters:
c – The WebSocket connection.
aid – The identifier for the WebSocket analyzer as provided to
websocket_established
.
server_protocol – The protocol as found in the server’s Sec-WebSocket-Protocol HTTP header, or empty.
server_extensions – The extension as selected by the server via the Sec-WebSocket-Extensions HTTP Header.
See also:
websocket_established
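An added example (not from the Zeek documentation) of using the AnalyzerConfig record described above together with the frame event: it assumes that WebSocket::configure_analyzer is a hook that runs before __configure_analyzer during websocket_established, routes the "mqtt" subprotocol to the MQTT analyzer, and flags frames that set RSV bits although the server negotiated no extension. The module name is an assumption.

```zeek
# Added example (not from the Zeek documentation).
@load base/protocols/websocket

module WSPolicy;  # assumed module name

# Connections for which the server selected at least one extension.
global has_extension: set[string];

# Assumption: WebSocket::configure_analyzer is a hook invoked with the
# AnalyzerConfig record before WebSocket::__configure_analyzer is called.
hook WebSocket::configure_analyzer(c: connection, aid: count,
                                   config: WebSocket::AnalyzerConfig)
	{
	if ( config?$server_extensions && |config$server_extensions| > 0 )
		add has_extension[c$uid];

	# Attach a dedicated analyzer for a known subprotocol instead of leaving
	# payload detection to DPD (the behaviour when analyzer stays unset).
	if ( config?$subprotocol && config$subprotocol == "mqtt" )
		config$analyzer = Analyzer::ANALYZER_MQTT;
	}

event websocket_frame(c: connection, is_orig: bool, fin: bool, rsv: count,
                      opcode: count, payload_len: count)
	{
	# RSV1..RSV3 only carry meaning once an extension has been negotiated;
	# a non-zero RSV without one is a protocol violation worth surfacing.
	if ( rsv != 0 && c$uid !in has_extension )
		print fmt("%s: %s frame with RSV=%d but no negotiated extension (opcode %d, %d bytes)",
		          c$uid, is_orig ? "orig" : "resp", rsv, opcode, payload_len);
	}

event connection_state_remove(c: connection)
	{
	delete has_extension[c$uid];
	}
```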
Zeek::XMPP
XMPP analyzer (StartTLS only)
Components
Events
- xmpp_starttls
- Type:
event
(c:connection
)
Generated when an XMPP connection goes encrypted after a successful StartTLS exchange between the client and the server.
- Parameters:
c – The connection.
Zeek::ZIP
Generic ZIP support analyzer