Protocol Analyzers

Analyzer::Tag

Type

enum

Analyzer::ANALYZER_BITTORRENT

Analyzer::ANALYZER_BITTORRENTTRACKER

Analyzer::ANALYZER_CONNSIZE

Analyzer::ANALYZER_DCE_RPC

Analyzer::ANALYZER_DHCP

Analyzer::ANALYZER_DNP3_TCP

Analyzer::ANALYZER_DNP3_UDP

Analyzer::ANALYZER_CONTENTS_DNS

Analyzer::ANALYZER_DNS

Analyzer::ANALYZER_FTP_DATA

Analyzer::ANALYZER_FTP

Analyzer::ANALYZER_FTP_ADAT

Analyzer::ANALYZER_GNUTELLA

Analyzer::ANALYZER_GSSAPI

Analyzer::ANALYZER_HTTP

Analyzer::ANALYZER_ICMP

Analyzer::ANALYZER_IDENT

Analyzer::ANALYZER_IMAP

Analyzer::ANALYZER_IRC

Analyzer::ANALYZER_IRC_DATA

Analyzer::ANALYZER_KRB

Analyzer::ANALYZER_KRB_TCP

Analyzer::ANALYZER_CONTENTS_RLOGIN

Analyzer::ANALYZER_CONTENTS_RSH

Analyzer::ANALYZER_LOGIN

Analyzer::ANALYZER_NVT

Analyzer::ANALYZER_RLOGIN

Analyzer::ANALYZER_RSH

Analyzer::ANALYZER_TELNET

Analyzer::ANALYZER_MODBUS

Analyzer::ANALYZER_MQTT

Analyzer::ANALYZER_MYSQL

Analyzer::ANALYZER_CONTENTS_NCP

Analyzer::ANALYZER_NCP

Analyzer::ANALYZER_CONTENTS_NETBIOSSSN

Analyzer::ANALYZER_NETBIOSSSN

Analyzer::ANALYZER_NTLM

Analyzer::ANALYZER_NTP

Analyzer::ANALYZER_PIA_TCP

Analyzer::ANALYZER_PIA_UDP

Analyzer::ANALYZER_POP3

Analyzer::ANALYZER_RADIUS

Analyzer::ANALYZER_RDP

Analyzer::ANALYZER_RDPEUDP

Analyzer::ANALYZER_RFB

Analyzer::ANALYZER_CONTENTS_NFS

Analyzer::ANALYZER_CONTENTS_RPC

Analyzer::ANALYZER_MOUNT

Analyzer::ANALYZER_NFS

Analyzer::ANALYZER_PORTMAPPER

Analyzer::ANALYZER_SIP

Analyzer::ANALYZER_CONTENTS_SMB

Analyzer::ANALYZER_SMB

Analyzer::ANALYZER_SMTP

Analyzer::ANALYZER_SNMP

Analyzer::ANALYZER_SOCKS

Analyzer::ANALYZER_FINGER

Analyzer::ANALYZER_SYSLOG

Analyzer::ANALYZER_SSH

Analyzer::ANALYZER_DTLS

Analyzer::ANALYZER_SSL

Analyzer::ANALYZER_CONTENTLINE

Analyzer::ANALYZER_CONTENTS

Analyzer::ANALYZER_TCPSTATS

Analyzer::ANALYZER_TCP

Analyzer::ANALYZER_UDP

Analyzer::ANALYZER_XMPP

Analyzer::ANALYZER_ZIP

AllAnalyzers::Tag

Type

enum

AllAnalyzers::PACKETANALYZER_ANALYZER_ARP

AllAnalyzers::PACKETANALYZER_ANALYZER_AYIYA

AllAnalyzers::ANALYZER_ANALYZER_BITTORRENT

AllAnalyzers::ANALYZER_ANALYZER_BITTORRENTTRACKER

AllAnalyzers::ANALYZER_ANALYZER_CONNSIZE

AllAnalyzers::ANALYZER_ANALYZER_DCE_RPC

AllAnalyzers::ANALYZER_ANALYZER_DHCP

AllAnalyzers::ANALYZER_ANALYZER_DNP3_TCP

AllAnalyzers::ANALYZER_ANALYZER_DNP3_UDP

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_DNS

AllAnalyzers::ANALYZER_ANALYZER_DNS

AllAnalyzers::PACKETANALYZER_ANALYZER_ETHERNET

AllAnalyzers::PACKETANALYZER_ANALYZER_FDDI

AllAnalyzers::ANALYZER_ANALYZER_FTP_DATA

AllAnalyzers::FILES_ANALYZER_DATA_EVENT

AllAnalyzers::FILES_ANALYZER_ENTROPY

AllAnalyzers::FILES_ANALYZER_EXTRACT

AllAnalyzers::FILES_ANALYZER_MD5

AllAnalyzers::FILES_ANALYZER_SHA1

AllAnalyzers::FILES_ANALYZER_SHA256

AllAnalyzers::ANALYZER_ANALYZER_FTP

AllAnalyzers::ANALYZER_ANALYZER_FTP_ADAT

AllAnalyzers::PACKETANALYZER_ANALYZER_GENEVE

AllAnalyzers::ANALYZER_ANALYZER_GNUTELLA

AllAnalyzers::PACKETANALYZER_ANALYZER_GRE

AllAnalyzers::ANALYZER_ANALYZER_GSSAPI

AllAnalyzers::PACKETANALYZER_ANALYZER_GTPV1

AllAnalyzers::ANALYZER_ANALYZER_HTTP

AllAnalyzers::PACKETANALYZER_ANALYZER_ICMP

AllAnalyzers::ANALYZER_ANALYZER_ICMP

AllAnalyzers::ANALYZER_ANALYZER_IDENT

AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11

AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11_RADIO

AllAnalyzers::ANALYZER_ANALYZER_IMAP

AllAnalyzers::PACKETANALYZER_ANALYZER_IP

AllAnalyzers::PACKETANALYZER_ANALYZER_IPTUNNEL

AllAnalyzers::ANALYZER_ANALYZER_IRC

AllAnalyzers::ANALYZER_ANALYZER_IRC_DATA

AllAnalyzers::ANALYZER_ANALYZER_KRB

AllAnalyzers::ANALYZER_ANALYZER_KRB_TCP

AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL

AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL2

AllAnalyzers::PACKETANALYZER_ANALYZER_LLC

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RLOGIN

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RSH

AllAnalyzers::ANALYZER_ANALYZER_LOGIN

AllAnalyzers::ANALYZER_ANALYZER_NVT

AllAnalyzers::ANALYZER_ANALYZER_RLOGIN

AllAnalyzers::ANALYZER_ANALYZER_RSH

AllAnalyzers::ANALYZER_ANALYZER_TELNET

AllAnalyzers::ANALYZER_ANALYZER_MODBUS

AllAnalyzers::PACKETANALYZER_ANALYZER_MPLS

AllAnalyzers::ANALYZER_ANALYZER_MQTT

AllAnalyzers::ANALYZER_ANALYZER_MYSQL

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NCP

AllAnalyzers::ANALYZER_ANALYZER_NCP

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NETBIOSSSN

AllAnalyzers::ANALYZER_ANALYZER_NETBIOSSSN

AllAnalyzers::PACKETANALYZER_ANALYZER_NFLOG

AllAnalyzers::PACKETANALYZER_ANALYZER_NOVELL_802_3

AllAnalyzers::ANALYZER_ANALYZER_NTLM

AllAnalyzers::ANALYZER_ANALYZER_NTP

AllAnalyzers::PACKETANALYZER_ANALYZER_NULL

AllAnalyzers::PACKETANALYZER_ANALYZER_PBB

AllAnalyzers::FILES_ANALYZER_PE

AllAnalyzers::ANALYZER_ANALYZER_PIA_TCP

AllAnalyzers::ANALYZER_ANALYZER_PIA_UDP

AllAnalyzers::ANALYZER_ANALYZER_POP3

AllAnalyzers::PACKETANALYZER_ANALYZER_PPP

AllAnalyzers::PACKETANALYZER_ANALYZER_PPPOE

AllAnalyzers::PACKETANALYZER_ANALYZER_PPPSERIAL

AllAnalyzers::ANALYZER_ANALYZER_RADIUS

AllAnalyzers::ANALYZER_ANALYZER_RDP

AllAnalyzers::ANALYZER_ANALYZER_RDPEUDP

AllAnalyzers::ANALYZER_ANALYZER_RFB

AllAnalyzers::PACKETANALYZER_ANALYZER_ROOT

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NFS

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RPC

AllAnalyzers::ANALYZER_ANALYZER_MOUNT

AllAnalyzers::ANALYZER_ANALYZER_NFS

AllAnalyzers::ANALYZER_ANALYZER_PORTMAPPER

AllAnalyzers::ANALYZER_ANALYZER_SIP

AllAnalyzers::PACKETANALYZER_ANALYZER_SKIP

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_SMB

AllAnalyzers::ANALYZER_ANALYZER_SMB

AllAnalyzers::ANALYZER_ANALYZER_SMTP

AllAnalyzers::PACKETANALYZER_ANALYZER_SNAP

AllAnalyzers::ANALYZER_ANALYZER_SNMP

AllAnalyzers::ANALYZER_ANALYZER_SOCKS

AllAnalyzers::ANALYZER_ANALYZER_FINGER

AllAnalyzers::ANALYZER_ANALYZER_SYSLOG

AllAnalyzers::ANALYZER_ANALYZER_SSH

AllAnalyzers::ANALYZER_ANALYZER_DTLS

AllAnalyzers::ANALYZER_ANALYZER_SSL

AllAnalyzers::ANALYZER_ANALYZER_CONTENTLINE

AllAnalyzers::ANALYZER_ANALYZER_CONTENTS

AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS

AllAnalyzers::PACKETANALYZER_ANALYZER_TCP

AllAnalyzers::ANALYZER_ANALYZER_TCP

AllAnalyzers::PACKETANALYZER_ANALYZER_TEREDO

AllAnalyzers::PACKETANALYZER_ANALYZER_UDP

AllAnalyzers::ANALYZER_ANALYZER_UDP

AllAnalyzers::PACKETANALYZER_ANALYZER_VLAN

AllAnalyzers::PACKETANALYZER_ANALYZER_VNTAG

AllAnalyzers::PACKETANALYZER_ANALYZER_VXLAN

AllAnalyzers::FILES_ANALYZER_OCSP_REPLY

AllAnalyzers::FILES_ANALYZER_OCSP_REQUEST

AllAnalyzers::FILES_ANALYZER_X509

AllAnalyzers::ANALYZER_ANALYZER_XMPP

AllAnalyzers::ANALYZER_ANALYZER_ZIP

Zeek::BitTorrent

BitTorrent Analyzer

Components

Analyzer::ANALYZER_BITTORRENT

Analyzer::ANALYZER_BITTORRENTTRACKER

Events

bittorrent_peer_handshake

Type: event (c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_keep_alive

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_choke

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_unchoke

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_interested

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_not_interested

Type: event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_have

Type: event (c: connection, is_orig: bool, piece_index: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_bitfield

Type: event (c: connection, is_orig: bool, bitfield: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_request

Type: event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_piece

Type: event (c: connection, is_orig: bool, index: count, begin: count, piece_length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_cancel

Type: event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_port

Type: event (c: connection, is_orig: bool, listen_port: port)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_unknown

Type: event (c: connection, is_orig: bool, message_id: count, data: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_weird

Type: event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_request

Type: event (c: connection, uri: string, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_response

Type: event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_response_not_ok

Type: event (c: connection, status: count, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_weird

Type: event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

Zeek::ConnSize

Connection size analyzer

Components

Analyzer::ANALYZER_CONNSIZE

Events

conn_bytes_threshold_crossed 

Type: event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::bytes_threshold_crossed instead.

Parameters

c – the connection
threshold – the threshold that was set
is_orig – true if the threshold was crossed by the originator of the connection

conn_packets_threshold_crossed 

Type: event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::packets_threshold_crossed instead.

Parameters

c – the connection
threshold – the threshold that was set
is_orig – true if the threshold was crossed by the originator of the connection

conn_duration_threshold_crossed 

Type: event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::duration_threshold_crossed instead.

Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

Parameters

c – the connection
threshold – the threshold that was set
is_orig – true if the threshold was crossed by the originator of the connection

Functions

set_current_conn_bytes_threshold

Type: function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets the current byte threshold for connection sizes, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_bytes_threshold).

Parameters

cid – The connection id.
threshold – Threshold in bytes.
is_orig – If true, threshold is set for bytes from originator, otherwise for bytes from responder.

set_current_conn_packets_threshold

Type: function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets a threshold for connection packets, overwriting any potential old thresholds. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_packets_threshold).

Parameters

cid – The connection id.
threshold – Threshold in packets.
is_orig – If true, threshold is set for packets from originator, otherwise for packets from responder.

set_current_conn_duration_threshold

Type: function (cid: conn_id, threshold: interval) : bool

Sets the current duration threshold for connection, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_duration_threshold).

Parameters

cid – The connection id.
threshold – Threshold in seconds.

get_current_conn_bytes_threshold

Type

function (cid: conn_id, is_orig: bool) : count

Parameters

cid – The connection id.
is_orig – If true, threshold of originator, otherwise threshold of responder.

Returns

0 if no threshold is set or the threshold in bytes

get_current_conn_packets_threshold

Type: function (cid: conn_id, is_orig: bool) : count

Gets the current packet threshold size for a connection.

Parameters

cid – The connection id.
is_orig – If true, threshold of originator, otherwise threshold of responder.

Returns

0 if no threshold is set or the threshold in packets

get_current_conn_duration_threshold

Type: function (cid: conn_id) : interval

Gets the current duration threshold size for a connection.

Parameters: cid – The connection id.
Returns: 0 if no threshold is set or the threshold in seconds

Zeek::DCE_RPC

DCE-RPC analyzer

Components

Analyzer::ANALYZER_DCE_RPC

Options/Constants

DCE_RPC::max_cmd_reassembly 

Type: count
Attributes: &redef
Default: 20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.

DCE_RPC::max_frag_data 

Type: count
Attributes: &redef
Default: 30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

Types

DCE_RPC::PType

Type

enum

DCE_RPC::REQUEST

DCE_RPC::PING

DCE_RPC::RESPONSE

DCE_RPC::FAULT

DCE_RPC::WORKING

DCE_RPC::NOCALL

DCE_RPC::REJECT

DCE_RPC::ACK

DCE_RPC::CL_CANCEL

DCE_RPC::FACK

DCE_RPC::CANCEL_ACK

DCE_RPC::BIND

DCE_RPC::BIND_ACK

DCE_RPC::BIND_NAK

DCE_RPC::ALTER_CONTEXT

DCE_RPC::ALTER_CONTEXT_RESP

DCE_RPC::AUTH3

DCE_RPC::SHUTDOWN

DCE_RPC::CO_CANCEL

DCE_RPC::ORPHANED

DCE_RPC::RTS

DCE_RPC::IfID

Type

enum

DCE_RPC::unknown_if

DCE_RPC::epmapper

DCE_RPC::lsarpc

DCE_RPC::lsa_ds

DCE_RPC::mgmt

DCE_RPC::netlogon

DCE_RPC::samr

DCE_RPC::srvsvc

DCE_RPC::spoolss

DCE_RPC::drs

DCE_RPC::winspipe

DCE_RPC::wkssvc

DCE_RPC::oxid

DCE_RPC::ISCMActivator

Events

dce_rpc_message

Type: event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

Parameters

c – The connection.
is_orig – True if the message was sent by the originator of the TCP connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ptype_id – Numeric representation of the procedure type of the message.
ptype – Enum representation of the procedure type of the message.

dce_rpc_bind 

Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

Parameters

c – The connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
uuid – The string interpreted uuid of the endpoint being requested.
ver_major – The major version of the endpoint being requested.
ver_minor – The minor version of the endpoint being requested.

dce_rpc_alter_context 

Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

Parameters

c – The connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
uuid – The string interpreted uuid of the endpoint being requested.
ver_major – The major version of the endpoint being requested.
ver_minor – The minor version of the endpoint being requested.

dce_rpc_bind_ack 

Type: event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

Parameters

c – The connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
sec_addr – Secondary address for the ack.

dce_rpc_alter_context_resp 

Type: event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

Parameters

c – The connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

dce_rpc_request 

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

Parameters

c – The connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
opnum – Number of the RPC operation.
stub_len – Length of the data for the request.

dce_rpc_response

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

Parameters

c – The connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
opnum – Number of the RPC operation.
stub_len – Length of the data for the response.

dce_rpc_request_stub

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

Parameters

c – The connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
opnum – Number of the RPC operation.
stub – The data for the request.

dce_rpc_response_stub

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

Parameters

c – The connection.
fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id – The context identifier of the data representation.
opnum – Number of the RPC operation.
stub – The data for the response.

Zeek::DHCP

DHCP analyzer

Components

Analyzer::ANALYZER_DHCP

Types

DHCP::Msg 

Type

record

op: count: Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
m_type: count: The type of DHCP message.
xid: count: Transaction ID of a DHCP session.
secs: interval: Number of seconds since client began address acquisition or renewal process

flags: count

ciaddr: addr: Original IP address of the client.
yiaddr: addr: IP address assigned to the client.
siaddr: addr: IP address of the server.
giaddr: addr: IP address of the relaying gateway.
chaddr: string: Client hardware address.
sname: string &default = "" &optional: Server host name.
file_n: string &default = "" &optional: Boot file name.

A DHCP message. .. zeek:see:: dhcp_message

DHCP::Addrs 

Type: vector of addr

A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.

Events

dhcp_message 

Type: event (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)

Generated for all DHCP messages.

Parameters

c – The connection record describing the underlying UDP flow.
is_orig – Indicate if the message came in a packet from the originator/client of the udp flow or the responder/server.
msg – The parsed type-independent part of the DHCP message. The message type is indicated in this record.
options – The full set of supported and parsed DHCP options.

Zeek::DNP3

DNP3 UDP/TCP analyzers

Components

Analyzer::ANALYZER_DNP3_TCP

Analyzer::ANALYZER_DNP3_UDP

Events

dnp3_application_request_header 

Type: event (c: connection, is_orig: bool, application: count, fc: count)

Generated for a DNP3 request header.

Parameters

c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
fc – function code.

dnp3_application_response_header 

Type: event (c: connection, is_orig: bool, application: count, fc: count, iin: count)

Generated for a DNP3 response header.

Parameters

c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
fc – function code.
iin – internal indication number.

dnp3_object_header

Type: event (c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)

Generated for the object header found in both DNP3 requests and responses.

Parameters

c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
obj_type – type of object, which is classified based on an 8-bit group number and an 8-bit variation number.
qua_field – qualifier field.
number – TODO.
rf_low – the structure of the range field depends on the qualified field. In some cases, the range field contains only one logic part, e.g., number of objects, so only rf_low contains useful values.
rf_high – in some cases, the range field contains two logic parts, e.g., start index and stop index, so rf_low contains the start index while rf_high contains the stop index.

dnp3_object_prefix

Type: event (c: connection, is_orig: bool, prefix_value: count)

Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.

Parameters

c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
prefix_value – The prefix.

dnp3_header_block

Type: event (c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)

Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).

Parameters

c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
len – the “length” field in the DNP3 Pseudo Link Layer.
ctrl – the “control” field in the DNP3 Pseudo Link Layer.
dest_addr – the “destination” field in the DNP3 Pseudo Link Layer.
src_addr – the “source” field in the DNP3 Pseudo Link Layer.

dnp3_response_data_object

Type: event (c: connection, is_orig: bool, data_value: count)

Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.

Parameters

c – The connection the DNP3 communication is part of.
is_orig – True if this reflects originator-side activity.
data_value – The value for those objects that carry their information here directly.

dnp3_attribute_common

Type: event (c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)

Generated for DNP3 attributes.

dnp3_crob

Type: event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 1

Parameters: CROB – control relay output block

dnp3_pcb

Type: event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 2

Parameters: PCB – Pattern Control Block

dnp3_counter_32wFlag

Type: event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag

dnp3_counter_16wFlag

Type: event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag

dnp3_counter_32woFlag

Type: event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag

dnp3_counter_16woFlag

Type: event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag

dnp3_frozen_counter_32wFlag

Type: event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag

dnp3_frozen_counter_16wFlag

Type: event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag

dnp3_frozen_counter_32wFlagTime

Type: event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time

dnp3_frozen_counter_16wFlagTime

Type: event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_32woFlag

Type: event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_frozen_counter_16woFlag

Type: event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_analog_input_32wFlag

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_16wFlag

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_32woFlag

Type: event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_16woFlag

Type: event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_SPwFlag

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, float point with flag

dnp3_analog_input_DPwFlag

Type: event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, float point with flag

dnp3_frozen_analog_input_32wFlag

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_16wFlag

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_32wTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_16wTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag

Type: event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_16woFlag

Type: event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_SPwFlag

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, float point with flag

dnp3_frozen_analog_input_DPwFlag

Type: event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, float point with flag

dnp3_analog_input_event_32woTime

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_16woTime

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime

Type: event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_16wTime

Type: event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_SPwoTime

Type: event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision float point without time

dnp3_analog_input_event_DPwoTime

Type: event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision float point without time

dnp3_analog_input_event_SPwTime

Type: event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision float point with time

dnp3_analog_input_event_DPwTime

Type: event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precision float point with time

dnp3_frozen_analog_input_event_32woTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_16woTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_16wTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_SPwoTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision float point without time

dnp3_frozen_analog_input_event_DPwoTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision float point without time

dnp3_frozen_analog_input_event_SPwTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision float point with time

dnp3_frozen_analog_input_event_DPwTime

Type: event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)

Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision float point with time

dnp3_file_transport

Type: event (c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string)

g70

dnp3_debug_byte

Type: event (c: connection, is_orig: bool, debug: string)

Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for unknown “cases”. The user can use it to debug the byte string to check what caused the malformed network packets.

Zeek::DNS

DNS analyzer

Components

Analyzer::ANALYZER_CONTENTS_DNS

Analyzer::ANALYZER_DNS

Events

dns_message 

Type: event (c: connection, is_orig: bool, msg: dns_msg, len: count)

Generated for all DNS messages.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
is_orig – True if the message was sent by the originator of the connection.
msg – The parsed DNS message header.
len – The length of the message’s raw representation (i.e., the DNS payload).

dns_request

Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS requests. For requests with multiple queries, this event is raised once for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name (normalized to all lowercase).
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact

dns_rejected 

Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name (normalized to all lowercase).
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact

dns_query_reply

Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
Type: event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for each entry in the Question section of a DNS reply.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
query – The queried name.
qtype – The queried resource record type.
qclass – The queried resource record class.
original_query – The queried name, with the original case kept intact

dns_A_reply

Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.

dns_AAAA_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.

dns_A6_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
a – The address returned by the reply.

dns_NS_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.

dns_CNAME_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.

dns_PTR_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.

dns_SOA_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
soa – The parsed SOA value.

dns_WKS_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.

dns_HINFO_reply

Type: event (c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string)

Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.

dns_MX_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)

Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
name – The name returned by the reply.
preference – The preference for name specified by the reply.

dns_TXT_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
strs – The textual information returned by the reply.

dns_SPF_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
strs – The textual information returned by the reply.

dns_CAA_reply

Type: event (c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)

Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
flags – The flags byte of the CAA reply.
tag – The property identifier of the CAA reply.
value – The property value of the CAA reply.

dns_SRV_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)

Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
target – Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.
priority – Priority of the SRV response – the priority of the target host, lower value means more preferred.
weight – Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred.
p – Port of the SRV response – the TCP or UDP port on which the service is to be found.

dns_unknown_reply 

Type: event (c: connection, msg: dns_msg, ans: dns_answer)

Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.

dns_EDNS_addl

Type: event (c: connection, msg: dns_msg, ans: dns_edns_additional)

Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The parsed EDNS reply.

dns_EDNS_ecs

Type: event (c: connection, msg: dns_msg, opt: dns_edns_ecs)

Generated for DNS replies of type EDNS. For replies with multiple options, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS option.

dns_EDNS_tcp_keepalive

Type: event (c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 11. For replies with multiple option fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7828 for more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS Keepalive option.

dns_EDNS_cookie

Type: event (c: connection, msg: dns_msg, opt: dns_edns_cookie)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10. For replies with multiple options fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7873 for more information about EDNS0 cookie. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
opt – The parsed EDNS Cookie option.

dns_TSIG_addl

Type: event (c: connection, msg: dns_msg, ans: dns_tsig_additional)

Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The parsed TSIG reply.

dns_RRSIG 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)

Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
rrsig – The parsed RRSIG record.

dns_DNSKEY 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)

Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
dnskey – The parsed DNSKEY record.

dns_NSEC 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)

Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
next_name – The parsed next secure domain name.
bitmaps – vector of strings in hex for the bit maps present.

dns_NSEC3 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)

Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
nsec3 – The parsed RDATA of Nsec3 record.

dns_NSEC3PARAM 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr)

Generated for DNS replies of type NSEC3PARAM. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
nsec3param – The parsed RDATA of NSEC3PARAM record.

dns_DS 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)

Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
ds – The parsed RDATA of DS record.

dns_BINDS 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr)

Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
binds – The parsed RDATA of BIND-Signing state record.

dns_SSHFP 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string)

Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
binds – The parsed RDATA of BIND-Signing state record.

dns_LOC 

Type: event (c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr)

Generated for DNS replies of type LOC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
loc – The parsed RDATA of LOC type record.

dns_SVCB

Type: event (c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr)

Generated for DNS replies of type SVCB (General Purpose Service Endpoints). See RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
svcb – The parsed RDATA of SVCB type record.

dns_HTTPS

Type: event (c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr)

Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints). See RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. Since SVCB and HTTPS records share the same wire format layout, the argument https is dns_svcb_rr. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.
ans – The type-independent part of the parsed answer record.
https – The parsed RDATA of HTTPS type record.

dns_end

Type: event (c: connection, msg: dns_msg)

Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters

c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
msg – The parsed DNS message header.

Zeek::File

Generic file analyzer

Components

Analyzer::ANALYZER_FTP_DATA

Events

file_transferred 

Type: event (c: connection, prefix: string, descr: string, mime_type: string)

Generated when a TCP connection associated w/ file data transfer is seen (e.g. as happens w/ FTP or IRC).

Parameters

c – The connection over which file data is transferred.
prefix – Up to 1024 bytes of the file data.
descr – Deprecated/unused argument.
mime_type – MIME type of the file or “<unknown>” if no file magic signatures matched.

Zeek::Finger

Finger analyzer

Components

Analyzer::ANALYZER_FINGER

Events

finger_request 

Type: event (c: connection, full: bool, username: string, hostname: string)

Generated for Finger requests.

See Wikipedia for more information about the Finger protocol.

Parameters

c – The connection.
full – True if verbose information is requested (/W switch).
username – The request’s user name.
hostname – The request’s host name.

Zeek::FTP

FTP analyzer

Components

Analyzer::ANALYZER_FTP

Analyzer::ANALYZER_FTP_ADAT

Types

ftp_port 

Type

record

h: addr: The host’s address.
p: port: The host’s port.
valid: bool: True if format was right. Only then are h and p valid.

A parsed host/port combination describing server endpoint for an upcoming data transfer.

Events

ftp_request

Type: event (c: connection, command: string, arg: string)

Generated for client-side FTP commands.

See Wikipedia for more information about the FTP protocol.

Parameters

c – The connection.
command – The FTP command issued by the client (without any arguments).
arg – The arguments going with the command.

ftp_reply

Type: event (c: connection, code: count, msg: string, cont_resp: bool)

Generated for server-side FTP replies.

See Wikipedia for more information about the FTP protocol.

Parameters

c – The connection.
code – The numerical response code the server responded with.
msg – The textual message of the response.
cont_resp – True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

Functions

parse_ftp_port

Type: function (s: string) : ftp_port

Converts a string representation of the FTP PORT command to an ftp_port.

Parameters: s – The string of the FTP PORT command, e.g., "10,0,0,1,4,31".
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_eftp_port

Type: function (s: string) : ftp_port

Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).

Parameters: s – The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_pasv

Type: function (str: string) : ftp_port

Converts the result of the FTP PASV command to an ftp_port.

Parameters: str – The string containing the result of the FTP PASV command.
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_epsv

Type: function (str: string) : ftp_port

Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).

Parameters: str – The string containing the result of the FTP EPSV command.
Returns: The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

fmt_ftp_port

Type: function (a: addr, p: port) : string

Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yields "10,0,0,1,4,31".

Parameters

a – The IP address.
p – The TCP port.

Returns

The FTP PORT string.

Zeek::Gnutella

Gnutella analyzer

Components

Analyzer::ANALYZER_GNUTELLA

Events

gnutella_text_msg

Type: event (c: connection, orig: bool, headers: string)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_binary_msg

Type: event (c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_partial_binary_msg

Type: event (c: connection, orig: bool, msg: string, len: count)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_establish

Type: event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_not_establish

Type: event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_http_notify

Type: event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::GSSAPI

GSSAPI analyzer

Components

Analyzer::ANALYZER_GSSAPI

Events

gssapi_neg_result

Type: event (c: connection, state: count)

Generated for GSSAPI negotiation results.

Parameters

c – The connection.
state – The resulting state of the negotiation.

Zeek::HTTP

HTTP analyzer

Components

Analyzer::ANALYZER_HTTP

Events

http_request

Type: event (c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)

Generated for HTTP requests. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

Parameters

c – The connection.
method – The HTTP method extracted from the request (e.g., GET, POST).
original_URI – The unprocessed URI as specified in the request.
unescaped_URI – The URI with all percent-encodings decoded.
version – The version number specified in the request (e.g., 1.1).

http_reply 

Type: event (c: connection, version: string, code: count, reason: string)

Generated for HTTP replies. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

Parameters

c – The connection.
version – The version number specified in the reply (e.g., 1.1).
code – The numerical response code returned by the server.
reason – The textual description returned by the server along with code.