Protocol Analyzers

Analyzer::Tag
Type

enum

Analyzer::ANALYZER_BITTORRENT
Analyzer::ANALYZER_BITTORRENTTRACKER
Analyzer::ANALYZER_CONNSIZE
Analyzer::ANALYZER_DCE_RPC
Analyzer::ANALYZER_DHCP
Analyzer::ANALYZER_DNP3_TCP
Analyzer::ANALYZER_DNP3_UDP
Analyzer::ANALYZER_CONTENTS_DNS
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_FTP_DATA
Analyzer::ANALYZER_FTP
Analyzer::ANALYZER_FTP_ADAT
Analyzer::ANALYZER_GNUTELLA
Analyzer::ANALYZER_GSSAPI
Analyzer::ANALYZER_HTTP
Analyzer::ANALYZER_ICMP
Analyzer::ANALYZER_IDENT
Analyzer::ANALYZER_IMAP
Analyzer::ANALYZER_IRC
Analyzer::ANALYZER_IRC_DATA
Analyzer::ANALYZER_KRB
Analyzer::ANALYZER_KRB_TCP
Analyzer::ANALYZER_CONTENTS_RLOGIN
Analyzer::ANALYZER_CONTENTS_RSH
Analyzer::ANALYZER_LOGIN
Analyzer::ANALYZER_NVT
Analyzer::ANALYZER_RLOGIN
Analyzer::ANALYZER_RSH
Analyzer::ANALYZER_TELNET
Analyzer::ANALYZER_MODBUS
Analyzer::ANALYZER_MQTT
Analyzer::ANALYZER_MYSQL
Analyzer::ANALYZER_CONTENTS_NCP
Analyzer::ANALYZER_NCP
Analyzer::ANALYZER_CONTENTS_NETBIOSSSN
Analyzer::ANALYZER_NETBIOSSSN
Analyzer::ANALYZER_NTLM
Analyzer::ANALYZER_NTP
Analyzer::ANALYZER_PIA_TCP
Analyzer::ANALYZER_PIA_UDP
Analyzer::ANALYZER_POP3
Analyzer::ANALYZER_RADIUS
Analyzer::ANALYZER_RDP
Analyzer::ANALYZER_RDPEUDP
Analyzer::ANALYZER_RFB
Analyzer::ANALYZER_CONTENTS_NFS
Analyzer::ANALYZER_CONTENTS_RPC
Analyzer::ANALYZER_MOUNT
Analyzer::ANALYZER_NFS
Analyzer::ANALYZER_PORTMAPPER
Analyzer::ANALYZER_SIP
Analyzer::ANALYZER_CONTENTS_SMB
Analyzer::ANALYZER_SMB
Analyzer::ANALYZER_SMTP
Analyzer::ANALYZER_SMTP_BDAT
Analyzer::ANALYZER_SNMP
Analyzer::ANALYZER_SOCKS
Analyzer::ANALYZER_FINGER
Analyzer::ANALYZER_LDAP_TCP
Analyzer::ANALYZER_LDAP_UDP
Analyzer::ANALYZER_QUIC
Analyzer::ANALYZER_SYSLOG
Analyzer::ANALYZER_SPICY_WEBSOCKET
Analyzer::ANALYZER_SSH
Analyzer::ANALYZER_DTLS
Analyzer::ANALYZER_SSL
Analyzer::ANALYZER_CONTENTLINE
Analyzer::ANALYZER_CONTENTS
Analyzer::ANALYZER_TCPSTATS
Analyzer::ANALYZER_TCP
Analyzer::ANALYZER_UDP
Analyzer::ANALYZER_WEBSOCKET
Analyzer::ANALYZER_XMPP
Analyzer::ANALYZER_ZIP
AllAnalyzers::Tag
Type

enum

AllAnalyzers::PACKETANALYZER_ANALYZER_ARP
AllAnalyzers::PACKETANALYZER_ANALYZER_AYIYA
AllAnalyzers::ANALYZER_ANALYZER_BITTORRENT
AllAnalyzers::ANALYZER_ANALYZER_BITTORRENTTRACKER
AllAnalyzers::ANALYZER_ANALYZER_CONNSIZE
AllAnalyzers::ANALYZER_ANALYZER_DCE_RPC
AllAnalyzers::ANALYZER_ANALYZER_DHCP
AllAnalyzers::ANALYZER_ANALYZER_DNP3_TCP
AllAnalyzers::ANALYZER_ANALYZER_DNP3_UDP
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_DNS
AllAnalyzers::ANALYZER_ANALYZER_DNS
AllAnalyzers::PACKETANALYZER_ANALYZER_ETHERNET
AllAnalyzers::PACKETANALYZER_ANALYZER_FDDI
AllAnalyzers::ANALYZER_ANALYZER_FTP_DATA
AllAnalyzers::FILES_ANALYZER_DATA_EVENT
AllAnalyzers::FILES_ANALYZER_ENTROPY
AllAnalyzers::FILES_ANALYZER_EXTRACT
AllAnalyzers::FILES_ANALYZER_MD5
AllAnalyzers::FILES_ANALYZER_SHA1
AllAnalyzers::FILES_ANALYZER_SHA256
AllAnalyzers::ANALYZER_ANALYZER_FTP
AllAnalyzers::ANALYZER_ANALYZER_FTP_ADAT
AllAnalyzers::PACKETANALYZER_ANALYZER_GENEVE
AllAnalyzers::ANALYZER_ANALYZER_GNUTELLA
AllAnalyzers::PACKETANALYZER_ANALYZER_GRE
AllAnalyzers::ANALYZER_ANALYZER_GSSAPI
AllAnalyzers::PACKETANALYZER_ANALYZER_GTPV1
AllAnalyzers::ANALYZER_ANALYZER_HTTP
AllAnalyzers::PACKETANALYZER_ANALYZER_ICMP
AllAnalyzers::ANALYZER_ANALYZER_ICMP
AllAnalyzers::ANALYZER_ANALYZER_IDENT
AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11
AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11_RADIO
AllAnalyzers::ANALYZER_ANALYZER_IMAP
AllAnalyzers::PACKETANALYZER_ANALYZER_IP
AllAnalyzers::PACKETANALYZER_ANALYZER_IPTUNNEL
AllAnalyzers::ANALYZER_ANALYZER_IRC
AllAnalyzers::ANALYZER_ANALYZER_IRC_DATA
AllAnalyzers::ANALYZER_ANALYZER_KRB
AllAnalyzers::ANALYZER_ANALYZER_KRB_TCP
AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL
AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL2
AllAnalyzers::PACKETANALYZER_ANALYZER_LLC
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RLOGIN
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RSH
AllAnalyzers::ANALYZER_ANALYZER_LOGIN
AllAnalyzers::ANALYZER_ANALYZER_NVT
AllAnalyzers::ANALYZER_ANALYZER_RLOGIN
AllAnalyzers::ANALYZER_ANALYZER_RSH
AllAnalyzers::ANALYZER_ANALYZER_TELNET
AllAnalyzers::ANALYZER_ANALYZER_MODBUS
AllAnalyzers::PACKETANALYZER_ANALYZER_MPLS
AllAnalyzers::ANALYZER_ANALYZER_MQTT
AllAnalyzers::ANALYZER_ANALYZER_MYSQL
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NCP
AllAnalyzers::ANALYZER_ANALYZER_NCP
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NETBIOSSSN
AllAnalyzers::ANALYZER_ANALYZER_NETBIOSSSN
AllAnalyzers::PACKETANALYZER_ANALYZER_NFLOG
AllAnalyzers::PACKETANALYZER_ANALYZER_NOVELL_802_3
AllAnalyzers::ANALYZER_ANALYZER_NTLM
AllAnalyzers::ANALYZER_ANALYZER_NTP
AllAnalyzers::PACKETANALYZER_ANALYZER_NULL
AllAnalyzers::PACKETANALYZER_ANALYZER_PBB
AllAnalyzers::FILES_ANALYZER_PE
AllAnalyzers::ANALYZER_ANALYZER_PIA_TCP
AllAnalyzers::ANALYZER_ANALYZER_PIA_UDP
AllAnalyzers::ANALYZER_ANALYZER_POP3
AllAnalyzers::PACKETANALYZER_ANALYZER_PPP
AllAnalyzers::PACKETANALYZER_ANALYZER_PPPOE
AllAnalyzers::PACKETANALYZER_ANALYZER_PPPSERIAL
AllAnalyzers::ANALYZER_ANALYZER_RADIUS
AllAnalyzers::ANALYZER_ANALYZER_RDP
AllAnalyzers::ANALYZER_ANALYZER_RDPEUDP
AllAnalyzers::ANALYZER_ANALYZER_RFB
AllAnalyzers::PACKETANALYZER_ANALYZER_ROOT
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NFS
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RPC
AllAnalyzers::ANALYZER_ANALYZER_MOUNT
AllAnalyzers::ANALYZER_ANALYZER_NFS
AllAnalyzers::ANALYZER_ANALYZER_PORTMAPPER
AllAnalyzers::ANALYZER_ANALYZER_SIP
AllAnalyzers::PACKETANALYZER_ANALYZER_SKIP
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_SMB
AllAnalyzers::ANALYZER_ANALYZER_SMB
AllAnalyzers::ANALYZER_ANALYZER_SMTP
AllAnalyzers::ANALYZER_ANALYZER_SMTP_BDAT
AllAnalyzers::PACKETANALYZER_ANALYZER_SNAP
AllAnalyzers::ANALYZER_ANALYZER_SNMP
AllAnalyzers::ANALYZER_ANALYZER_SOCKS
AllAnalyzers::ANALYZER_ANALYZER_FINGER
AllAnalyzers::ANALYZER_ANALYZER_LDAP_TCP
AllAnalyzers::ANALYZER_ANALYZER_LDAP_UDP
AllAnalyzers::ANALYZER_ANALYZER_QUIC
AllAnalyzers::ANALYZER_ANALYZER_SYSLOG
AllAnalyzers::ANALYZER_ANALYZER_SPICY_WEBSOCKET
AllAnalyzers::ANALYZER_ANALYZER_SSH
AllAnalyzers::ANALYZER_ANALYZER_DTLS
AllAnalyzers::ANALYZER_ANALYZER_SSL
AllAnalyzers::ANALYZER_ANALYZER_CONTENTLINE
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS
AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS
AllAnalyzers::PACKETANALYZER_ANALYZER_TCP
AllAnalyzers::ANALYZER_ANALYZER_TCP
AllAnalyzers::PACKETANALYZER_ANALYZER_TEREDO
AllAnalyzers::PACKETANALYZER_ANALYZER_UDP
AllAnalyzers::ANALYZER_ANALYZER_UDP
AllAnalyzers::PACKETANALYZER_ANALYZER_VLAN
AllAnalyzers::PACKETANALYZER_ANALYZER_VNTAG
AllAnalyzers::PACKETANALYZER_ANALYZER_VXLAN
AllAnalyzers::ANALYZER_ANALYZER_WEBSOCKET
AllAnalyzers::FILES_ANALYZER_OCSP_REPLY
AllAnalyzers::FILES_ANALYZER_OCSP_REQUEST
AllAnalyzers::FILES_ANALYZER_X509
AllAnalyzers::ANALYZER_ANALYZER_XMPP
AllAnalyzers::ANALYZER_ANALYZER_ZIP

Zeek::BitTorrent

BitTorrent Analyzer

Components

Analyzer::ANALYZER_BITTORRENT

Analyzer::ANALYZER_BITTORRENTTRACKER

Events

bittorrent_peer_handshake
Type

event (c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_keep_alive
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_choke
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_unchoke
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_interested
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_not_interested
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_have
Type

event (c: connection, is_orig: bool, piece_index: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_bitfield
Type

event (c: connection, is_orig: bool, bitfield: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_request
Type

event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_piece
Type

event (c: connection, is_orig: bool, index: count, begin: count, piece_length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_cancel
Type

event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_port
Type

event (c: connection, is_orig: bool, listen_port: port)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bittorrent_peer_unknown
Type

event (c: connection, is_orig: bool, message_id: count, data: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_weird

bittorrent_peer_weird
Type

event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown

bt_tracker_request
Type

event (c: connection, uri: string, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bt_tracker_response
Type

event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bt_tracker_response_not_ok
Type

event (c: connection, status: count, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

bt_tracker_weird
Type

event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also: bittorrent_peer_bitfield, bittorrent_peer_cancel, bittorrent_peer_choke, bittorrent_peer_handshake, bittorrent_peer_have, bittorrent_peer_interested, bittorrent_peer_keep_alive, bittorrent_peer_not_interested, bittorrent_peer_piece, bittorrent_peer_port, bittorrent_peer_request, bittorrent_peer_unchoke, bittorrent_peer_unknown, bittorrent_peer_weird

Zeek::ConnSize

Connection size analyzer

Components

Analyzer::ANALYZER_CONNSIZE

Events

conn_bytes_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::bytes_threshold_crossed instead.

Parameters
  • c – the connection

  • threshold – the threshold that was set

  • is_orig – true if the threshold was crossed by the originator of the connection

See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold

conn_packets_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::packets_threshold_crossed instead.

Parameters
  • c – the connection

  • threshold – the threshold that was set

  • is_orig – true if the threshold was crossed by the originator of the connection

See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold

conn_duration_threshold_crossed
Type

event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::duration_threshold_crossed instead.

Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

Parameters
  • c – the connection

  • threshold – the threshold that was set

  • is_orig – true if the threshold was crossed by the originator of the connection

See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

Functions

set_current_conn_bytes_threshold
Type

function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets the current byte threshold for connection sizes, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_bytes_threshold).

Parameters
  • cid – The connection id.

  • threshold – Threshold in bytes.

  • is_orig – If true, threshold is set for bytes from originator, otherwise for bytes from responder.

See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

set_current_conn_packets_threshold
Type

function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets a threshold for connection packets, overwriting any potential old thresholds. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_packets_threshold).

Parameters
  • cid – The connection id.

  • threshold – Threshold in packets.

  • is_orig – If true, threshold is set for packets from originator, otherwise for packets from responder.

See also: set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

set_current_conn_duration_threshold
Type

function (cid: conn_id, threshold: interval) : bool

Sets the current duration threshold for connection, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_duration_threshold).

Parameters
  • cid – The connection id.

  • threshold – Threshold in seconds.

See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, get_current_conn_duration_threshold

get_current_conn_bytes_threshold
Type

function (cid: conn_id, is_orig: bool) : count

Parameters
  • cid – The connection id.

  • is_orig – If true, threshold of originator, otherwise threshold of responder.

Returns

0 if no threshold is set or the threshold in bytes

See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

get_current_conn_packets_threshold
Type

function (cid: conn_id, is_orig: bool) : count

Gets the current packet threshold size for a connection.

Parameters
  • cid – The connection id.

  • is_orig – If true, threshold of originator, otherwise threshold of responder.

Returns

0 if no threshold is set or the threshold in packets

See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

get_current_conn_duration_threshold
Type

function (cid: conn_id) : interval

Gets the current duration threshold size for a connection.

Parameters

cid – The connection id.

Returns

0 if no threshold is set or the threshold in seconds

See also: set_current_conn_packets_threshold, conn_bytes_threshold_crossed, conn_packets_threshold_crossed, get_current_conn_packets_threshold, set_current_conn_duration_threshold

Zeek::DCE_RPC

DCE-RPC analyzer

Components

Analyzer::ANALYZER_DCE_RPC

Options/Constants

DCE_RPC::max_cmd_reassembly
Type

count

Attributes

&redef

Default

20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.

DCE_RPC::max_frag_data
Type

count

Attributes

&redef

Default

30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

Types

DCE_RPC::PType
Type

enum

DCE_RPC::REQUEST
DCE_RPC::PING
DCE_RPC::RESPONSE
DCE_RPC::FAULT
DCE_RPC::WORKING
DCE_RPC::NOCALL
DCE_RPC::REJECT
DCE_RPC::ACK
DCE_RPC::CL_CANCEL
DCE_RPC::FACK
DCE_RPC::CANCEL_ACK
DCE_RPC::BIND
DCE_RPC::BIND_ACK
DCE_RPC::BIND_NAK
DCE_RPC::ALTER_CONTEXT
DCE_RPC::ALTER_CONTEXT_RESP
DCE_RPC::AUTH3
DCE_RPC::SHUTDOWN
DCE_RPC::CO_CANCEL
DCE_RPC::ORPHANED
DCE_RPC::RTS
DCE_RPC::IfID
Type

enum

DCE_RPC::unknown_if
DCE_RPC::epmapper
DCE_RPC::lsarpc
DCE_RPC::lsa_ds
DCE_RPC::mgmt
DCE_RPC::netlogon
DCE_RPC::samr
DCE_RPC::srvsvc
DCE_RPC::spoolss
DCE_RPC::drs
DCE_RPC::winspipe
DCE_RPC::wkssvc
DCE_RPC::oxid
DCE_RPC::ISCMActivator

Events

dce_rpc_message
Type

event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

Parameters
  • c – The connection.

  • is_orig – True if the message was sent by the originator of the TCP connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ptype_id – Numeric representation of the procedure type of the message.

  • ptype – Enum representation of the procedure type of the message.

See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

dce_rpc_bind
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

Parameters
  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • uuid – The string interpreted uuid of the endpoint being requested.

  • ver_major – The major version of the endpoint being requested.

  • ver_minor – The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

dce_rpc_alter_context
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

Parameters
  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • uuid – The string interpreted uuid of the endpoint being requested.

  • ver_major – The major version of the endpoint being requested.

  • ver_minor – The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp

dce_rpc_bind_ack
Type

event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

Parameters
  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • sec_addr – Secondary address for the ack.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response

dce_rpc_alter_context_resp
Type

event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

Parameters
  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context

dce_rpc_request
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

Parameters
  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • opnum – Number of the RPC operation.

  • stub_len – Length of the data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response, dce_rpc_request_stub

dce_rpc_response
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

Parameters
  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • opnum – Number of the RPC operation.

  • stub_len – Length of the data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response_stub

dce_rpc_request_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

Parameters
  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • opnum – Number of the RPC operation.

  • stub – The data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response_stub, dce_rpc_request

dce_rpc_response_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

Parameters
  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • opnum – Number of the RPC operation.

  • stub – The data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request_stub, dce_rpc_response

Zeek::DHCP

DHCP analyzer

Components

Analyzer::ANALYZER_DHCP

Types

DHCP::Msg
Type

record

op: count

Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY

m_type: count

The type of DHCP message.

xid: count

Transaction ID of a DHCP session.

secs: interval

Number of seconds since client began address acquisition or renewal process

flags: count

ciaddr: addr

Original IP address of the client.

yiaddr: addr

IP address assigned to the client.

siaddr: addr

IP address of the server.

giaddr: addr

IP address of the relaying gateway.

chaddr: string

Client hardware address.

sname: string &default = "" &optional

Server host name.

file_n: string &default = "" &optional

Boot file name.

A DHCP message. .. zeek:see:: dhcp_message

DHCP::Addrs
Type

vector of addr

A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.

See also: dhcp_message

DHCP::SubOpt
Type

record

code: count

value: string

DHCP Relay Agent Information Option (Option 82) .. zeek:see:: dhcp_message

DHCP::SubOpts
Type

vector of DHCP::SubOpt

DHCP::ClientFQDN
Type

record

flags: count

An unparsed bitfield of flags (refer to RFC 4702).

rcode1: count

This field is deprecated in the standard.

rcode2: count

This field is deprecated in the standard.

domain_name: string

The Domain Name part of the option carries all or part of the FQDN of a DHCP client.

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID
Type

record

hwtype: count

hwaddr: string

DHCP Client Identifier (Option 61) .. zeek:see:: dhcp_message

DHCP::Options
Type

record

options: index_vec &optional

The ordered list of all DHCP option numbers.

subnet_mask: addr &optional

Subnet Mask Value (option 1)

routers: DHCP::Addrs &optional

Router addresses (option 3)

dns_servers: DHCP::Addrs &optional

DNS Server addresses (option 6)

host_name: string &optional

The Hostname of the client (option 12)

domain_name: string &optional

The DNS domain name of the client (option 15)

forwarding: bool &optional

Enable/Disable IP Forwarding (option 19)

broadcast: addr &optional

Broadcast Address (option 28)

vendor: string &optional

Vendor specific data. This can frequently be unparsed binary data. (option 43)

nbns: DHCP::Addrs &optional

NETBIOS name server list (option 44)

addr_request: addr &optional

Address requested by the client (option 50)

lease: interval &optional

Lease time offered by the server. (option 51)

serv_addr: addr &optional

Server address to allow clients to distinguish between lease offers. (option 54)

param_list: index_vec &optional

DHCP Parameter Request list (option 55)

message: string &optional

Textual error message (option 56)

max_msg_size: count &optional

Maximum Message Size (option 57)

renewal_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)

rebinding_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)

vendor_class: string &optional

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)

client_id: DHCP::ClientID &optional

DHCP Client Identifier (Option 61)

user_class: string &optional

User Class opaque value (Option 77)

client_fqdn: DHCP::ClientFQDN &optional

DHCP Client FQDN (Option 81)

sub_opt: DHCP::SubOpts &optional

DHCP Relay Agent Information Option (Option 82)

auto_config: bool &optional

Auto Config option to let host know if it’s allowed to auto assign an IP address. (Option 116)

auto_proxy_config: string &optional

URL to find a proxy.pac for auto proxy config (Option 252)

time_offset: int &optional

The offset of the client’s subnet in seconds from UTC. (Option 2)

time_servers: DHCP::Addrs &optional

A list of RFC 868 time servers available to the client. (Option 4)

name_servers: DHCP::Addrs &optional

A list of IEN 116 name servers available to the client. (Option 5)

ntp_servers: DHCP::Addrs &optional

A list of IP addresses indicating NTP servers available to the client. (Option 42)

Events

dhcp_message
Type

event (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)

Generated for all DHCP messages.

Parameters
  • c – The connection record describing the underlying UDP flow.

  • is_orig – Indicate if the message came in a packet from the originator/client of the udp flow or the responder/server.

  • msg – The parsed type-independent part of the DHCP message. The message type is indicated in this record.

  • options – The full set of supported and parsed DHCP options.

Zeek::DNP3

DNP3 UDP/TCP analyzers

Components

Analyzer::ANALYZER_DNP3_TCP

Analyzer::ANALYZER_DNP3_UDP

Events

dnp3_application_request_header
Type

event (c: connection, is_orig: bool, application: count, fc: count)

Generated for a DNP3 request header.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • fc – function code.

dnp3_application_response_header
Type

event (c: connection, is_orig: bool, application: count, fc: count, iin: count)

Generated for a DNP3 response header.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • fc – function code.

  • iin – internal indication number.

dnp3_object_header
Type

event (c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)

Generated for the object header found in both DNP3 requests and responses.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • obj_type – type of object, which is classified based on an 8-bit group number and an 8-bit variation number.

  • qua_field – qualifier field.

  • number – TODO.

  • rf_low – the structure of the range field depends on the qualified field. In some cases, the range field contains only one logic part, e.g., number of objects, so only rf_low contains useful values.

  • rf_high – in some cases, the range field contains two logic parts, e.g., start index and stop index, so rf_low contains the start index while rf_high contains the stop index.

dnp3_object_prefix
Type

event (c: connection, is_orig: bool, prefix_value: count)

Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • prefix_value – The prefix.

dnp3_header_block
Type

event (c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)

Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • len – the “length” field in the DNP3 Pseudo Link Layer.

  • ctrl – the “control” field in the DNP3 Pseudo Link Layer.

  • dest_addr – the “destination” field in the DNP3 Pseudo Link Layer.

  • src_addr – the “source” field in the DNP3 Pseudo Link Layer.

dnp3_response_data_object
Type

event (c: connection, is_orig: bool, data_value: count)

Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.

Parameters
  • c – The connection the DNP3 communication is part of.

  • is_orig – True if this reflects originator-side activity.

  • data_value – The value for those objects that carry their information here directly.

dnp3_attribute_common
Type

event (c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)

Generated for DNP3 attributes.

dnp3_crob
Type

event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 1

Parameters

CROB – control relay output block

dnp3_pcb
Type

event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 2

Parameters

PCB – Pattern Control Block

dnp3_counter_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag

dnp3_counter_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag

dnp3_counter_32woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag

dnp3_counter_16woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag

dnp3_frozen_counter_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag

dnp3_frozen_counter_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag

dnp3_frozen_counter_32wFlagTime
Type

event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time

dnp3_frozen_counter_16wFlagTime
Type

event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_32woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_frozen_counter_16woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_analog_input_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_32woFlag
Type

event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_16woFlag
Type

event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_SPwFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, float point with flag

dnp3_analog_input_DPwFlag
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, float point with flag

dnp3_frozen_analog_input_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_32wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_16wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag
Type

event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_16woFlag
Type

event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_SPwFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, float point with flag

dnp3_frozen_analog_input_DPwFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, float point with flag

dnp3_analog_input_event_32woTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_16woTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_16wTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_SPwoTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision float point without time

dnp3_analog_input_event_DPwoTime
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision float point without time

dnp3_analog_input_event_SPwTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision float point with time

dnp3_analog_input_event_DPwTime
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precision float point with time

dnp3_frozen_analog_input_event_32woTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_16woTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_16wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_SPwoTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision float point without time

dnp3_frozen_analog_input_event_DPwoTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision float point without time

dnp3_frozen_analog_input_event_SPwTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision float point with time

dnp3_frozen_analog_input_event_DPwTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)

Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision float point with time

dnp3_file_transport
Type

event (c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string)

g70

dnp3_debug_byte
Type

event (c: connection, is_orig: bool, debug: string)

Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for unknown “cases”. The user can use it to debug the byte string to check what caused the malformed network packets.

Zeek::DNS

DNS analyzer

Components

Analyzer::ANALYZER_CONTENTS_DNS

Analyzer::ANALYZER_DNS

Events

dns_message
Type

event (c: connection, is_orig: bool, msg: dns_msg, len: count)

Generated for all DNS messages.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • is_orig – True if the message was sent by the originator of the connection.

  • msg – The parsed DNS message header.

  • len – The length of the message’s raw representation (i.e., the DNS payload).

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_request
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS requests. For requests with multiple queries, this event is raised once for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • query – The queried name (normalized to all lowercase).

  • qtype – The queried resource record type.

  • qclass – The queried resource record class.

  • original_query – The queried name, with the original case kept intact

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_rejected
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • query – The queried name (normalized to all lowercase).

  • qtype – The queried resource record type.

  • qclass – The queried resource record class.

  • original_query – The queried name, with the original case kept intact

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_query_reply
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for each entry in the Question section of a DNS reply.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • query – The queried name.

  • qtype – The queried resource record type.

  • qclass – The queried resource record class.

  • original_query – The queried name, with the original case kept intact

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_A_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • a – The address returned by the reply.

See also: dns_AAAA_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_AAAA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • a – The address returned by the reply.

See also: dns_A_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_A6_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • a – The address returned by the reply.

See also: dns_A_reply, dns_AAAA_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_NS_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • name – The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_CNAME_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • name – The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_PTR_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • name – The name returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_SOA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • soa – The parsed SOA value.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_WKS_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_HINFO_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string)

Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_MX_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)

Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • name – The name returned by the reply.

  • preference – The preference for name specified by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_TXT_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • strs – The textual information returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_SPF_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • strs – The textual information returned by the reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_CAA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)

Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • flags – The flags byte of the CAA reply.

  • tag – The property identifier of the CAA reply.

  • value – The property value of the CAA reply.

dns_SRV_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)

Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • target – Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.

  • priority – Priority of the SRV response – the priority of the target host, lower value means more preferred.

  • weight – Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred.

  • p – Port of the SRV response – the TCP or UDP port on which the service is to be found.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_unknown_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer)

Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_SRV_reply, dns_end

dns_EDNS_addl
Type

event (c: connection, msg: dns_msg, ans: dns_edns_additional)

Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The parsed EDNS reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_EDNS_ecs
Type

event (c: connection, msg: dns_msg, opt: dns_edns_ecs)

Generated for DNS replies of type EDNS. For replies with multiple options, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • opt – The parsed EDNS option.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_EDNS_tcp_keepalive
Type

event (c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 11. For replies with multiple option fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7828 for more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • opt – The parsed EDNS Keepalive option.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

Type

event (c: connection, msg: dns_msg, opt: dns_edns_cookie)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10. For replies with multiple options fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7873 for more information about EDNS0 cookie. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • opt – The parsed EDNS Cookie option.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_TSIG_addl
Type

event (c: connection, msg: dns_msg, ans: dns_tsig_additional)

Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The parsed TSIG reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

dns_RRSIG
Type

event (c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)

Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • rrsig – The parsed RRSIG record.

dns_DNSKEY
Type

event (c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)

Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • dnskey – The parsed DNSKEY record.

dns_NSEC
Type

event (c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)

Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • next_name – The parsed next secure domain name.

  • bitmaps – vector of strings in hex for the bit maps present.

dns_NSEC3
Type

event (c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)

Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • nsec3 – The parsed RDATA of Nsec3 record.

dns_NSEC3PARAM
Type

event (c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr)

Generated for DNS replies of type NSEC3PARAM. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • nsec3param – The parsed RDATA of NSEC3PARAM record.

dns_DS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)

Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • ds – The parsed RDATA of DS record.

dns_BINDS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr)

Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • binds – The parsed RDATA of BIND-Signing state record.

dns_SSHFP
Type

event (c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string)

Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • binds – The parsed RDATA of BIND-Signing state record.

dns_LOC
Type

event (c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr)

Generated for DNS replies of type LOC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • loc – The parsed RDATA of LOC type record.

dns_SVCB
Type

event (c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr)

Generated for DNS replies of type SVCB (General Purpose Service Endpoints). See RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • svcb – The parsed RDATA of SVCB type record.

dns_HTTPS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr)

Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints). See RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. Since SVCB and HTTPS records share the same wire format layout, the argument https is dns_svcb_rr. For replies with multiple answers, an individual event of the corresponding type is raised for each.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

  • ans – The type-independent part of the parsed answer record.

  • https – The parsed RDATA of HTTPS type record.

dns_end
Type

event (c: connection, msg: dns_msg)

Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

Parameters
  • c – The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

  • msg – The parsed DNS message header.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth

Zeek::File

Generic file analyzer

Components

Analyzer::ANALYZER_FTP_DATA

Events

file_transferred
Type

event (c: connection, prefix: string, descr: string, mime_type: string)

Generated when a TCP connection associated w/ file data transfer is seen (e.g. as happens w/ FTP or IRC).

Parameters
  • c – The connection over which file data is transferred.

  • prefix – Up to 1024 bytes of the file data.

  • descr – Deprecated/unused argument.

  • mime_type – MIME type of the file or “<unknown>” if no file magic signatures matched.

Zeek::Finger

Finger analyzer

Components

Analyzer::ANALYZER_FINGER

Types

spicy::AddressFamily
Type

enum

spicy::AddressFamily_IPv4
spicy::AddressFamily_IPv6
spicy::AddressFamily_Undef
spicy::BitOrder
Type

enum

spicy::BitOrder_LSB0
spicy::BitOrder_MSB0
spicy::BitOrder_Undef
spicy::ByteOrder
Type

enum

spicy::ByteOrder_Little
spicy::ByteOrder_Big
spicy::ByteOrder_Network
spicy::ByteOrder_Host
spicy::ByteOrder_Undef
spicy::Charset
Type

enum

spicy::Charset_ASCII
spicy::Charset_UTF8
spicy::Charset_Undef
spicy::DecodeErrorStrategy
Type

enum

spicy::DecodeErrorStrategy_IGNORE
spicy::DecodeErrorStrategy_REPLACE
spicy::DecodeErrorStrategy_STRICT
spicy::DecodeErrorStrategy_Undef
spicy::Protocol
Type

enum

spicy::Protocol_TCP
spicy::Protocol_UDP
spicy::Protocol_ICMP
spicy::Protocol_Undef
spicy::RealType
Type

enum

spicy::RealType_IEEE754_Single
spicy::RealType_IEEE754_Double
spicy::RealType_Undef
spicy::ReassemblerPolicy
Type

enum

spicy::ReassemblerPolicy_First
spicy::ReassemblerPolicy_Undef
spicy::Side
Type

enum

spicy::Side_Left
spicy::Side_Right
spicy::Side_Both
spicy::Side_Undef
spicy::Direction
Type

enum

spicy::Direction_Forward
spicy::Direction_Backward
spicy::Direction_Undef

Events

finger_request
Type

event (c: connection, full: bool, username: string, hostname: string)

Generated for Finger requests.

See Wikipedia for more information about the Finger protocol.

Parameters
  • c – The connection.

  • full – True if verbose information is requested (/W switch).

  • username – The request’s user name.

  • hostname – The request’s host name.

See also: finger_reply

finger_reply
Type

event (c: connection, reply_line: string)

Generated for Finger replies.

See Wikipedia for more information about the Finger protocol.

Parameters
  • c – The connection.

  • reply_line – The reply as returned by the server

See also: finger_request

Zeek::FTP

FTP analyzer

Components

Analyzer::ANALYZER_FTP

Analyzer::ANALYZER_FTP_ADAT

Types

ftp_port
Type

record

h: addr

The host’s address.

p: port

The host’s port.

valid: bool

True if format was right. Only then are h and p valid.

A parsed host/port combination describing server endpoint for an upcoming data transfer.

See also: fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port

Events

ftp_request
Type

event (c: connection, command: string, arg: string)

Generated for client-side FTP commands.

See Wikipedia for more information about the FTP protocol.

Parameters
  • c – The connection.

  • command – The FTP command issued by the client (without any arguments).

  • arg – The arguments going with the command.

See also: ftp_reply, fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port

ftp_reply
Type

event (c: connection, code: count, msg: string, cont_resp: bool)

Generated for server-side FTP replies.

See Wikipedia for more information about the FTP protocol.

Parameters
  • c – The connection.

  • code – The numerical response code the server responded with.

  • msg – The textual message of the response.

  • cont_resp – True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

See also: ftp_request, fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port

Functions

parse_ftp_port
Type

function (s: string) : ftp_port

Converts a string representation of the FTP PORT command to an ftp_port.

Parameters

s – The string of the FTP PORT command, e.g., "10,0,0,1,4,31".

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

See also: parse_eftp_port, parse_ftp_pasv, parse_ftp_epsv, fmt_ftp_port

parse_eftp_port
Type

function (s: string) : ftp_port

Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).

Parameters

s – The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

See also: parse_ftp_port, parse_ftp_pasv, parse_ftp_epsv, fmt_ftp_port

parse_ftp_pasv
Type

function (str: string) : ftp_port

Converts the result of the FTP PASV command to an ftp_port.

Parameters

str – The string containing the result of the FTP PASV command.

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

See also: parse_ftp_port, parse_eftp_port, parse_ftp_epsv, fmt_ftp_port

parse_ftp_epsv
Type

function (str: string) : ftp_port

Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).

Parameters

str – The string containing the result of the FTP EPSV command.

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

See also: parse_ftp_port, parse_eftp_port, parse_ftp_pasv, fmt_ftp_port

fmt_ftp_port
Type

function (a: addr, p: port) : string

Formats an IP address and TCP port as an FTP POR