base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek

Namespace: GLOBAL

Summary

Events

| dce_rpc_alter_context : event | Generated for every DCE-RPC alter context request message. |
| dce_rpc_alter_context_resp : event | Generated for every DCE-RPC alter context response message. |
| dce_rpc_bind : event | Generated for every DCE-RPC bind request message. |
| dce_rpc_bind_ack : event | Generated for every DCE-RPC bind request ack message. |
| dce_rpc_message : event | Generated for every DCE-RPC message. |
| dce_rpc_request : event | Generated for every DCE-RPC request message. |
| dce_rpc_request_stub : event | Generated for every DCE-RPC request message. |
| dce_rpc_response : event | Generated for every DCE-RPC response message. |
| dce_rpc_response_stub : event | Generated for every DCE-RPC response message. |

Detailed Interface

Events
dce_rpc_alter_context
Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
uuid: The string interpreted uuid of the endpoint being requested.
ver_major: The major version of the endpoint being requested.
ver_minor: The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp
dce_rpc_alter_context_resp
Type: event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context
dce_rpc_bind
Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
uuid: The string interpreted uuid of the endpoint being requested.
ver_major: The major version of the endpoint being requested.
ver_minor: The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response
dce_rpc_bind_ack
Type: event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
sec_addr: Secondary address for the ack.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response
dce_rpc_message
Type: event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

c: The connection.
is_orig: True if the message was sent by the originator of the TCP connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ptype_id: Numeric representation of the procedure type of the message.
ptype: Enum representation of the procedure type of the message.

See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response
dce_rpc_request
Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
opnum: Number of the RPC operation.
stub_len: Length of the data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response, dce_rpc_request_stub
dce_rpc_request_stub
Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
opnum: Number of the RPC operation.
stub: The data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response_stub, dce_rpc_request
dce_rpc_response
Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
opnum: Number of the RPC operation.
stub_len: Length of the data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response_stub
dce_rpc_response_stub
Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

c: The connection.
fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
ctx_id: The context identifier of the data representation.
opnum: Number of the RPC operation.
stub: The data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request_stub, dce_rpc_response
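As an added example, not part of the Zeek distribution or of this reference, the following script shows how the events above fit together: dce_rpc_bind and dce_rpc_alter_context record which interface uuid each ctx_id was negotiated for (both can fire once per requested context), and dce_rpc_request then resolves its ctx_id back to that uuid before raising a notice for requests whose stub_len exceeds a threshold. The module name, notice type and 65536-byte threshold are assumptions chosen for the example.

```zeek
@load base/protocols/dce-rpc

module DCE_RPC_CtxTrack;  # example module name, not part of Zeek

export {
	redef enum Notice::Type += {
		## A DCE-RPC request whose stub exceeds stub_len_limit.
		Oversized_Stub,
	};
	## Stub length in bytes above which a request is reported (constructed threshold).
	const stub_len_limit: count = 65536 &redef;
}

# Per-connection map from presentation context id to the interface UUID it was
# bound to. Keyed by c$uid; idle entries age out via &read_expire.
global ctx_by_conn: table[string] of table[count] of string &read_expire = 10min;

function remember_ctx(c: connection, ctx_id: count, uuid: string)
	{
	if ( c$uid !in ctx_by_conn )
		ctx_by_conn[c$uid] = table();
	ctx_by_conn[c$uid][ctx_id] = uuid;
	}

# bind and alter_context each fire once per requested context, so every
# invocation records exactly one (ctx_id, uuid) pair.
event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
	{
	remember_ctx(c, ctx_id, uuid);
	}

event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)
	{
	remember_ctx(c, ctx_id, uuid);
	}

event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
	{
	if ( stub_len <= stub_len_limit )
		return;
	# Resolve ctx_id to the UUID seen at bind time; "unknown" if the bind
	# was not observed (e.g. capture started mid-connection).
	local uuid = "unknown";
	if ( c$uid in ctx_by_conn && ctx_id in ctx_by_conn[c$uid] )
		uuid = ctx_by_conn[c$uid][ctx_id];
	NOTICE([$note=Oversized_Stub, $conn=c,
	        $msg=fmt("DCE-RPC request with %d-byte stub", stub_len),
	        $sub=fmt("uuid=%s opnum=%d fid=%d", uuid, opnum, fid)]);
	}
```

Run it with `zeek -r capture.pcap` alongside the default scripts; the base dce-rpc scripts already write endpoint and operation names to dce_rpc.log, so this script only adds the size-based notice on top of that record.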