base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary

Events

dce_rpc_alter_context: event

Generated for every DCE-RPC alter context request message.

dce_rpc_alter_context_resp: event

Generated for every DCE-RPC alter context response message.

dce_rpc_bind: event

Generated for every DCE-RPC bind request message.

dce_rpc_bind_ack: event

Generated for every DCE-RPC bind request ack message.

dce_rpc_message: event

Generated for every DCE-RPC message.

dce_rpc_request: event

Generated for every DCE-RPC request message.

dce_rpc_request_stub: event

Generated for every DCE-RPC request message.

dce_rpc_response: event

Generated for every DCE-RPC response message.

dce_rpc_response_stub: event

Generated for every DCE-RPC response message.

Detailed Interface

Events

dce_rpc_alter_context
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Uuid

The string interpreted uuid of the endpoint being requested.

Ver_major

The major version of the endpoint being requested.

Ver_minor

The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp

dce_rpc_alter_context_resp
Type

event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context

dce_rpc_bind
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Uuid

The string interpreted uuid of the endpoint being requested.

Ver_major

The major version of the endpoint being requested.

Ver_minor

The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

dce_rpc_bind_ack
Type

event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Sec_addr

Secondary address for the ack.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response

dce_rpc_message
Type

event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

C

The connection.

Is_orig

True if the message was sent by the originator of the TCP connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ptype_id

Numeric representation of the procedure type of the message.

Ptype

Enum representation of the procedure type of the message.

See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

dce_rpc_request
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub_len

Length of the data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response, dce_rpc_request_stub

dce_rpc_request_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub

The data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response_stub, dce_rpc_request

dce_rpc_response
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub_len

Length of the data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response_stub

dce_rpc_response_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub

The data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request_stub, dce_rpc_response