base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek¶
-
GLOBAL¶
| Namespace: | GLOBAL |
|---|
Summary¶
Events¶
dce_rpc_alter_context: event |
Generated for every DCE-RPC alter context request message. |
dce_rpc_alter_context_resp: event |
Generated for every DCE-RPC alter context response message. |
dce_rpc_bind: event |
Generated for every DCE-RPC bind request message. |
dce_rpc_bind_ack: event |
Generated for every DCE-RPC bind request ack message. |
dce_rpc_message: event |
Generated for every DCE-RPC message. |
dce_rpc_request: event |
Generated for every DCE-RPC request message. |
dce_rpc_response: event |
Generated for every DCE-RPC response message. |
Detailed Interface¶
Events¶
-
dce_rpc_alter_context¶ Type: event(c:connection, fid:count, ctx_id:count, uuid:string, ver_major:count, ver_minor:count)Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Ctx_id: The context identifier of the data representation. Uuid: The string interpretted uuid of the endpoint being requested. Ver_major: The major version of the endpoint being requested. Ver_minor: The minor version of the endpoint being requested. See also:
dce_rpc_message,dce_rpc_bind,dce_rpc_bind_ack,dce_rpc_request,dce_rpc_response,dce_rpc_alter_context_resp
-
dce_rpc_alter_context_resp¶ Type: event(c:connection, fid:count)Generated for every DCE-RPC alter context response message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. See also:
dce_rpc_message,dce_rpc_bind,dce_rpc_bind_ack,dce_rpc_request,dce_rpc_response,dce_rpc_alter_context
-
dce_rpc_bind¶ Type: event(c:connection, fid:count, ctx_id:count, uuid:string, ver_major:count, ver_minor:count)Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Ctx_id: The context identifier of the data representation. Uuid: The string interpretted uuid of the endpoint being requested. Ver_major: The major version of the endpoint being requested. Ver_minor: The minor version of the endpoint being requested. See also:
dce_rpc_message,dce_rpc_bind_ack,dce_rpc_request,dce_rpc_response
-
dce_rpc_bind_ack¶ Type: event(c:connection, fid:count, sec_addr:string)Generated for every DCE-RPC bind request ack message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Sec_addr: Secondary address for the ack. See also:
dce_rpc_message,dce_rpc_bind,dce_rpc_request,dce_rpc_response
-
dce_rpc_message¶ Type: event(c:connection, is_orig:bool, fid:count, ptype_id:count, ptype:DCE_RPC::PType)Generated for every DCE-RPC message.
C: The connection. Is_orig: True if the message was sent by the originator of the TCP connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Ptype_id: Numeric representation of the procedure type of the message. Ptype: Enum representation of the prodecure type of the message. See also:
dce_rpc_bind,dce_rpc_bind_ack,dce_rpc_request,dce_rpc_response
-
dce_rpc_request¶ Type: event(c:connection, fid:count, ctx_id:count, opnum:count, stub_len:count)Generated for every DCE-RPC request message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Ctx_id: The context identifier of the data representation. Opnum: Number of the RPC operation. Stub_len: Length of the data for the request. See also:
dce_rpc_message,dce_rpc_bind,dce_rpc_bind_ack,dce_rpc_response
-
dce_rpc_response¶ Type: event(c:connection, fid:count, ctx_id:count, opnum:count, stub_len:count)Generated for every DCE-RPC response message.
C: The connection. Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe. Ctx_id: The context identifier of the data representation. Opnum: Number of the RPC operation. Stub_len: Length of the data for the response. See also:
dce_rpc_message,dce_rpc_bind,dce_rpc_bind_ack,dce_rpc_request