Zeek_DCE_RPC.events.bif.zeek¶

GLOBAL¶

Namespace: GLOBAL

Summary¶

Events¶

`dce_rpc_alter_context`: `event`	Generated for every DCE-RPC alter context request message.
`dce_rpc_alter_context_resp`: `event`	Generated for every DCE-RPC alter context response message.
`dce_rpc_bind`: `event`	Generated for every DCE-RPC bind request message.
`dce_rpc_bind_ack`: `event`	Generated for every DCE-RPC bind request ack message.
`dce_rpc_message`: `event`	Generated for every DCE-RPC message.
`dce_rpc_request`: `event`	Generated for every DCE-RPC request message.
`dce_rpc_request_stub`: `event`	Generated for every DCE-RPC request message.
`dce_rpc_response`: `event`	Generated for every DCE-RPC response message.
`dce_rpc_response_stub`: `event`	Generated for every DCE-RPC response message.

Detailed Interface¶

Events¶

dce_rpc_alter_context ¶

Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Uuid: The string interpretted uuid of the endpoint being requested.
Ver_major: The major version of the endpoint being requested.
Ver_minor: The minor version of the endpoint being requested.

dce_rpc_alter_context_resp ¶

Type: event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

dce_rpc_bind ¶

Type: event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Uuid: The string interpretted uuid of the endpoint being requested.
Ver_major: The major version of the endpoint being requested.
Ver_minor: The minor version of the endpoint being requested.

dce_rpc_bind_ack ¶

Type: event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Sec_addr: Secondary address for the ack.

dce_rpc_message¶

Type: event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

C: The connection.
Is_orig: True if the message was sent by the originator of the TCP connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ptype_id: Numeric representation of the procedure type of the message.
Ptype: Enum representation of the prodecure type of the message.

dce_rpc_request ¶

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Opnum: Number of the RPC operation.
Stub_len: Length of the data for the request.

dce_rpc_request_stub¶

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Opnum: Number of the RPC operation.
Stub: The data for the request.

dce_rpc_response¶

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Opnum: Number of the RPC operation.
Stub_len: Length of the data for the response.

dce_rpc_response_stub¶

Type: event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

C: The connection.
Fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.
Ctx_id: The context identifier of the data representation.
Opnum: Number of the RPC operation.
Stub: The data for the response.