base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary

Events

dce_rpc_alter_context: event

Generated for every DCE-RPC alter context request message.

dce_rpc_alter_context_resp: event

Generated for every DCE-RPC alter context response message.

dce_rpc_bind: event

Generated for every DCE-RPC bind request message.

dce_rpc_bind_ack: event

Generated for every DCE-RPC bind request ack message.

dce_rpc_message: event

Generated for every DCE-RPC message.

dce_rpc_request: event

Generated for every DCE-RPC request message.

dce_rpc_request_stub: event

Generated for every DCE-RPC request message.

dce_rpc_response: event

Generated for every DCE-RPC response message.

dce_rpc_response_stub: event

Generated for every DCE-RPC response message.

Detailed Interface

Events

dce_rpc_alter_context
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

Parameters

  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • uuid – The string interpreted uuid of the endpoint being requested.

  • ver_major – The major version of the endpoint being requested.

  • ver_minor – The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context_resp

dce_rpc_alter_context_resp
Type

event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

Parameters

  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response, dce_rpc_alter_context

dce_rpc_bind
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

Parameters

  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • uuid – The string interpreted uuid of the endpoint being requested.

  • ver_major – The major version of the endpoint being requested.

  • ver_minor – The minor version of the endpoint being requested.

See also: dce_rpc_message, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

dce_rpc_bind_ack
Type

event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

Parameters

  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • sec_addr – Secondary address for the ack.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_request, dce_rpc_response

dce_rpc_message
Type

event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

Parameters

  • c – The connection.

  • is_orig – True if the message was sent by the originator of the TCP connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ptype_id – Numeric representation of the procedure type of the message.

  • ptype – Enum representation of the procedure type of the message.

See also: dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response

dce_rpc_request
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

Parameters

  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • opnum – Number of the RPC operation.

  • stub_len – Length of the data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response, dce_rpc_request_stub

dce_rpc_request_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

Parameters

  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • opnum – Number of the RPC operation.

  • stub – The data for the request.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_response_stub, dce_rpc_request

dce_rpc_response
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

Parameters

  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • opnum – Number of the RPC operation.

  • stub_len – Length of the data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request, dce_rpc_response_stub

dce_rpc_response_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

Parameters

  • c – The connection.

  • fid – File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

  • ctx_id – The context identifier of the data representation.

  • opnum – Number of the RPC operation.

  • stub – The data for the response.

See also: dce_rpc_message, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_request_stub, dce_rpc_response